HP (Hewlett-Packard) 2500 Switch User Manual


 
Enhancements in Release F.04.08
Configuring RADIUS Authentication and Accounting
zero and then trying to log on again. As an alternative, you can reboot the switch (thus
resetting the dead-time counter to assume the server is available) and then try to log on
again.
Number of Login Attempts: This is actually an aaa authentication command. It controls
how many times in one session a RADIUS client (as well as clients using other forms of
access) can try to log in with the correct username and password. (Default: Three times
per session.)
(For RADIUS accounting features, refer to “Configuring RADIUS Accounting” on page 114.)
1. Configure Authentication for the Access Methods You Want RADIUS To Protect
This section describes how to configure the switch for RADIUS authentication through the following
access methods:
Console: Either direct serial-port connection or modem connection.
Telnet: Inbound Telnet must be enabled (the default).
SSH: To employ RADIUS for SSH access, you must first configure the switch for SSH
operation. Refer to “Configuring Secure Shell (SSH)” on page 78.
You can also use RADIUS for Port-Based Access authentication. Refer to “Configuring Port-Based
Access Control (802.1X)” on page 29.
You can configure RADIUS as the primary password authentication method for the above access
methods. You will also need to select either local or none as a secondary, or backup, method. Note
that for console access, if you configure radius (or tacacs) for primary authentication, you must
configure local for the secondary method. This prevents the possibility of being completely locked
out of the switch in the event that all primary access methods fail.
Syntax: aaa authentication < console | telnet | ssh > < enable | login > < radius >
    Configures RADIUS as the primary password authentication method for
    console, Telnet, and/or SSH. (The default primary < enable | login >
    authentication is local.)
[ < local | none > ]
    Options for secondary authentication (default: none). Note that for
    console access, secondary authentication must be local if primary access
    is not local. This prevents you from being completely locked out of the
    switch in the event of a failure in other access methods.
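
The console lockout rule above can be checked offline before a configuration is pushed to a switch. The following is an added example, not HP's code: the function names are hypothetical, the sample lines are constructed from the Syntax entry, and accepting local as an explicit primary keyword is an assumption.

```python
import re

# Grammar from the Syntax entry above. "tacacs" is included because the page
# names it as an alternative primary; "local" as an explicit primary keyword
# is an assumption of this example.
LINE = re.compile(
    r"^\s*aaa\s+authentication\s+(console|telnet|ssh)\s+(enable|login)\s+"
    r"(radius|tacacs|local)(?:\s+(local|none))?\s*$"
)

def parse_aaa(config_text):
    """Return {(access, level): (primary, secondary)}, starting from the
    documented defaults (primary local, secondary none)."""
    table = {(a, lvl): ("local", "none")
             for a in ("console", "telnet", "ssh") for lvl in ("enable", "login")}
    for line in config_text.splitlines():
        m = LINE.match(line)
        if m:
            access, level, primary, secondary = m.groups()
            table[(access, level)] = (primary, secondary or "none")
    return table

def audit(config_text):
    """Flag console entries that break the lockout rule, and Telnet/SSH
    entries that have no fallback if the primary server is unreachable."""
    findings = []
    for (access, level), (primary, secondary) in sorted(parse_aaa(config_text).items()):
        if primary == "local":
            continue
        if access == "console" and secondary != "local":
            findings.append((access, level, "LOCKOUT-RISK"))
        elif secondary == "none":
            findings.append((access, level, "NO-FALLBACK"))
    return findings

# Constructed sample configuration (not taken from a real switch).
SAMPLE = """\
aaa authentication console login radius local
aaa authentication console enable radius
aaa authentication telnet login radius none
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
"""

if __name__ == "__main__":
    for access, level, tag in audit(SAMPLE):
        print(f"{tag}: {access} {level}")
```

NO-FALLBACK is informational only, since the manual permits none as the secondary method for Telnet and SSH; LOCKOUT-RISK marks a console entry that violates the rule stated above.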