HP (Hewlett-Packard) 5300XL User's Manual

HP ProCurve Switch 5300xl Series Reviewer’s Guide 
 
can be given specific network access rights, such as assignment to a specific VLAN and some high level 
session accounting information can be maintained. (See the next section.) 
With a centralized RADIUS server doing the actual authentication, a user can log-in anywhere in the 
network that supports 802.1x and get access to his resources. This is true whether the log-in occurs on 
a shared client, or the user is using a mobile client and accessing the network at different access 
points. 
One point to note about 802.1x access control is that it is applied at the port of the switch. Once access 
is given to the switch port, anyone connected through this port will have access to the services 
associated with the user that authenticated. If someone inadvertently or clandestinely places a switch 
or hub between the network access server and the authenticated client, any port on the introduced 
switch or hub has access to the configured network services of the authenticated client. One way to 
close this shortfall is to use the Port Security MAC Address Lockdown feature on the HP ProCurve 
Switch 5300xl Series, which is described in a following section. 
More details on 802.1x can be found in the white paper on the HP ProCurve website at 
 (select the information library). 
2.5.2.1  RADIUS Server Accounting 
Most RADIUS servers can provide not only authentication for the user, but can also keep track of some 
parameters associated with the authenticated user or the switch itself. These parameters are actually 
kept on the HP ProCurve Switch 5300xl Series and updated on the RADIUS server at either RADIUS 
session begin/end or just at session end. 
Three areas of parameters are tracked: 
•  Network Accounting – Keeps track of items for an authenticated user on a switch port 
such as Account ID, Username, Input and Output Packets, Account Termination 
Reason, etc.  
•  Exec Accounting – Keeps track of the same items used in Network Accounting, but for 
logon sessions under telnet, SSH and console. 
•  System Accounting – Keeps track of the same items used in Network Accounting, with 
actual recording of the items done on a system event, such as system reboot, system 
reset and accounting enable or disable. 
The primary purpose for RADIUS accounting is to have a security audit trail for user network usage or 
when switch events occur that affect the integrity of the network. 
RADIUS server accounting can also be used as a rudimentary form of tracking user network usage, but 
only covers very high level parameters such as total connect time, or total packets through the user’s 
switch port. 
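As an added illustration (not code from the guide or from HP), here is the shape of the Accounting-Request record a switch sends for such a session, written in Python to the RFC 2866 framing: the server-side authenticator check that protects the audit trail, and a decoder for the fields the text lists. The shared secret, session values and identifier are constructed.

```python
import hashlib
import hmac
import struct

# RFC 2866 Accounting-Request framing and the attribute types a switch reports
ACCT_REQUEST = 4
ATTR = {"User-Name": 1, "Acct-Status-Type": 40, "Acct-Session-Id": 44,
        "Acct-Session-Time": 46, "Acct-Input-Packets": 47,
        "Acct-Output-Packets": 48, "Acct-Terminate-Cause": 49}
NAME = {v: k for k, v in ATTR.items()}
INT_ATTRS = {40, 46, 47, 48, 49}          # 32-bit integer-valued attributes

def build_acct_request(secret: bytes, ident: int, attrs: dict) -> bytes:
    """Encode attributes and sign with the RFC 2866 Request Authenticator."""
    body = b""
    for name, value in attrs.items():
        data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        body += struct.pack("!BB", ATTR[name], 2 + len(data)) + data
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Authenticator = MD5(Code+ID+Length + 16 zero bytes + attributes + shared secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_acct_request(secret: bytes, pkt: bytes) -> bool:
    """Server-side integrity check: recompute the authenticator and compare."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def parse_attrs(pkt: bytes) -> dict:
    """Decode the attribute list into the audit-trail fields named in the text."""
    out, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        typ, ln = pkt[pos], pkt[pos + 1]
        data = pkt[pos + 2:pos + ln]
        out[NAME.get(typ, typ)] = (struct.unpack("!I", data)[0] if typ in INT_ATTRS
                                   else data.decode())
        pos += ln
    return out

# Constructed sample: a Stop record (Acct-Status-Type 2) for one switch-port session,
# Acct-Terminate-Cause 1 = User Request
SECRET = b"constructed-shared-secret"
STOP_RECORD = {"User-Name": "alice", "Acct-Status-Type": 2, "Acct-Session-Id": "0000002A",
               "Acct-Session-Time": 3600, "Acct-Input-Packets": 12345,
               "Acct-Output-Packets": 6789, "Acct-Terminate-Cause": 1}
```

A record whose authenticator fails to verify under the configured secret should be dropped rather than logged, since the authenticator is the only integrity protection the accounting packet carries.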
2.5.2.2  Standalone RADIUS Authentication 
RADIUS authentication can be used without using 802.1x. In this case RADIUS is used to provide user 
authentication when telnet, SSH or console port access authentication is required. Up to three RADIUS 
servers can be specified to provide backup capability in case the primary RADIUS server becomes 
unavailable. 
2.5.2.3  RADIUS Functionality - RFCs 
RFCs that were used or consulted in the development of the RADIUS functionality are: 
•  RFC-2865 - Remote Authentication Dial In User Service (RADIUS) 
•  RFC-2869 - RADIUS Extensions 
•  RFC-2138 - Extensible Authentication Protocol Support in RADIUS 
•  draft-congdon-radius-8021x-09.txt - IEEE 802.1X RADIUS Usage Guidelines 
 
© Hewlett-Packard Co. 2002, 2003 
Rev 1.1 – 2/11/2003 
http://www.hp.com/go/hpprocurve
 
Page 21 of 35