HP (Hewlett-Packard) 2650 (J4899A/B) User's Manual

RADIUS Authentication and Accounting
Configuring the Switch for RADIUS Authentication
Server Dead-Time: The period during which the switch will not send
new authentication requests to a RADIUS server that has failed to
respond to a previous request. This avoids a wait for a request to time
out on a server that is unavailable. If you want to use this feature,
select a dead-time period of 1 to 1440 minutes. (Default: 0, disabled;
range: 1 - 1440 minutes.) If your first-choice server was initially
unavailable, but then becomes available before the dead-time expires,
you can nullify the dead-time by resetting it to zero and then trying to
log on again. As an alternative, you can reboot the switch (thus
resetting the dead-time counter to assume the server is available) and
then try to log on again.
Number of Login Attempts: This is an aaa authentication command.
It controls how many times in one session a RADIUS client (as well
as clients using other forms of access) can try to log in with the correct
username and password. (Default: Three times per session.)
(For RADIUS accounting features, refer to “Configuring RADIUS Accounting”
on page 5-17.)
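
The dead-time behaviour described above, modelled as an added example (not code from the manual or the switch firmware). The server names, the one-minute clock and the class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RadiusServerSelector:
    servers: list                  # preference order (hypothetical names)
    dead_time: int = 0             # minutes; 0 = disabled, otherwise 1-1440
    dead_until: dict = field(default_factory=dict)  # server -> minute it may be retried

    def __post_init__(self):
        self.set_dead_time(self.dead_time)

    def set_dead_time(self, minutes):
        if not 0 <= minutes <= 1440:
            raise ValueError("dead-time must be 0 (disabled) or 1-1440 minutes")
        self.dead_time = minutes
        if minutes == 0:
            self.dead_until.clear()   # resetting to zero nullifies running dead-times

    def authenticate(self, now, reachable):
        """Return (server that answered or None, servers that timed out)."""
        timed_out = []
        for server in self.servers:
            if now < self.dead_until.get(server, 0):
                continue              # inside its dead-time: no request is sent
            if server in reachable:
                return server, timed_out
            timed_out.append(server)  # request sent, no response received
            if self.dead_time:
                self.dead_until[server] = now + self.dead_time
        return None, timed_out

def demo():
    """Constructed timeline: first-choice server fails, then recovers early."""
    sel = RadiusServerSelector(["primary", "backup"], dead_time=10)
    out = [sel.authenticate(0, {"backup"})]                  # primary is down
    out.append(sel.authenticate(5, {"primary", "backup"}))   # primary is back, still skipped
    sel.set_dead_time(0)                                     # nullify the dead-time
    out.append(sel.authenticate(6, {"primary", "backup"}))   # primary is used again
    return out

if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the dead-time left at 0, every logon during an outage waits for the first-choice server to time out before the next server is tried.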
1. Configure Authentication for the Access Methods You Want RADIUS To Protect
This section describes how to configure the switch for RADIUS authentication 
through the following access methods:
Console: Either direct serial-port connection or modem connection.
Telnet: Inbound Telnet must be enabled (the default).
SSH: To employ RADIUS for SSH access, you must first configure the
switch for SSH operation. Refer to “Configuring Secure Shell (SSH)”
on page 6-1.
Web: Web browser interface (2600, 2600-PWR, and 2800 switches).
You can also use RADIUS for Port-Based Access authentication. Refer to 
“Configuring Port-Based Access Control (802.1X)” on page 8-1. 
You can configure RADIUS as the primary password authentication method
for the above access methods. You will also need to select either
local or none as a secondary, or backup, method. Note that for console
access, if you configure radius (or tacacs) for primary authentication,
you must configure local for the secondary method. This prevents the
possibility of being completely locked out of the switch in the event
that all primary access methods fail.