RADIUS Authentication and Accounting
Switch Operating Rules for RADIUS
Shared Secret Key: A text value used for encrypting data in RADIUS packets.
Both the RADIUS client and the RADIUS server have a copy of the key, and
the key is never transmitted across the network.
Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS
server to specific an optional switch feature assigned by the server during an
authenticated client session.
Switch Operating Rules for RADIUS
■ You must have at least one RADIUS server accessible to the switch.
■ The switch supports authentication and accounting using up to three
RADIUS servers. The switch accesses the servers in the order in
which they are listed by show radius (page 5-43). If the first server does
not respond, the switch tries the next one, and so-on. (To change the
order in which the switch accesses RADIUS servers, refer to
“Changing RADIUS-Server Access Order” on page 5-47.)
■ You can select RADIUS as the primary authentication method for each
type of access. (Only one primary and one secondary access method
is allowed for each access type.)
■ In the ProCurve switch, EAP RADIUS uses MD5 and TLS to encrypt
a response to a challenge from a RADIUS server.
■ When primary/secondary authentication is set to Radius/Local (for
either Login or Enable) and the RADIUS server fails to respond to a
client attempt to authenticate, the failure is noted in the Event Log
with the message radius: Can't reach RADIUS server < server-ip-addr >.
When this type of failure occurs, the switch prompts the client again
to enter a username and password. In this case, use the local user-
name (if any) and password configured on the switch itself.
■ Zero-length usernames or passwords are not allowed for RADIUS
authentication, even though allowed by some RADIUS servers.
■ TACACS+ is not supported for the web browser interface access.
5-6
