6-5
RADIUS Authentication, Authorization, and Accounting
General RADIUS Setup Procedure
General RADIUS Setup Procedure
Preparation:
1. Configure one to fifteen RADIUS servers to support the switch. Refer to 
the documentation provided with the RADIUS server application.
2. Before configuring the switch, collect the information outlined below.
Table 6-1.  Preparation for Configuring RADIUS on the Switch
• Determine the access methods (console, Telnet, Port-Access (802.1X), WebAgent  and/or SSH) for which you want 
RADIUS as the primary authentication method. Consider both Operator (login) and Manager (enable) levels, as well 
as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not 
respond.
Figure 6-1. Example of Possible RADIUS Access Assignments
• Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch 
for up to fifteen RADIUS servers.)
• If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific 
RADIUS server, select it before beginning the configuration process.
• If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific 
Radius server, select it before beginning the configuration process.
• Determine whether you can use one, global encryption key for all RADIUS servers or if unique keys will be required 
for specific servers. With multiple RADIUS servers, if one key applies to two or more of these servers, then you can 
configure this key as the global encryption key. For any server whose key differs from the global key you are using, 
you must configure that key in the same command that you use to designate that server’s IP address to the switch. 
HP Switch(config)# show authentication
 Status and Counters - Authentication Information
  Login Attempts : 3
  Respect Privilege : Disabled
              | Login      Login        Enable     Enable
  Access Task | Primary    Secondary    Primary    Secondary
  ----------- + ---------- ------------ ---------- ----------
  Console     | Radius     Local        Radius     Local
  Telnet      | Radius     Local        Radius     Local
  Port-Access | EapRadius
  Webui       | Radius     Local        Radius     Local
  SSH         | Radius     Local        Radius     Local
  Web-Auth    | ChapRadius
  MAC-Auth    | ChapRadius 
 
Note: The WebAgent 
access task shown in this 
figure is available only on 
the switches covered in 
this guide.
Console access requires 
Local as secondary 
method to prevent lockout 
if the primary RADIUS 
access fails due to loss of 
RADIUS server access or 
other problems with the 
server.