Preparation procedures for RADIUS

Procedure
  1. Configure one to fifteen RADIUS servers to support the switch. See the documentation provided with the RADIUS server application.
  2. Before configuring the switch, collect the following information:
    1. Determine the access methods (console, Telnet, REST, Port-Access (802.1X), WebAgent, and/or SSH) for which you want RADIUS as the primary authentication method. Consider both operator (login) and manager (enable) levels, as well as which secondary authentication methods to use (local or none) if RADIUS authentication fails or the server does not respond.
      switch(config)# show authentication
      
       Status and Counters - Authentication Information
       Authorized enabled as backup for secondary login are preceded by *
      
        Login Attempts : 3 
        Lockout Delay : 0   
        Respect Privilege : Disabled 
        Bypass Username For Operator and Manager Access : Disabled 
      
                       | Login       Login        Login     
        Access Task    | Primary     Server Group Secondary 
        -------------- + ----------- ------------ ----------
        Console        | Local                    None      
        Telnet         | Local                    None      
        Port-Access    | Local                    None      
        Webui          | Local                    None      
        SSH            | Local                    None      
        Web-Auth       | ChapRadius  radius       None      
        MAC-Auth       | ChapRadius  radius       None      
        SNMP           | Local                    None      
        Local-MAC-Auth | Local                    None      
        REST           | Local                    None      
      
                       | Enable      Enable       Enable    
        Access Task    | Primary     Server Group Secondary 
        -------------- + ----------- ------------ ----------
        Console        | Tacacs                   Local     
        Telnet         | Local                    None      
        Webui          | Local                    None      
        SSH            | Local                    None      
        REST           | Local                    None  
    2. Determine the IP addresses of the RADIUS servers to support the switch. You can configure the switch for up to fifteen RADIUS servers. See the documentation provided with the RADIUS server application for more information.
    3. If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.
    4. If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific RADIUS server, select it before beginning the configuration process.
    5. Determine whether to use one global encryption key for all RADIUS servers or if unique keys are required for specific servers. With multiple RADIUS servers, if one key applies to two or more of these servers, then you can configure this key as the global encryption key. For any server whose key differs from the global key you are using, you must configure that key in the same command that you use to designate that server's IP address to the switch.
    6. Determine an acceptable timeout period for the switch to wait for a server to respond to a request. Hewlett Packard Enterprise recommends that you begin with the default (five seconds).
    7. Determine how many times the switch can contact a RADIUS server before trying another RADIUS server or quitting. This depends on how many RADIUS servers you have configured the switch to access.
    8. Determine whether you want to bypass a RADIUS server that fails to respond to requests for service. To shorten authentication time, you can set a bypass period in the range of 1 to 1440 minutes for non-responsive servers. This requires that you have multiple RADIUS servers accessible for service requests.
    9. Optional: Determine whether the switch access level (manager or operator) for authenticated clients can be set by a Service Type value the RADIUS server includes in its authentication message to the switch. See Enabling manager access privilege (optional).
    10. Configure RADIUS on servers used to support authentication on the switch.
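
For step 2.1, the table printed by show authentication can be read mechanically when planning many switches. The following Python code is an added example, not HPE's code: it parses that output layout and reports which access tasks already use a RADIUS primary method and which of those have no secondary method to fall back on. The function names and the sample text are constructed for illustration.

```python
# Constructed sample in the layout of the `show authentication` output above (subset of rows).
SAMPLE = """
                | Login       Login        Login
 Access Task    | Primary     Server Group Secondary
 -------------- + ----------- ------------ ----------
 Console        | Local                    None
 SSH            | Local                    None
 Web-Auth       | ChapRadius  radius       None

                | Enable      Enable       Enable
 Access Task    | Primary     Server Group Secondary
 -------------- + ----------- ------------ ----------
 Console        | Tacacs                   Local
 SSH            | Local                    None
"""

def parse_show_authentication(text):
    """Return one dict per table row: level, task, primary, group, secondary."""
    rows, level = [], None
    for line in text.splitlines():
        if "|" not in line:
            continue  # prompt, counters, separator and blank lines
        task, _, rest = line.partition("|")
        task, fields = task.strip(), rest.split()
        if not task:  # "| Login Login Login" or "| Enable Enable Enable"
            level = fields[0].lower() if fields else level
            continue
        if task == "Access Task" or level is None or len(fields) not in (2, 3):
            continue
        # The Server Group column is blank unless a server group is in use.
        group = fields[1] if len(fields) == 3 else ""
        rows.append({"level": level, "task": task, "primary": fields[0],
                     "group": group, "secondary": fields[-1]})
    return rows

def planning_report(rows):
    """Group (level, task) pairs by whether RADIUS is primary and whether a fallback exists."""
    uses_radius = lambda r: "radius" in r["primary"].lower()
    key = lambda r: (r["level"], r["task"])
    return {
        "radius_primary": [key(r) for r in rows if uses_radius(r)],
        "not_radius": [key(r) for r in rows if not uses_radius(r)],
        "radius_no_fallback": [key(r) for r in rows
                               if uses_radius(r) and r["secondary"] == "None"],
    }

if __name__ == "__main__":
    for name, items in planning_report(parse_show_authentication(SAMPLE)).items():
        print(name, items)
```

Paste the full command output in place of SAMPLE; lines without a "|" column divider are ignored.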