RADIUS Services Support on HP Switches

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service. RADIUS is the transport for AAA services. These services can include user profiles (including stored user credentials), user access policies, and user activity statistics, all of which can reside on the same server. Gateway devices that control network access, such as remote access servers, VPN servers, and network switches, can use the RADIUS protocol to communicate with a RADIUS server for:

  • Authentication — verifying the credentials of users requesting access to the network.

  • Authorization — verifying the user access policy that determines how much and what kind of resources an authenticated user is allowed.

  • Accounting — keeping statistical information about user activities for accounting purposes.

This chapter provides information used for configuring CoS (802.1p priority), rate-limiting, and ACL client services on a RADIUS server. For information on configuring client authentication capability on the switch, see RADIUS Authentication, Authorization, and Accounting.

RADIUS services supported on the switch

| Service | Application | Standard RADIUS attribute[a] | HP vendor-specific RADIUS attribute (VSA) |
|---|---|---|---|
| CoS (Priority) | per-user | 59 | 40 |
| Ingress Rate-Limiting | per-user | - | 46 |
| Egress Rate-Limiting | per-port[b] | - | 48 |
| ACLs: IPv6 and/or IPv4 ACEs (NAS-Filter-Rule) | per-user | 92 | 61 |
| ACLs: NAS-Rules-IPv6 (sets IP mode to IPv4-only or IPv4 and IPv6) | per-user | - | 63 |

[a] HP recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.

[b] If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.
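To check which attribute form a RADIUS server actually sends for the services in the table, the following added example (not from the HP documentation) walks the attribute bytes of a server reply and flags services delivered only as a VSA where a standard attribute exists. It assumes RFC 2865 type-length-value encoding and that HP's enterprise number is 11; the sample bytes and their values are constructed placeholders.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
HP_VENDOR_ID = 11      # assumption: IANA enterprise number for HP (not stated on the page)

# service -> (standard attribute, HP VSA) as listed in the table; None = no standard attribute
SERVICES = {"CoS (Priority)": (59, 40), "Ingress Rate-Limiting": (None, 46),
            "Egress Rate-Limiting": (None, 48), "NAS-Filter-Rule ACEs": (92, 61),
            "NAS-Rules-IPv6": (None, 63)}

def tlvs(data):
    """Split bytes into (type, value) pairs; the length octet includes the 2-byte header."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def service_attributes(attr_bytes):
    """Return (standard attribute types, HP vendor types) present in the reply."""
    std, hp = set(), set()
    for atype, value in tlvs(attr_bytes):
        if atype != VENDOR_SPECIFIC:
            std.add(atype)
        elif len(value) >= 4 and struct.unpack("!I", value[:4])[0] == HP_VENDOR_ID:
            hp.update(t for t, _ in tlvs(value[4:]))   # other vendors' VSAs are ignored
    return std, hp

def audit(attr_bytes):
    """Map each service found to (forms sent, True if only the VSA was used
    although the table lists a standard attribute, see footnote [a])."""
    std, hp = service_attributes(attr_bytes)
    report = {}
    for name, (s, v) in SERVICES.items():
        forms = [f for f, hit in (("standard", s in std), ("vsa", v in hp)) if hit]
        if forms:
            report[name] = (forms, s is not None and "standard" not in forms)
    return report

def attr(t, value):
    """Build one TLV for the constructed sample below."""
    return bytes([t, len(value) + 2]) + value

# Constructed sample: attribute section of a server reply (values are placeholders).
SAMPLE = (attr(59, b"55555555")
          + attr(26, struct.pack("!I", 11) + attr(61, b"placeholder-rule"))
          + attr(26, struct.pack("!I", 9) + attr(46, b"\x00\x00\x27\x10"))  # non-HP vendor
          + attr(26, struct.pack("!I", 11) + attr(46, b"\x00\x00\x27\x10")))
```

Running `audit(SAMPLE)` marks the NAS-Filter-Rule ACEs entry for review, because the constructed reply carries VSA 61 without standard attribute 92.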

RADIUS client and server requirements

  • Clients can be dual-stack, IPv4-only, or IPv6-only.

  • Client authentication can be through 802.1X, MAC authentication, or web-based authentication. (Clients using web-based authentication must be IPv4-capable.)

  • Server must support IPv4 and have an IPv4 address.