6-49
RADIUS Authentication, Authorization, and Accounting
Accounting Services
■
Commands accounting:
Provides records containing information
on CLI command execution during user sessions.
■
RADIUS accounting with IP attribute:
The RADIUS Attribute 8
(Framed-IP-Address) feature provides the RADIUS server with infor-
mation about the client’s IP address after the client is authenticated.
DHCP snooping is queried for the IP address of the client, so DHCP
snooping must be enabled for the VLAN of which the client is a
member.
When the switch begins communications with the RADIUS server it sends
the IP address of the client requesting access to the RADIUS server as
RADIUS Attribute 8 (Framed-IP-Address) in the RADIUS accounting
request. The RADIUS server can use this information to build a map of
usernames and addresses.
It may take a minute or longer for the switch to learn the IP address and
then send the accounting packet with the Framed-IP-Address attribute to
the RADIUS server. If the switch does not learn the IP address after a
minute, it sends the accounting request packet to the RADIUS server
without the Framed-IP-Address attribute. If the IP address is learned at a
later time, it will be included in the next accounting request packet sent.
The switch forwards the accounting information it collects to the designated
RADIUS server, where the information is formatted, stored, and managed by
the server. For more information on this aspect of RADIUS accounting, refer
to the documentation provided with your RADIUS server.
Operating Rules for RADIUS Accounting
■
You can configure up to four types of accounting to run simultane-
ously: exec, system, network, and command.
■
RADIUS servers used for accounting are also used for authentication.
■
The switch must be configured to access at least one RADIUS server.
■
RADIUS servers are accessed in the order in which their IP addresses
were configured in the switch. Use
show radius
to view the order. As
long as the first server is accessible and responding to authentication
• Acct-Session-Id
• Acct-Status-Type
• Service-Type
• Acct-Authentic
• User-Name
• NAS-IP-Address
• NAS-Identifier
• NAS-Port-Type
• Calling-Station-Id
• HP-Command-String
• Acct-Delay-Time
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......