Model: HPE 2930F (JL254A)
Software revision: WC.16.01.001
- NV_IP, NV_P_IP, NV_S_IP - NACVIEW (NV) floating (VRRP), primary and secondary IP addresses
- RADIUS_KEY - RADIUS shared secret
- RADIUS_GROUP - RADIUS server group name
- SW_IP - Switch management IP address
- SNMP_SECRET - SNMPv2c community string
- SNMP_AUTH & SNMP_PRIV - SNMPv3 authentication and privacy passwords
- SNMP_USER & SNMP_GROUP - SNMPv3 user and group
- CONF_FILE - Configuration file name
- TAC+_KEY - TACACS+ shared secret
- VLAN_X - Authorization target VLAN (VLAN ID X)
radius-server host 'NV_IP' key 'RADIUS_KEY'
radius-server host 'NV_IP' dyn-authorization
radius-server host 'NV_IP' time-window 0
aaa server-group radius 'RADIUS_GROUP' host 'NV_IP'
radius-server host 'NV_P_IP' key 'RADIUS_KEY'
radius-server host 'NV_P_IP' dyn-authorization
radius-server host 'NV_P_IP' time-window 0
radius-server host 'NV_S_IP' key 'RADIUS_KEY'
radius-server host 'NV_S_IP' dyn-authorization
radius-server host 'NV_S_IP' time-window 0
radius-server timeout 3
radius-server dead-time 5
radius-server timeout is the time in seconds the switch waits for a reply to a request before it gives up on that server and tries the next one. radius-server dead-time is the time in minutes for which a server that did not reply is marked as unavailable and skipped before it is retried. These values allow a smooth switch-over between the primary and secondary NV, for example during an update. time-window 0 disables the Event-Timestamp check on dynamic authorization (CoA/Disconnect) requests from that host; this avoids rejections when the clocks of the switch and NV drift apart, but it also removes the replay protection for those requests, so keep the clocks synchronised with NTP and use a non-zero window where possible.
radius-server dyn-autz-port 3799
The port on which the switch listens for dynamic authorization (CoA/Disconnect) requests from NV. The profile to select in NV is Aruba. The standard port is UDP 3799.
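The dynamic authorization exchange configured above, as an added example that is not part of the original page and not NACVIEW or HPE code: NV sends a RADIUS Disconnect-Request (RFC 5176) to the switch's dyn-autz-port, and the switch checks the Request Authenticator and Message-Authenticator against the shared secret and the Event-Timestamp against its time-window. The script builds such a packet and then verifies it as the receiving side would, including the case time-window 0 from the configuration above produces: a stale (replayed) request is accepted. The user name, MAC address, session id and NAS address are constructed sample values; the authenticator order (Message-Authenticator first with a zeroed Request Authenticator field, then the Request Authenticator over the finished packet) is the one FreeRADIUS and pyrad use.

```python
"""RADIUS Disconnect-Request (RFC 5176) as NV sends it to the switch's
dyn-autz-port, and the checks the receiving side performs on it.
Added example for this page, not code from NACVIEW or HPE; all session
values are constructed sample data."""
import hashlib
import hmac
import struct
import time

DISCONNECT_REQUEST = 40            # RADIUS code (RFC 5176)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_EVENT_TIMESTAMP = 55
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def _attr(atype, value):
    """Encode one RADIUS TLV attribute (type, length, value)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_disconnect_request(secret, identifier, user, mac, session_id, nas_ip, event_ts):
    """Build the wire bytes of a Disconnect-Request for one client session."""
    attrs = (
        _attr(ATTR_USER_NAME, user.encode())
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(ATTR_CALLING_STATION_ID, mac.encode())  # multi-colon-uppercase, as on the page
        + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
        + _attr(ATTR_EVENT_TIMESTAMP, struct.pack("!I", event_ts))
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled in below
    )
    length = HEADER.size + len(attrs)
    zero_hdr = HEADER.pack(DISCONNECT_REQUEST, identifier, length, bytes(16))
    # Message-Authenticator: HMAC-MD5 over the packet with the Request
    # Authenticator field and the attribute value both zeroed.
    msg_auth = hmac.new(secret, zero_hdr + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    # Request Authenticator: MD5(Code+ID+Length+16 zero octets+attributes+secret),
    # computed like an Accounting-Request (RFC 2866), which RFC 5176 reuses.
    req_auth = hashlib.md5(zero_hdr + attrs + secret).digest()
    return HEADER.pack(DISCONNECT_REQUEST, identifier, length, req_auth) + attrs


def parse_attributes(payload):
    """Split RADIUS TLVs into [(type, value_offset, value)]; None if malformed."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            return None
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            return None
        out.append((atype, pos + 2, payload[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_disconnect_request(packet, secret, now, time_window):
    """Check a received Disconnect-Request as the switch would. Returns (accepted, reason).
    time_window is the configured 'radius-server host ... time-window' in seconds;
    0 skips the Event-Timestamp check entirely. This verifier requires Message-Authenticator."""
    if len(packet) < HEADER.size:
        return False, "short packet"
    code, ident, length, req_auth = HEADER.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False, "bad code or length"
    attrs = packet[HEADER.size:]
    parsed = parse_attributes(attrs)
    if parsed is None:
        return False, "malformed attributes"
    zero_hdr = HEADER.pack(code, ident, length, bytes(16))
    if not hmac.compare_digest(hashlib.md5(zero_hdr + attrs + secret).digest(), req_auth):
        return False, "bad Request Authenticator (wrong shared secret or tampered packet)"
    ma = [(off, val) for t, off, val in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return False, "missing Message-Authenticator"
    off, val = ma[0]
    zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zero_hdr + zeroed, hashlib.md5).digest(), val):
        return False, "bad Message-Authenticator"
    if time_window > 0:
        ts = [val for t, _, val in parsed if t == ATTR_EVENT_TIMESTAMP]
        if not ts or len(ts[0]) != 4:
            return False, "Event-Timestamp required when time-window > 0"
        if abs(now - struct.unpack("!I", ts[0])[0]) > time_window:
            return False, "Event-Timestamp outside time-window (replay or clock skew)"
    return True, "accepted"


SECRET = b"RADIUS_KEY"  # placeholder name from the page's variable list


def demo():
    """Four outcomes: fresh request, wrong secret, stale request, stale request with time-window 0."""
    now = int(time.time())
    pkt = build_disconnect_request(SECRET, 7, "laptop01", "00:11:22:AA:BB:CC",
                                   "0000001A", "192.0.2.10", now)
    return [
        verify_disconnect_request(pkt, SECRET, now, 300),        # accepted
        verify_disconnect_request(pkt, b"wrong-key", now, 300),  # rejected: secret
        verify_disconnect_request(pkt, SECRET, now + 900, 300),  # rejected: 900 s old
        verify_disconnect_request(pkt, SECRET, now + 900, 0),    # accepted: no window check
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The last two results are the point of the caveat above: the same 15-minute-old packet is rejected with the default 300-second window and accepted with time-window 0, so anyone who captured a Disconnect-Request can replay it to kick the client off the port as long as the window check is disabled.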
aaa authentication port-access eap-radius server-group 'RADIUS_GROUP' cached-reauth authorized
aaa authentication mac-based chap server-group 'RADIUS_GROUP' cached-reauth authorized
Authentication settings for network access: 802.1X with EAP over RADIUS, and MAC authentication with CHAP, both against the NV server group. cached-reauth authorized keeps an already authenticated client authorized when the RADIUS servers are unreachable at re-authentication time, provided it re-authenticates with the same parameters as before.
aaa accounting network start-stop radius server-group 'RADIUS_GROUP'
aaa accounting update periodic 300
Accounting settings for network access: start and stop records sent to the NV server group, plus periodic interim updates.
aaa port-access authenticator active
aaa port-access mac-based addr-format multi-colon-uppercase
Global port-access settings: the first activates 802.1X authentication on the configured ports, the second sets the format in which client MAC addresses are sent as the user name for MAC authentication (it must match the format expected by NV).
aaa port-access 1-8 controlled-direction in
aaa port-access 1-8 auth-order mac-based authenticator
aaa port-access 1-8 auth-priority authenticator mac-based
Per-port settings for ports 1-8: controlled-direction in blocks only incoming traffic until authentication succeeds, auth-order mac-based authenticator tries MAC authentication first and 802.1X second, and auth-priority authenticator mac-based lets an 802.1X result take precedence over a MAC authentication result. Not needed on ports that use 802.1X only, but recommended for ports with MAC or combined authentication.
aaa port-access authenticator 1
aaa port-access authenticator 1 control auto
aaa port-access authenticator 1 reauth-period 7200
aaa port-access authenticator 1 client-limit 1
aaa port-access mac-based 2
aaa port-access mac-based 2 reauth-period 7200
aaa port-access mac-based 2 mac-pin
aaa port-access mac-based 2 addr-moves
aaa port-access mac-based 2 quiet-period 20
aaa port-access authenticator 3
aaa port-access authenticator 3 control auto
aaa port-access authenticator 3 reauth-period 7200
aaa port-access authenticator 3 client-limit 2
aaa port-access authenticator 3 quiet-period 20
aaa port-access mac-based 3
aaa port-access mac-based 3 reauth-period 7200
aaa port-access mac-based 3 quiet-period 20
aaa port-access mac-based 3 mac-pin
aaa port-access mac-based 3 addr-moves
Per-port examples: port 1 uses 802.1X only (a single client), port 2 MAC authentication only, port 3 both methods (up to two 802.1X clients). reauth-period is the re-authentication interval in seconds and quiet-period the pause in seconds after a failed attempt.
aaa authentication login privilege-mode
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs authorized
Authentication settings for TACACS+. aaa authentication login privilege-mode places a user whose TACACS+ account carries manager privilege directly in manager mode at login. aaa authentication ssh login tacacs local means that a login to the device is first attempted against the TACACS+ server and, if it is unavailable, against a local account. This applies only to SSH logins; web and console access use local authentication only. Note that the fallback for enable is authorized rather than local: while TACACS+ is unreachable, the enable step is granted without a further credential check, so use local there if a second password check is required.
aaa authorization commands auto
aaa accounting commands interim-update tacacs
aaa accounting exec start-stop tacacs
Command authorization and accounting settings for TACACS+: per-command authorization, command accounting with interim updates, and start/stop records for exec sessions.
tacacs-server host 'NV_P_IP' key 'TAC+_KEY'
tacacs-server host 'NV_S_IP' key 'TAC+_KEY'
tacacs-server timeout 2
tacacs-server dead-time 5
Definitions of the TACACS+ servers (primary and secondary NV); timeout and dead-time have the same meaning as for RADIUS.
snmpv3 enable
SNMPv3 initialization. The interactive dialogue that follows creates a bootstrap user 'initial' with MD5 authentication and DES privacy; it is replaced by the SHA user created below and then removed.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] 'n'
User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] 'y'
snmpv3 only
snmpv3 group operatorauth user 'SNMP_USER' sec-model ver3
snmpv3 user 'SNMP_USER' auth sha 'SNMP_AUTH' priv 'SNMP_PRIV'
no snmpv3 user initial
no snmp-server community public
no snmp-server community private
snmp-server community 'SNMP_SECRET' manager unrestricted
snmp-server enable
snmp-server host 'NV_IP' 'SNMP_SECRET'
Creates the SNMPv3 user for NV (SHA authentication, privacy enabled) in the built-in operatorauth group, removes the bootstrap user initial and the default communities public and private, and configures the SNMPv2c community and trap destination for NV. Specify the privacy protocol explicitly (priv aes) where the software release supports it, since priv alone defaults to DES. Note that snmpv3 only makes the switch ignore SNMPv1/v2c requests, so it must be omitted if NV is to poll the switch over SNMPv2c with SNMP_SECRET. A community with manager unrestricted gives full write access to anyone who knows the string, which is sent in cleartext, so prefer SNMPv3 for polling and limit the community to the access NV actually needs.
logging 'NV_IP'
debug security radius-server
debug security port-access
debug destination buffer
logging 'NV_IP' sends the switch's syslog messages to NV. The debug commands enable debug output for RADIUS and port access and write it to the switch's internal buffer rather than to the console or a syslog server, which is useful while troubleshooting authentication; turn the debug flags off again when done.
show radius
show radius dyn-authorization
show authentication
show port-access clients
show port-access authenticator clients
show port-access authenticator ethernet 1 clients
These commands show the RADIUS server status and statistics, the dynamic authorization (CoA) status, the configured authentication methods, and the clients currently authenticated on ports (the last one for port 1 only).
aaa port-access authenticator ethernet 1 reauthenticate
Forces re-authentication of the 802.1X clients on port 1 from the switch side.
Displaying the current configuration.
show running-config
Displaying the saved configuration.
show config
Check if the saved and current configurations differ.
show config status
Copying the running configuration to the TFTP server on NV (the unix keyword writes the file with Unix line endings).
copy running-config tftp 'NV_IP' 'CONF_FILE' unix
The export contains the RADIUS and TACACS+ keys and the SNMP community strings, and TFTP transfers it in cleartext, so only do this over a trusted management network; enabling encrypt-credentials on the switch stores those keys in encrypted form in the configuration.
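Once the configuration has been exported, the file can be checked for the points discussed on this page. The following script is an added example, not part of the original page and not NACVIEW or HPE tooling: it audits a constructed sample export (the 192.0.2.x addresses and the editor comment line are sample data) for RADIUS hosts without dyn-authorization, time-window 0, 802.1X configured on ports without aaa port-access authenticator active, the default communities, an SNMPv2c community with manager write access, a leftover initial SNMPv3 user, and the authorized fallback on SSH enable.

```python
"""Audit an exported ArubaOS-Switch running-config for the settings this
page discusses. Added example, not part of the original page nor of NACVIEW
or HPE tooling; SAMPLE_CONFIG is a constructed export that deliberately
contains several of the weaknesses the checks look for."""
import re

SAMPLE_CONFIG = """\
; JL254A Configuration Editor; Created on release #WC.16.01.001 (constructed sample)
radius-server host 192.0.2.5 key RADIUS_KEY
radius-server host 192.0.2.5 dyn-authorization
radius-server host 192.0.2.5 time-window 0
radius-server host 192.0.2.6 key RADIUS_KEY
radius-server dyn-autz-port 3799
aaa port-access authenticator 1-2
aaa port-access authenticator 1 client-limit 1
aaa port-access mac-based 3
snmpv3 user initial
snmp-server community "public" operator unrestricted
snmp-server community "SNMP_SECRET" manager unrestricted
snmp-server host 192.0.2.5 "SNMP_SECRET"
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs authorized
"""


def expand_ports(spec):
    """Expand a port list such as '1-3,5' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(config_text):
    """Return [(severity, finding)] for one running-config export."""
    findings = []
    radius_hosts, coa_hosts, dot1x_ports, dot1x_active = set(), set(), set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and editor comments
            continue
        if m := re.match(r"radius-server host (\S+) key ", line):
            radius_hosts.add(m.group(1))
        elif m := re.match(r"radius-server host (\S+) dyn-authorization$", line):
            coa_hosts.add(m.group(1))
        elif m := re.match(r"radius-server host (\S+) time-window 0$", line):
            findings.append(("MEDIUM", f"RADIUS host {m.group(1)}: time-window 0 disables the "
                             "Event-Timestamp replay check on CoA/Disconnect requests"))
        elif m := re.match(r"aaa port-access authenticator ([\d,-]+)$", line):
            dot1x_ports |= expand_ports(m.group(1))
        elif line == "aaa port-access authenticator active":
            dot1x_active = True
        elif m := re.match(r'snmp-server community "?([^"\s]+)"?(?: (operator|manager))? (un)?restricted$', line):
            name, role, unrestricted = m.group(1), m.group(2) or "operator", bool(m.group(3))
            if name.lower() in ("public", "private"):
                findings.append(("HIGH", f"default SNMP community '{name}' still configured"))
            if role == "manager" and unrestricted:
                findings.append(("HIGH", f"SNMPv2c community '{name}' grants manager write access; "
                                 "the string travels in cleartext"))
        elif re.match(r"snmpv3 user initial\b", line):
            findings.append(("MEDIUM", "SNMPv3 bootstrap user 'initial' (MD5/DES) still present"))
        elif re.match(r"aaa authentication ssh enable \S+ authorized$", line):
            findings.append(("MEDIUM", "SSH enable falls back to 'authorized': manager level is granted "
                             "without a further credential check while TACACS+ is unreachable"))
    for host in sorted(radius_hosts - coa_hosts):
        findings.append(("LOW", f"RADIUS host {host} lacks dyn-authorization, so NV cannot send "
                         "CoA/Disconnect through it"))
    if dot1x_ports and not dot1x_active:
        findings.append(("HIGH", f"802.1X configured on ports {sorted(dot1x_ports)} but "
                         "'aaa port-access authenticator active' is missing, so it is not enforced"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

Run it against a real export by reading the file into audit() instead of SAMPLE_CONFIG; the checks are line-based and tolerate the quoting and port ranges (1-2, 1,3,5) that show running-config produces, and each finding maps back to one of the settings explained on this page.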