Table Of Contents - HP 5120 SI Series Security Configuration Manual

Contents
AAA configuration
  AAA overview
    RADIUS
    HWTACACS
    Domain-based user management
    Protocols and standards
    RADIUS attributes
  FIPS compliance
  AAA configuration considerations and task list
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring HWTACACS schemes
  Configuring AAA methods for ISP domains
    Configuration prerequisites
    Creating an ISP domain
    Configuring ISP domain attributes
    Configuring AAA authentication methods for an ISP domain
    Configuring AAA authorization methods for an ISP domain
    Configuring AAA accounting methods for an ISP domain
  Tearing down user connections forcibly
  Configuring a NAS ID-VLAN binding
  Displaying and maintaining AAA
  AAA configuration examples
    AAA for Telnet users by an HWTACACS server
    AAA for Telnet users by separate servers
    Authentication/Authorization for SSH/Telnet users by a RADIUS server
    Level switching authentication for Telnet users by an HWTACACS server
  Troubleshooting AAA
    Troubleshooting RADIUS
    Troubleshooting HWTACACS
802.1X fundamentals
  Architecture of 802.1X
  Controlled/uncontrolled port and port authorization status
  802.1X-related protocols
    Packet format
    EAP over RADIUS
  Initiating 802.1X authentication
    802.1X client as the initiator
    Access device as the initiator
  802.1X authentication procedures
    A comparison of EAP relay and EAP termination
    EAP relay
    EAP termination
802.1X configuration
  HP implementation of 802.1X
    Access control methods
    Using 802.1X authentication with other features