Configuring AAA ························································································································································· 1

AAA overview ··································································································································································· 1

RADIUS ······································································································································································ 2

HWTACACS ····························································································································································· 7

Domain-based user management ··························································································································· 9

AAA for MPLS L3VPNs ········································································································································· 10

Protocols and standards ······································································································································· 10

RADIUS attributes ·················································································································································· 11

AAA configuration considerations and task list ·········································································································· 14

Configuring AAA schemes ············································································································································ 15

Configuring local users ········································································································································· 15

Configuring RADIUS schemes ······························································································································ 20

Configuring HWTACACS schemes ····················································································································· 31

Configuring AAA methods for ISP domains ················································································································ 38

Configuration prerequisites ·································································································································· 38

Creating an ISP domain ······································································································································· 38

Configuring ISP domain attributes ······················································································································· 39

Configuring AAA authentication methods for an ISP domain ·········································································· 40

Configuring AAA authorization methods for an ISP domain ··········································································· 42

Configuring AAA accounting methods for an ISP domain ··············································································· 43

Tearing down user connections ···································································································································· 44

Configuring a NAS ID-VLAN binding ·························································································································· 45

Displaying and maintaining AAA ································································································································ 45

AAA configuration examples ········································································································································ 45

AAA for Telnet users by an HWTACACS server ······························································································· 45

AAA for Telnet users by separate servers ··········································································································· 47

Authentication/authorization for SSH/Telnet users by a RADIUS server ························································ 48

AAA for 802.1X users by a RADIUS server ······································································································· 51

Level switching authentication for Telnet users by an HWTACACS server ····················································· 58

RADIUS authentication and authorization for Telnet users by a switch ··························································· 61

Troubleshooting AAA ···················································································································································· 63

Troubleshooting RADIUS ······································································································································· 63

Troubleshooting HWTACACS ······························································································································ 64

802.1X overview ······················································································································································· 65

802.1X architecture ······················································································································································· 65

Controlled/uncontrolled port and port authorization status ······················································································ 65

802.1X-related protocols ·············································································································································· 66

Packet formats ························································································································································ 67

EAP over RADIUS ·················································································································································· 68

Initiating 802.1X authentication ··································································································································· 68

802.1X client as the initiator································································································································ 68

Access device as the initiator ······························································································································· 69

802.1X authentication procedures ······························································································································ 69

A comparison of EAP relay and EAP termination ······························································································ 70

EAP relay ································································································································································ 70

EAP termination ····················································································································································· 73

Configuring 802.1X ·················································································································································· 74

HP implementation of 802.1X ······································································································································ 74