Table Of Contents - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

Contents
Configuring AAA
  Overview
    RADIUS
    HWTACACS
    LDAP
    AAA implementation on the device
    AAA for MPLS L3VPNs
    Protocols and standards
    RADIUS attributes
  Command and hardware compatibility
  FIPS compliance
  AAA configuration considerations and task list
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring HWTACACS schemes
    Configuring LDAP schemes
  Configuring AAA methods for ISP domains
    Configuration prerequisites
    Creating an ISP domain
    Configuring ISP domain attributes
    Configuring authentication methods for an ISP domain
    Configuring authorization methods for an ISP domain
    Configuring accounting methods for an ISP domain
  Enabling the session-control feature
  Configuring the RADIUS DAE server feature
  Changing the DSCP priority for RADIUS packets
  Setting the maximum number of concurrent login users
  Configuring and applying an ITA policy
  Configuring a NAS-ID profile
  Configuring the Acct-Session-Id format
  Displaying and maintaining AAA
  AAA configuration examples
    Authentication and authorization for SSH users by a RADIUS server
    Local authentication and authorization for SSH users
    AAA for SSH users by an HWTACACS server
    Authentication for SSH users by an LDAP server
    Authentication and authorization for SSL VPN users by an LDAP server
    AAA for PPP users by an HWTACACS server
  Troubleshooting RADIUS
    RADIUS authentication failure
    RADIUS packet delivery failure
    RADIUS accounting error
  Troubleshooting HWTACACS
  Troubleshooting LDAP
802.1X overview
  802.1X architecture
  Controlled/uncontrolled port and port authorization status
  802.1X-related protocols
    Packet formats
    EAP over RADIUS
  802.1X authentication initiation
    802.1X client as the initiator
    Access device as the initiator
  802.1X authentication procedures
    Comparing EAP relay and EAP termination