Protocols And Standards - HPE FlexFabric 7900 Series Security Configuration Manual

Hide thumbs Also See for FlexFabric 7900 Series:

Table of Contents

•

No authentication—This method trusts all users and does not perform authentication. For

security purposes, do not use this method.

•

Local authentication—The NAS authenticates users by itself, based on the locally configured

user information including the usernames, passwords, and attributes. Local authentication

allows high speed and low cost, but the amount of information that can be stored is limited by

the size of the storage space.

•

Remote authentication—The NAS works with a RADIUS or HWTACACS server to

authenticate users. The server manages user information in a centralized manner. Remote

authentication provides high capacity, reliable, and centralized authentication services for

multiple NASs. You can configure backup methods to be used when the remote server is not

available.

The device supports the following authorization methods:

•

No authorization—The NAS performs no authorization exchange. After passing

authentication, users can access the network, except FTP, SFTP, and SCP users. When an FTP,

SFTP, or SCP user passes authentication, the working directory is set to the root directory of the

NAS, but the user cannot access this directory.

•

Local authorization—The NAS performs authorization according to the user attributes locally

configured for users.

•

Remote authorization—The NAS works with a RADIUS or HWTACACS server to authorize

users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can

work only after RADIUS authentication is successful, and the authorization information is

included in the Access-Accept packet. HWTACACS authorization is separate from

HWTACACS authentication, and the authorization information is included in the authorization

response after successful authentication. You can configure backup methods to be used when

the remote server is not available.

The device supports the following accounting methods:

•

No accounting—The NAS does not perform accounting for the users.

•

Local accounting—Local accounting is implemented on the NAS. It counts and controls the

number of concurrent users who use the same local user account, but does not provide

statistics for charging.

•

Remote accounting—The NAS works with a RADIUS server or HWTACACS server for

accounting. You can configure backup methods to be used when the remote server is not

available.

In addition, the device provides the following login services to enhance device security:

•

Command authorization—Enables the NAS to let the authorization server determine whether

a command entered by a login user is permitted. Login users can execute only commands

permitted by the authorization server. For more information about command authorization, see

Fundamentals Configuration Guide.

•

Command accounting—When command authorization is disabled, command accounting

enables the accounting server to record all valid commands executed on the device. When

command authorization is enabled, command accounting enables the accounting server to

record all authorized commands. For more information about command accounting, see

Fundamentals Configuration Guide.

•

User role authentication—Authenticates each user who wants to obtain a temporary user role

without logging out or getting disconnected. For more information about temporary user role

authorization, see Fundamentals Configuration Guide.