Table Of Contents - HPE FlexFabric 7900 Series Security Configuration Manual

Contents
Configuring AAA ····························································································· 1
Overview ···························································································································································· 1
RADIUS ······················································································································································ 2
HWTACACS ··············································································································································· 6
AAA implementation on the device ············································································································ 9
Protocols and standards ·························································································································· 10
RADIUS attributes ···································································································································· 11
FIPS compliance ·············································································································································· 14
AAA configuration considerations and task list ································································································ 14
Configuring AAA schemes ······························································································································· 15
Configuring local users ····························································································································· 15
Configuring RADIUS schemes ················································································································· 18
Configuring HWTACACS schemes ·········································································································· 27
Configuring AAA methods for ISP domains ····································································································· 33
Configuration prerequisites ······················································································································ 33
Creating an ISP domain ··························································································································· 33
Setting the ISP domain status ·················································································································· 34
Configuring authentication methods for an ISP domain ··········································································· 34
Configuring authorization methods for an ISP domain ············································································· 35
Configuring accounting methods for an ISP domain ················································································ 36
Enabling the session-control feature ················································································································ 37
Setting the maximum number of concurrent login users ·················································································· 37
Displaying and maintaining AAA ······················································································································ 37
AAA configuration examples ···························································································································· 38
AAA for SSH users by an HWTACACS server ························································································ 38
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ····················· 39
Authentication and authorization for SSH users by a RADIUS server ····················································· 41
Troubleshooting RADIUS ································································································································· 44
RADIUS authentication failure ················································································································· 44
RADIUS packet delivery failure ················································································································ 45
RADIUS accounting error ························································································································· 45
Troubleshooting HWTACACS ·························································································································· 45
Configuring password control ······································································· 46
Overview ·························································································································································· 46
Password setting ······································································································································ 46
Password updating and expiration ··········································································································· 47
User login control ····································································································································· 48
Password not displayed in any form ········································································································ 48
Logging ···················································································································································· 48
FIPS compliance ·············································································································································· 49
Password control configuration task list ··········································································································· 49
Enabling password control ······························································································································· 49
Setting global password control parameters ···································································································· 50
Setting user group password control parameters ···························································································· 51
Setting local user password control parameters ······························································································ 51
Setting super password control parameters ···································································································· 52
Displaying and maintaining password control ·································································································· 53
Password control configuration example ········································································································· 53
Network requirements ······························································································································ 53
Configuration procedure ··························································································································· 54
Verifying the configuration ························································································································ 55
Managing public keys ··················································································· 57
Overview ·························································································································································· 57
FIPS compliance ·············································································································································· 57
Creating a local key pair ·································································································································· 57
i