Table Of Contents - HP 10500 Series Configuration Manual

Security configuration guide

Contents
Configuring AAA
Overview
RADIUS
HWTACACS
Domain-based user management
AAA for MPLS L3VPNs
Protocols and standards
RADIUS attributes
FIPS compliance
Configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring authentication methods for an ISP domain
Configuring authorization methods for an ISP domain
Configuring accounting methods for an ISP domain
Tearing down user connections
Configuring a NAS ID-VLAN binding
Displaying and maintaining AAA
AAA configuration examples
AAA for Telnet users by an HWTACACS server
Local authentication and authorization for Telnet users
Authentication/authorization for SSH/Telnet users by a RADIUS server
AAA for portal users by a RADIUS server
AAA for 802.1X users by a RADIUS server
Level switching authentication for Telnet users by an HWTACACS server
Troubleshooting AAA
Troubleshooting RADIUS
Troubleshooting HWTACACS
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
EAP over RADIUS
Initiating 802.1X authentication
802.1X client as the initiator
Access device as the initiator
802.1X authentication procedures
A comparison of EAP relay and EAP termination
EAP relay
EAP termination
Configuring 802.1X
HP implementation of 802.1X