Table Of Contents - HP 12500 Series Configuration Manual

Contents
Security overview
Network security threats
Network security services
Network security technologies
Identity authentication
Access security
Data security
Connection control
Attack detection and protection
Other security technologies
Configuring AAA
FIPS compliance
AAA overview
RADIUS
HWTACACS
Domain-based user management
AAA across MPLS L3VPNs
Protocols and standards
RADIUS attributes
AAA configuration considerations and task list
Configuring AAA schemes
Configuring local users
Configuring RADIUS schemes
Configuring HWTACACS schemes
Configuring AAA methods for ISP domains
Configuration prerequisites
Creating an ISP domain
Configuring ISP domain attributes
Configuring AAA authentication methods for an ISP domain
Configuring AAA authorization methods for an ISP domain
Configuring AAA accounting methods for an ISP domain
Tearing down user connections
Displaying and maintaining AAA
AAA configuration examples
AAA for Telnet users by an HWTACACS server
AAA for Telnet users by separate servers
Authentication/authorization for SSH/Telnet users by a RADIUS server
AAA for 802.1X users by a RADIUS server
Level switching authentication for Telnet users by an HWTACACS server
Troubleshooting AAA
Troubleshooting RADIUS
Troubleshooting HWTACACS
802.1X overview
802.1X architecture
Controlled/uncontrolled port and port authorization status
802.1X-related protocols
Packet formats
EAP over RADIUS