Aaa Implementation On The Device - HPE FlexNetwork 5510 HI Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 5510 HI Series:
- Configuration manual (572 pages) ,
- Mpls configuration manual (505 pages) ,
- Layer 3 - ip routing configuration manual (486 pages)
Table of Contents
Advertisement
6.
After receiving the request, the LDAP server searches for the user DN by the base DN, search
scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify
the LDAP client of the successful search. There might be one or more user DNs found.
7.
The LDAP client uses the obtained user DN and the entered user password as parameters to
send a user DN bind request to the LDAP server. The server will check whether the user
password is correct.
8.
The LDAP server processes the request, and sends a response to notify the LDAP client of the
bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN
as the parameter to send a user DN bind request to the LDAP server. This process continues
until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the
LDAP client notifies the user of the login failure and denies the user's access request.
9.
The LDAP client and server perform authorization exchanges. If another scheme (for example,
an HWTACACS scheme) is expected for authorization, the LDAP client exchanges
authorization packets with the HWTACACS authorization server instead.
10. After successful authorization, the LDAP client notifies the user of the successful login.
AAA implementation on the device
This section describes AAA user management and methods.
User management based on ISP domains and user access types
AAA manages users based on the users' ISP domains and access types.
On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a
user belongs based on the username entered by the user at login.
Figure 8 Determining the ISP domain for a user by username
A user enters the
username in the form
userid@domain-name
or userid
AAA manages users in the same ISP domain based on the users' access types. The device supports
the following user access types:
•
LAN—LAN users must pass 802.1X or MAC authentication to come online.
•
Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device.
Terminal users can access through console ports.
•
Portal—Portal users must pass portal authentication to access the network.
•
HTTP or HTTPS—Users log in to the device through HTTP or HTTPS.
NOTE:
The device also provides authentication modules (such as 802.1X) for implementation of user
authentication management policies. If you configure these authentication modules, the ISP
domains for users of the access types depend on the configuration of the authentication modules.
NAS
Username contains
@domain-name?
No
The user belongs to the
default domain.
11
Yes
The user belongs to
domain domain-name.
- Quick Links:
- Radius
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
