Contents
Configuring AAA .......................................... 1
  Overview ................................................ 1
    RADIUS ................................................ 2
    HWTACACS .............................................. 6
    LDAP .................................................. 9
    AAA implementation on the device ..................... 12
    AAA for MPLS L3VPNs .................................. 14
    Protocols and standards .............................. 14
    RADIUS attributes .................................... 15
  FIPS compliance ........................................ 17
  AAA configuration considerations and task list ......... 18
  Configuring AAA schemes ................................ 19
    Configuring local users .............................. 19
    Configuring RADIUS schemes ........................... 26
    Configuring HWTACACS schemes ......................... 36
    Configuring LDAP schemes ............................. 42
  Configuring AAA methods for ISP domains ................ 46
    Configuration prerequisites .......................... 47
    Creating an ISP domain ............................... 47
    Configuring ISP domain attributes .................... 48
    Configuring authentication methods for an ISP domain . 50
    Configuring authorization methods for an ISP domain .. 51
    Configuring accounting methods for an ISP domain ..... 53
  Configuring the session-control feature ................ 55
  Configuring the RADIUS DAE server feature .............. 55
  Changing the DSCP priority for RADIUS packets .......... 56
  Setting the maximum number of concurrent login users ... 56
  Configuring and applying an ITA policy ................. 57
  Configuring a NAS-ID profile ........................... 58
  Configuring the device ID .............................. 58
  Displaying and maintaining AAA ......................... 58
  AAA configuration examples ............................. 59
    Authentication and authorization for SSH users by a RADIUS server ... 59
    Local authentication and authorization for SSH users . 62
    AAA for SSH users by an HWTACACS server .............. 63
    Authentication for SSH users by an LDAP server ....... 65
    AAA for PPP users by an HWTACACS server .............. 70
    ITA configuration example for IPoE users ............. 71
    Local guest configuration and management example ..... 75
  Troubleshooting RADIUS ................................. 77
    RADIUS authentication failure ........................ 77
    RADIUS packet delivery failure ....................... 77
    RADIUS accounting error .............................. 78
  Troubleshooting HWTACACS ............................... 78
  Troubleshooting LDAP ................................... 78
    LDAP authentication failure .......................... 78
802.1X overview ......................................... 80
  802.1X architecture .................................... 80
  Controlled/uncontrolled port and port authorization status ... 80
  802.1X-related protocols ............................... 81
    Packet formats ....................................... 81
    EAP over RADIUS ...................................... 82
  802.1X authentication initiation ....................... 83
    802.1X client as the initiator ....................... 83
    Access device as the initiator ....................... 84
  802.1X authentication procedures ....................... 84