HP FlexNetwork 10500 Series Security Configuration Manual page 26

AAA methods
AAA supports configuring different authentication, authorization, and accounting methods for
different types of users in an ISP domain. When a user comes in, the NAS determines the user's ISP
domain and access type, then applies the methods configured for that access type in that domain to
control the user's access.
AAA also supports configuring a set of default methods for an ISP domain. The default methods
apply to any access type for which no specific AAA methods are configured.
The device supports the following authentication methods:
• No authentication—This method trusts all users and does not perform authentication. For
  security purposes, do not use this method.
• Local authentication—The NAS authenticates users by itself, based on the locally configured
  user information (usernames, passwords, and attributes). Local authentication is fast and
  inexpensive, but the number of accounts it can hold is limited by the device's storage space.
• Remote authentication—The NAS works with a RADIUS, HWTACACS, or LDAP server to
  authenticate users. The server manages user information in a centralized manner. Remote
  authentication provides high-capacity, reliable, centralized authentication for multiple NASs.
  You can configure backup methods to be used when the remote server is not available. A
  backup method is used only when the server does not respond; a user the server rejects is not
  retried against the backup method.
The device supports the following authorization methods:
• No authorization—The NAS performs no authorization exchange. The following default
  authorization information applies after users pass authentication:
  ◦ Non-login users can access the network.
  ◦ Login users obtain the default user role. For more information about the default user role
    feature, see Fundamentals Configuration Guide.
  ◦ FTP, SFTP, and SCP login users also have the root directory of the NAS set as their working
    directory. However, these users do not have permission to access the root directory.
• Local authorization—The NAS performs authorization according to the user attributes
  configured locally for the user.
• Remote authorization—The NAS works with a RADIUS, HWTACACS, or LDAP server to
  authorize users. RADIUS authorization is bound to RADIUS authentication: it can work only
  after RADIUS authentication succeeds, and the authorization attributes are carried in the
  Access-Accept packet, so you cannot pair RADIUS authorization with a different authentication
  method. HWTACACS authorization is a separate exchange from HWTACACS authentication;
  the authorization information is carried in the authorization response returned after successful
  authentication. You can configure backup methods to be used when the remote server is not
  available.
The device supports the following accounting methods:
• No accounting—The NAS does not perform accounting for the users.
• Local accounting—Local accounting is implemented on the NAS. It only counts and limits the
  number of concurrent users who use the same local user account; it does not provide usage
  statistics for charging.
• Remote accounting—The NAS works with a RADIUS server or HWTACACS server for
  accounting. You can configure backup methods to be used when the remote server is not
  available.
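The following configuration is an added example, not taken from this manual, showing how the
methods above fit together on a Comware 7 device such as the 10500: an HWTACACS scheme is the
primary method for login authentication, authorization, and accounting, the local database is the
backup used only when the server does not respond, and no method list contains none. It also turns
on the command authorization and command accounting services described under "login services"
below. The scheme name tac-corp, the domain name corp, the server address 192.0.2.10, the shared
key, and the fallback account netadmin and its password are placeholders chosen for this example.

```text
# HWTACACS scheme: server address, port and keys are placeholders.
hwtacacs scheme tac-corp
 primary authentication 192.0.2.10 49
 primary authorization 192.0.2.10 49
 primary accounting 192.0.2.10 49
 key authentication simple Example-Key-1
 key authorization simple Example-Key-1
 key accounting simple Example-Key-1
 user-name-format without-domain
 quit
#
# Local fallback account (placeholder name and password); it is reached
# only through the "local" backup method when the server is unreachable.
local-user netadmin class manage
 password simple Change-Me-Now1
 service-type ssh terminal
 authorization-attribute user-role network-admin
 quit
#
# ISP domain: remote method first, local as backup, no "none" anywhere.
# A weak variant to avoid would be "authentication login none", which
# admits every user without a credential check.
domain corp
 authentication login hwtacacs-scheme tac-corp local
 authorization login hwtacacs-scheme tac-corp local
 accounting login hwtacacs-scheme tac-corp local
 authorization command hwtacacs-scheme tac-corp local
 accounting command hwtacacs-scheme tac-corp
 quit
domain default enable corp
#
# Apply scheme authentication and per-command checks to the VTY lines.
line vty 0 63
 authentication-mode scheme
 command authorization
 command accounting
 quit
```

After applying it, check the method lists with display domain corp, log in once with the server
reachable and once with it blocked to confirm that the local backup is used only in the second case,
and verify that a user the server rejects is denied rather than retried locally. Keep the console line
on a separately reviewed method so a server outage cannot lock you out of the device.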
In addition, the device provides the following login services to enhance device security:
• Command authorization—Lets the authorization server decide whether each command a login
  user enters is permitted. Login users can execute only commands permitted by the
  authorization server. For more information about command authorization, see Fundamentals
  Configuration Guide.
• Command accounting—When command authorization is disabled, command accounting
  enables the accounting server to record all valid commands executed on the device. When
12