Table Of Contents - HPE Moonshot 45Gc Security Configuration Manual

Switch module
Table of Contents

Contents
Configuring AAA
  Overview
    RADIUS
    HWTACACS
    LDAP
    AAA implementation on the device
    AAA for MPLS L3VPNs
    Protocols and standards
    RADIUS attributes
  FIPS compliance
  AAA configuration considerations and task list
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring HWTACACS schemes
    Configuring LDAP schemes
  Configuring AAA methods for ISP domains
    Configuration prerequisites
    Creating an ISP domain
    Configuring ISP domain attributes
    Configuring authentication methods for an ISP domain
    Configuring authorization methods for an ISP domain
    Configuring accounting methods for an ISP domain
  Enabling the session-control feature
  Configuring the RADIUS DAE server feature
  Setting the maximum number of concurrent login users
  Configuring a NAS-ID profile
  Displaying and maintaining AAA
  AAA configuration examples
    AAA for SSH users by an HWTACACS server
    Authentication and authorization for SSH users by a RADIUS server
    Authentication for SSH users by an LDAP server
  Troubleshooting RADIUS
    RADIUS authentication failure
    RADIUS packet delivery failure
    RADIUS accounting error
  Troubleshooting HWTACACS
  Troubleshooting LDAP
802.1X overview
  802.1X architecture
  Controlled/uncontrolled port and port authorization status
  802.1X-related protocols
    Packet formats
    EAP over RADIUS
  802.1X authentication initiation
    802.1X client as the initiator
    Access device as the initiator
  802.1X authentication procedures
    Comparing EAP relay and EAP termination
    EAP relay
    EAP termination
Configuring 802.1X
  Access control methods
  802.1X VLAN manipulation