HP 7102dl - ProCurve Secure Router Configuration Manual page 546

Virtual Private Networks
Configuring a VPN Using IPSec
10-52
Table 10-17. AAA List Authentication Methods
Database Location
router
RADIUS server or servers
TACACS+ server or servers
When you use the group keyword to specify RADIUS databases, you can
either enter the name of a configured group of servers, or you can use the
radius keyword, which selects all RADIUS servers. Similarly, you can either
enter group <groupname> for a specific set of TACACS+ servers or group
tacacs, which specifies all TACACS+ servers.
If you want the Xauth server to search more than one database, you should
specify all these locations in the order in which you want the server to search
them. For example, you could configure the Xauth server to search the router's
local database first and then, if this database does not include the host's
username, the database of any RADIUS server with which the router can
communicate. Enter:
ProCurve(config)# aaa authentication login xauth local group radius
Enabling the Xauth Server. You enable the Xauth server in an IKE policy.
First, create the IKE policy (or move to the configuration mode context for a
pre-existing policy) and set the peer ID. For a site-to-site VPN, the peer ID is
that of gateway device behind which the hosts you want to authenticate are
located. For a client-to-site VPN, the peer ID will typically be any.
Then, still in the IKE policy configuration mode context, enable the Xauth
server and specify the name of the AAA list configured for Xauth:
Syntax: client authentication server list <aaa listname>
For example:
ProCurve(config-ike)# client authentication server list xauth
Keyword
local
group
group
Command Syntax
aaa authentication login
<aaa listname> local
aaa authentication login
<aaa listname> group
[radius | <groupname>]
aaa authentication login
<aaa listname> group
[tacacs | <groupname>]