R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

Contents

Security overview ························································································································································· 1

Network security threats ··················································································································································· 1

Network security services ················································································································································· 1

Network security technologies ········································································································································· 2

Identity authentication ·············································································································································· 2

Access security ·························································································································································· 2

Data security ····························································································································································· 3

Firewall and connection control ······························································································································ 3

Attack detection and protection ······························································································································ 4

Other security technologies ····································································································································· 5

Configuring AAA ························································································································································· 7

Overview ············································································································································································ 7

RADIUS ······································································································································································ 8

HWTACACS ·························································································································································· 13

Domain-based user management ························································································································ 15

AAA for MPLS L3VPNs ········································································································································· 16

Protocols and standards ······································································································································· 16

RADIUS attributes ·················································································································································· 17

AAA configuration considerations and task list ·········································································································· 20

Configuring AAA schemes ············································································································································ 21

Configuring local users ········································································································································· 21

Configuring RADIUS schemes ······························································································································ 26

Configuring HWTACACS schemes ····················································································································· 38

Configuring AAA methods for ISP domains ················································································································ 44

Creating an ISP domain ······································································································································· 45

Configuring ISP domain attributes ······················································································································· 45

Configuring authentication methods for an ISP domain ··················································································· 47

Configuring authorization methods for an ISP domain ····················································································· 49

Configuring accounting methods for an ISP domain ························································································· 50

Tearing down user connections ···································································································································· 52

Configuring a NAS ID-VLAN binding ·························································································································· 53

Displaying and maintaining AAA ································································································································ 53

AAA configuration examples ········································································································································ 54

RADIUS authentication/authorization for Telnet/SSH users ············································································· 54

Local authentication/authorization for Telnet/FTP users ··················································································· 57

AAA for PPP users by an HWTACACS server ··································································································· 58

Level switching authentication for Telnet users by a RADIUS server ································································ 60

AAA for portal users by a RADIUS server ·········································································································· 64

Troubleshooting AAA ···················································································································································· 70

Troubleshooting RADIUS ······································································································································· 70

Troubleshooting HWTACACS ······························································································································ 72

802.1X overview ······················································································································································· 73

802.1X architecture ······················································································································································· 73

Controlled/uncontrolled port and port authorization status ······················································································ 73

802.1X-related protocols ·············································································································································· 74

Packet formats ························································································································································ 75

EAP over RADIUS ·················································································································································· 76

Initiating 802.1X authentication ··································································································································· 76