Manualshelf

F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
201202203204205206207208209210
197
226BAAA for VPNs
When clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable
forwarding of RADIUS and HWTACACS packets across VPNs. With this feature, the MCE at the left side
of the backbone serves as a NAS and transparently delivers the AAA packets of private users in VPN 1
and VPN 2 to the AAA servers in VPN 3 for centralized authentication, as shown in
705HFigure 143.
Authentication packets of private users in different VPNs do not affect each other.
Figure 143 Network diagram
227BProtocols and standards
The following protocols and standards are related to AAA, RADIUS, and HWTACACS:
RFC 2865, Remote Authentication Dial In User Service (RADIUS)
RFC 2866, RADIUS Accounting
RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868, RADIUS Attributes for Tunnel Protocol Support
RFC 2869, RADIUS Extensions
RFC 1492, An Access Control Protocol, Sometimes Called TACACS
228BRADIUS attributes
This section provides tables of commonly used standard RADIUS attributes and HP proprietary RADIUS
sub-attributes.
422BCommonly used standard RADIUS attributes
No. Attribute Descri
p
tion
1 User-Name Name of the user to be authenticated.
2 User-Password
User password for PAP authentication, only present in Access-Request
packets when PAP authentication is used.
3 CHAP-Password
Digest of the user password for CHAP authentication, only present in
Access-Request packets when CHAP authentication is used.
4 NAS-IP-Address
IP address for the server to use to identify a client. Usually, a client is
identified by the IP address of its access interface. This attribute is only
present in Access-Request packets.