R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

121

122

123

124

125

126

127

128

129

130

122

In addition, AAA provides the following services for login users to enhance device security:

• Command authorization—Enables the NAS to defer to the authorization server to determine

whether a command entered by a login user is permitted for the user, ensuring that login users

execute only commands they are authorized to execute. For more information about command

authorization, see Getting Started Guide.

• Command accounting—Allows the accounting server to record all commands executed on the

device or all authorized commands successfully executed. For more information about command

accounting, see Getting Started Guide.

You can configure different authentication, authorization, and accounting methods for different users in

a domain. See “Configuring AAA methods for ISP domains.“

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, HWTACACS:

• RFC 2865, Remote Authentication Dial In User Service (RADIUS)

• RFC 2866, RADIUS Accounting

• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

• RFC 2868, RADIUS Attributes for Tunnel Protocol Support

• RFC 2869, RADIUS Extensions

• RFC 1492, An Access Control Protocol, Sometimes Called TACACS

RADIUS attributes

Commonly used standard RADIUS attributes

Table 43 Commonly used standard RADIUS attributes

No. Attribute Descri

tion

1 User-Name Name of the user to be authenticated.

2 User-Password

User password for PAP authentication, present only in Access-Request packets in

PAP authentication mode.

3 CHAP-Password

Digest of the user password for CHAP authentication, present only in

Access-Request packets in CHAP authentication mode.

4 NAS-IP-Address

IP address for the server to identify a client. Usually, a client is identified by the IP

address of the access interface of the NAS, namely the NAS IP address. This

attribute is present in only Access-Request packets.

5 NAS-Port Physical port of the NAS that the user accesses.

6 Service-Type Type of service that the user has requested or type of service to be provided.

7 Framed-Protocol Encapsulation protocol for framed access.

8 Framed-IP-Address IP address assigned to the user.

11 Filter-ID Name of the filter list.

12 Framed-MTU

Maximum transmission unit (MTU) for the data link between the user and NAS.

For example, with 802.1X EAP authentication, NAS uses this attribute to notify

the server of the MTU for EAP packets, so as to avoid oversized EAP packets.

14 Login-IP-Host IP address of the NAS interface that the user accesses.