R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

| To do… | Use the command… | Remarks |
|---|---|---|
| Configure the idle cut function | idle-cut enable minute [ flow ] | Optional. Disabled by default. This command is effective only for portal users and PPP users. |
| Enable the self-service server location function and specify the URL of the self-service server | self-service-url enable url-string | Optional. Disabled by default. |
| Define an IP address pool for allocating addresses to PPP users | ip pool pool-number low-ip-address [ high-ip-address ] | Optional. By default, no IP address pool is configured for PPP users. |
| Specify the default authorization user profile | authorization-attribute user-profile profile-name | Optional. By default, an ISP domain has no default authorization user profile. |

NOTE:
A self-service RADIUS server, such as Intelligent Management Center (IMC), is required for the self-service server location function to work.

Configuring AAA authentication methods for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to
the interactive authentication process of username/password/user information during an access or
service request. The authentication process neither sends authorization information to a supplicant nor
triggers any accounting.
AAA supports the following authentication methods:
• No authentication (none)—All users are trusted and no authentication is performed. Generally, do not use this method.
• Local authentication (local)—Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the hardware.
• Remote authentication (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to authenticate users. Remote authentication provides centralized information management, high capacity, high reliability, and support for centralized authentication service for multiple NASs. You can configure local or no authentication as the backup method, which will be used when the remote server is not available. No authentication can only be configured for LAN users as the backup method of remote authentication.
You can configure AAA authentication to work alone without authorization and accounting. By default,
an ISP domain uses the local authentication method.
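
The backup behaviour described above, as an added Python model (not HP code and not device CLI syntax): it audits a method chain against the rules in the text and shows that a none backup makes LAN access fail open when the remote server is unreachable. The class and function names, the access-type labels and the sample credentials are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthPolicy:
    access_type: str               # "lan", "portal" or "ppp" (labels assumed here)
    primary: str = "local"         # the page's default method for an ISP domain
    backup: Optional[str] = None   # "local" or "none"; only used with "scheme"

def audit(p):
    """Findings for one policy, applying the rules stated in the text."""
    findings = []
    if p.primary == "none":
        findings.append("primary none: all users are trusted")
    if p.backup is not None and p.primary != "scheme":
        findings.append("backup set without remote authentication")
    if p.backup == "none" and p.access_type != "lan":
        findings.append("backup none is only valid for LAN users")
    elif p.backup == "none" and p.primary == "scheme":
        findings.append("fail-open: server outage admits LAN users unauthenticated")
    return findings

def _check(db, user, password):
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, password)

def decide(p, user, password, remote_db, local_db, server_up):
    """Return (accepted, method_used) for one authentication attempt."""
    if p.primary == "none":
        return True, "none"
    if p.primary == "local":
        return _check(local_db, user, password), "local"
    if server_up:                  # a reachable server's reject is final
        return _check(remote_db, user, password), "scheme"
    if p.backup == "local":        # backup applies only when the server is down
        return _check(local_db, user, password), "local"
    if p.backup == "none":
        return True, "none"
    return False, "scheme"         # no backup configured: fail closed

# Constructed sample data, not taken from any real device.
REMOTE = {"alice": "r-secret"}
LOCAL = {"admin": "l-secret"}
lan = AuthPolicy("lan", "scheme", "none")
ppp = AuthPolicy("ppp", "scheme", "none")

if __name__ == "__main__":
    for pol in (lan, ppp, AuthPolicy("portal")):
        print(pol, audit(pol))
    print(decide(lan, "unknown-user", "x", REMOTE, LOCAL, server_up=True))
    print(decide(lan, "unknown-user", "x", REMOTE, LOCAL, server_up=False))
```
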
Before configuring authentication methods, complete the following tasks:
• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require a scheme.