R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

Vendor-Length: Indicates the length of the sub-attribute.
Vendor-Data: Indicates the contents of the sub-attribute.
Figure 112 Segment of a RADIUS packet containing an extended attribute
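The extended-attribute layout described above, as an added example that is not part of the guide: a small encoder and a length-checking decoder for a RADIUS Vendor-Specific attribute (Type 26) carrying Vendor-ID, Vendor-Type, Vendor-Length and Vendor-Data sub-attributes. The vendor ID 12345 and the sub-attribute contents are constructed placeholders, not values from the LB module or any real vendor.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

VENDOR_SPECIFIC = 26  # RADIUS attribute type reserved for vendor-specific attributes

@dataclass
class VendorSubAttribute:
    vendor_id: int
    vendor_type: int
    vendor_data: bytes

def build_vendor_specific(vendor_id: int, subs: List[Tuple[int, bytes]]) -> bytes:
    """Encode sub-attributes as one Vendor-Specific attribute (Type 26)."""
    body = b"".join(bytes([vtype, len(data) + 2]) + data for vtype, data in subs)
    payload = struct.pack("!I", vendor_id) + body  # 4-octet Vendor-ID, high octet 0
    return bytes([VENDOR_SPECIFIC, len(payload) + 2]) + payload

def parse_vendor_specific(attr: bytes) -> List[VendorSubAttribute]:
    """Decode the layout of Figure 112: Type, Length, Vendor-ID, then one or more
    Vendor-Type / Vendor-Length / Vendor-Data sub-attributes.
    Every length field is checked against the bytes actually present, so a
    truncated or inconsistent attribute is rejected rather than read past its end."""
    if len(attr) < 7:
        raise ValueError("shorter than the minimum Vendor-Specific header")
    attr_type, attr_len = attr[0], attr[1]
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError(f"attribute type {attr_type} is not Vendor-Specific")
    if attr_len < 7 or attr_len > len(attr):
        raise ValueError(f"Length {attr_len} inconsistent with {len(attr)} bytes present")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-ID must be zero")
    subs, pos = [], 6
    while pos < attr_len:
        if attr_len - pos < 2:
            raise ValueError(f"dangling byte at offset {pos}")
        vendor_type, vendor_len = attr[pos], attr[pos + 1]
        if vendor_len < 2 or pos + vendor_len > attr_len:
            raise ValueError(f"Vendor-Length {vendor_len} at offset {pos} overruns attribute")
        subs.append(VendorSubAttribute(vendor_id, vendor_type, attr[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return subs

# Constructed sample: vendor ID 12345 is a placeholder; sub-attribute 1 carries
# a username string and sub-attribute 2 a two-octet value.
SAMPLE_VSA = build_vendor_specific(12345, [(1, b"admin"), (2, b"\x00\x03")])
```

A RADIUS server or NAS that skips the Vendor-Length check reads Vendor-Data from whatever follows the attribute; the decoder above fails closed on such input.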
Domain-based user management
On a NAS, each user belongs to one Internet service provider (ISP) domain. A NAS determines the ISP domain a user belongs to by the username entered by the user at login, and controls access of the user based on the AAA methods configured for the domain. If no specific AAA methods are configured for the domain, the default methods are used. See Figure 113. By default, a domain uses local authentication, local authorization, and local accounting.
Figure 113 Determine the ISP domain of a user by the username
AAA allows you to manage users based on their access types:
LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the network.
Login users—Users who want to log in to the LB module, including SSH users, Telnet users, web users, FTP users, and terminal users.
To enhance the security of the LB module, AAA provides the following additional services for Login users:
Level switching authentication—Allows the authentication server to authenticate users who perform privilege level switching. After passing level switching authentication, users can switch their user privilege levels without logging out or disconnecting their current connections. For more information about user privilege level switching, see System Management Configuration Guide.
You can configure different authentication, authorization, and accounting methods for different users in
a domain. See “Configuring AAA.”
[Figure 112 layout, bit positions 0, 7, 15, 23, 31: Type, Length, Vendor-ID (4 octets, continued into the second word), Vendor-Type, Vendor-Length, Vendor-Data (specified attribute value ...)]
[Figure 113 flow: a user enters the username in the form userid@domain-name or userid; the NAS checks whether the username carries @domain-name. Yes: use domain domain-name to authenticate the user. No: use the default domain to authenticate the user.]