R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

161

162

163

164

165

166

167

168

169

170

160

NOTE:

Together with the AAA across VPNs feature, you can implement portal authentication across VPNs on

MCEs.

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, and HWTACACS:

• RFC 2865, Remote Authentication Dial In User Service (RADIUS)

• RFC 2866, RADIUS Accounting

• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

• RFC 2868, RADIUS Attributes for Tunnel Protocol Support

• RFC 2869, RADIUS Extensions

• RFC 1492, An Access Control Protocol, Sometimes Called TACACS

RADIUS attributes

Commonly used standard RADIUS attributes

Table 46 Commonly used standard RADIUS attributes

No. Attribute Descri

tion

1 User-Name Name of the user to be authenticated.

2 User-Password

User password for PAP authentication, present only in Access-Request packets in

PAP authentication mode.

3 CHAP-Password

Digest of the user password for CHAP authentication, present only in

Access-Request packets in CHAP authentication mode.

4 NAS-IP-Address

IP address for the server to identify a client. Usually, a client is identified by the IP

address of the access interface of the NAS, namely the NAS IP address. This

attribute is present in only Access-Request packets.

5 NAS-Port Physical port of the NAS that the user accesses.

6 Service-Type Type of service that the user has requested or type of service to be provided.

7 Framed-Protocol Encapsulation protocol for framed access.

8 Framed-IP-Address IP address assigned to the user.

11 Filter-ID Name of the filter list.

12 Framed-MTU Maximum transmission unit (MTU) for the data link between the user and NAS.

14 Login-IP-Host IP address of the NAS interface that the user accesses.

15 Login-Service Type of the service that the user uses for login.

18 Reply-Message

Text to be displayed to the user, which can be used by the server to indicate, for

example, the reason of the authentication failure.

26 Vendor-Specific

Vendor specific attribute. A packet can contain one or more such proprietary

attributes, each of which can contain one or more sub-attributes.

27 Session-Timeout

Maximum duration of service to be provided to the user before termination of the

session.