R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

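Table 48 AAA configuration task list

| Task | Subtask | Remarks |
|---|---|---|
| Configuring AAA schemes | Configuring local users | Required. Complete at least one task. |
| Configuring AAA schemes | Configuring RADIUS schemes in the web interface | Required. Complete at least one task. |
| Configuring AAA schemes | Configuring HWTACACS schemes in the web interface | Required. Complete at least one task. |
| Configuring AAA methods for ISP domains | Creating an ISP domain | Required. |
| Configuring AAA methods for ISP domains | Configuring ISP domain attributes | Optional. |
| Configuring AAA methods for ISP domains | Configuring AAA authentication methods for an ISP domain | Required. Complete at least one task. |
| Configuring AAA methods for ISP domains | Configuring AAA authorization methods for an ISP domain | Required. Complete at least one task. |
| Configuring AAA methods for ISP domains | Configuring AAA accounting methods for an ISP domain | Required. Complete at least one task. |
| Forcibly tearing down user connections | | Optional. |
| Configuring a NAS ID-VLAN binding | | Optional. |
| Displaying and maintaining AAA | | Optional. |
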
NOTE:
To use AAA methods to control access of login users, you must configure the login authentication mode for
the user interfaces as scheme by using the authentication-mode command.

Configuring AAA schemes
Configuring local users
To implement local user authentication, authorization, and accounting, you must create local users and
configure user attributes on the firewall. The local users and attributes are stored in the local user
database on the firewall. A local user is uniquely identified by a username. Configurable local user
attributes are as follows:
• Service type
  The types of the services that the user can use. Local authentication checks the service types of a
  local user. If none of the service types is available, the user cannot pass authentication.
  Service types include DVPN, FTP, portal, PPP, SSH, Telnet, terminal, and Web. In FIPS mode, the
  firewall does not support FTP and Telnet service types.
• User state
  Indicates whether or not a local user can request network services. There are two user states: active
  and blocked. A user in active state can request network services, but a user in blocked state
  cannot.
• Maximum number of users using the same local user account
  Indicates how many users can use the same local user account for local authentication.
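
The following audit script is an added example, not part of the HP guide. It checks a saved configuration against two points made above: that user interfaces must use the scheme authentication mode for AAA to apply, and that local users need a usable service type (FTP and Telnet being unsupported in FIPS mode). The configuration text syntax (local-user, service-type, state block, and user-interface sections with indented sub-commands) is assumed, and the sample is constructed.

```python
# Added example; the configuration syntax below is assumed, not taken from the guide.
FIPS_UNSUPPORTED = {"ftp", "telnet"}  # the guide: not supported in FIPS mode
SAMPLE_CONFIG = """\
local-user admin
 service-type ssh terminal
#
local-user legacy
 service-type telnet
 service-type ftp
#
local-user contractor
 state block
#
user-interface con 0
 authentication-mode password
#
user-interface vty 0 4
 authentication-mode scheme
"""  # constructed sample, not a real device configuration

def parse_sections(text):
    """Group indented sub-commands under their unindented section header."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            continue  # skip blank lines and section separators
        if line[0].isspace() and sections:
            sections[-1][1].append(line.split())
        elif not line[0].isspace():
            sections.append((line.strip(), []))
    return sections

def audit(text, fips_mode=False):
    """Return (section, finding) pairs for settings the guide calls out."""
    findings = []
    for header, body in parse_sections(text):
        kind = header.split()[0]
        if kind == "user-interface":
            modes = [cmd[1] for cmd in body if cmd[0] == "authentication-mode" and len(cmd) > 1]
            if modes[-1:] != ["scheme"]:  # the last setting wins; none set also fails
                findings.append((header, "login authentication mode is not scheme; AAA does not control logins"))
        elif kind == "local-user":
            services = {s for cmd in body if cmd[0] == "service-type" for s in cmd[1:]}
            if not services:
                findings.append((header, "no service type; local authentication will fail"))
            if fips_mode and services & FIPS_UNSUPPORTED:
                bad = ", ".join(sorted(services & FIPS_UNSUPPORTED))
                findings.append((header, f"service types not supported in FIPS mode: {bad}"))
    return findings
```

Calling audit(SAMPLE_CONFIG, fips_mode=True) returns one finding each for the legacy user, the contractor user, and the console user interface.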