Manualshelf

R21xx-HP FlexFabric 11900 Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products
11121314151617181920
12
AAA also supports configuring a set of default methods for an ISP domain. These default methods are
used for users for whom no specific AAA methods are configured.
The device supports the following authentication methods:
No authentication—This method trusts all users and does not perform authentication. For security
purposes, do not use this method.
Local authentication—The NAS authenticates users by itself, based on the locally configured user
information including the usernames, passwords, and attributes. Local authentication allows high
speed and low cost, but the amount of information that can be stored is limited by the size of the
storage space.
Remote authentication—The NAS cooperates with a RADIUS, HWTACACS, or LDAP server to
authenticate users. Remote authentication provides centralized information management, high
capacity, high reliability, and support for centralized authentication service for multiple NASs. You
can configure backup methods to be used when the remote server is not available.
The device supports the following authorization methods:
No authorization—The NAS performs no authorization exchange. After passing authentication,
non-login users can access the network, FTP users can access the root directory of the NAS, and
other login users obtain only the default user role.
Local authorization—The NAS performs authorization according to the user attributes locally
configured for users.
Remote authorization—The NAS cooperates with a RADIUS, HWTACACS, or LDAP server to
authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization
can work only after RADIUS authentication is successful, and the authorization information is
carried in the Access-Accept packet. HWTACACS authorization is separate from HWTACACS
authentication, and the authorization information is carried in the authorization response after
successful authentication. You can configure backup methods to be used when the remote server is
not available.
The device supports the following accounting methods:
No accounting—The NAS does not perform accounting for the users.
Local accounting—Local accounting is implemented on the NAS. It counts and controls the number
of concurrent users who use the same local user account, but does not provide statistics for
charging.
Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting.
You can configure backup methods to be used when the remote server is not available.
In addition, the device provides the following login services to enhance device security:
Command authorization—Enables the NAS to let the authorization server determine whether a
command entered by a login user is permitted, and allow login users to execute only authorized
commands. For more information about command authorization, see Fundamentals Configuration
Guide.
Command accounting—When command authorization is disabled, command accounting enables
the accounting server to record all valid commands executed on the device. When command
authorization is enabled, command accounting enables the accounting server to record all
authorized commands. For more information about command accounting, see Fundamentals
Configuration Guide.
User role switching authentication—Authenticates each user who wants to switch to another user
role without logging out or getting disconnected. For more information about user role switching,
see Fundamentals Configuration Guide.