R21xx-HP FlexFabric 11900 Security Configuration Guide

Contents
Configuring AAA .... 1
  Overview .... 1
    RADIUS .... 2
    HWTACACS .... 7
    LDAP .... 9
    AAA implementation on the device .... 11
    AAA for MPLS L3VPNs .... 13
    Protocols and standards .... 13
    RADIUS attributes .... 13
  FIPS compliance .... 16
  AAA configuration considerations and task list .... 16
  Configuring AAA schemes .... 18
    Configuring local users .... 18
    Configuring RADIUS schemes .... 21
    Configuring HWTACACS schemes .... 29
    Configuring LDAP schemes .... 35
  Configuring AAA methods for ISP domains .... 38
    Configuration prerequisites .... 38
    Creating an ISP domain .... 39
    Configuring ISP domain attributes .... 39
    Configuring authentication methods for an ISP domain .... 40
    Configuring authorization methods for an ISP domain .... 41
    Configuring accounting methods for an ISP domain .... 42
  Enabling the session-control feature .... 42
  Setting the maximum number of concurrent login users .... 43
  Displaying and maintaining AAA .... 43
  AAA for SSH users by an HWTACACS server .... 43
    Network requirements .... 43
    Configuration procedure .... 44
  AAA configuration examples .... 45
    Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users .... 45
    Authentication and authorization for SSH users by a RADIUS server .... 46
    Authentication for SSH users by an LDAP server .... 50
  Troubleshooting RADIUS .... 54
    RADIUS authentication failure .... 54
    RADIUS packet delivery failure .... 54
    RADIUS accounting error .... 55
  Troubleshooting HWTACACS .... 55
  Troubleshooting LDAP .... 55
Configuring password control .... 57
  Overview .... 57
    Password setting .... 57
    Password updating and expiration .... 58
    User login control .... 59
    Password not displayed in any form .... 59
    Logging .... 60
  FIPS compliance .... 60
  Password control configuration task list .... 60