R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

Contents

Security overview ························································································································································· 1

Network security threats ··················································································································································· 1

Network security services ················································································································································· 1

Network security technologies ········································································································································· 2

Identity authentication ·············································································································································· 2

Access security ·························································································································································· 2

Data security ····························································································································································· 3

Firewall and connection control ······························································································································ 3

Attack detection and protection ······························································································································ 4

Other security technologies ····································································································································· 5

Configuring AAA ························································································································································· 6

Overview ············································································································································································ 6

RADIUS ······································································································································································ 7

HWTACACS ·························································································································································· 12

Domain-based user management ························································································································ 14

RADIUS server feature of the router ····················································································································· 15

AAA for MPLS L3VPNs ········································································································································· 16

Protocols and standards ······································································································································· 17

RADIUS attributes ·················································································································································· 17

FIPS compliance ····························································································································································· 20

AAA configuration considerations and task list ·········································································································· 20

Configuring AAA schemes ············································································································································ 22

Configuring local users ········································································································································· 22

Configuring RADIUS schemes ······························································································································ 27

Configuring HWTACACS schemes ····················································································································· 39

Configuring AAA methods for ISP domains ················································································································ 45

Creating an ISP domain ······································································································································· 45

Configuring ISP domain attributes ······················································································································· 46

Configuring authentication methods for an ISP domain ··················································································· 47

Configuring authorization methods for an ISP domain ····················································································· 50

Configuring accounting methods for an ISP domain ························································································· 53

Tearing down user connections ···································································································································· 55

Configuring a NAS ID-VLAN binding ·························································································································· 56

Configuring the router as a RADIUS server ················································································································· 56

RADIUS server functions configuration task list ·································································································· 56

Configuring a RADIUS user ·································································································································· 56

Specifying a RADIUS client ·································································································································· 57

Displaying and maintaining AAA ································································································································ 57

AAA configuration examples ········································································································································ 58

Authentication/authorization for Telnet/SSH users by a RADIUS server ························································ 58

Local authentication/authorization for Telnet/FTP users ··················································································· 63

AAA for PPP users by an HWTACACS server ··································································································· 64

Level switching authentication for Telnet users by a RADIUS server ································································ 66

RADIUS authentication/authorization portal users ···························································································· 70

RADIUS authentication and authorization for Telnet users by a network device ··········································· 76

Troubleshooting AAA ···················································································································································· 78

Troubleshooting RADIUS ······································································································································· 78

Troubleshooting HWTACACS ······························································································································ 79