R2511-HP MSR Router Series Security Configuration Guide(V5)
Figure 8 Devices functioning as a RADIUS server
The device can serve as a RADIUS server to provide user information management, RADIUS client
management, and RADIUS authentication and authorization.
You can create, modify, and delete user information, including the username, password, authority,
lifetime, and user description.
You can create and delete RADIUS clients, which are identified by IP addresses and configured with
attributes such as a shared key. With a managed client range configured, the RADIUS server processes
only the RADIUS packets from the clients within the management range. Shared keys are used to ensure
secure communication between a RADIUS client and the RADIUS server.
With the RADIUS server enabled, the device first checks whether the client that sent an incoming RADIUS
packet is under its management. If it is, the device verifies the packet with the shared key configured
for that client, checks whether an account with the given username exists, whether the password is correct,
and whether the user attributes meet the requirements defined on the RADIUS server (for example, whether
the account has expired). If authentication succeeds, the RADIUS server assigns the corresponding
authority to the user; if it fails, the server rejects the request.
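The processing sequence described above (managed-client check, shared-key validation, account lookup, password check, expiry check, then Access-Accept or Access-Reject) as an added Python example. This is not code from the guide or from HP's implementation: the managed range, client shared key and user accounts are constructed sample data, and the RFC 2869 Message-Authenticator attribute is used as the shared-key validation step, since a plain RFC 2865 Access-Request carries no other integrity check (with the wrong key the server would only decrypt the User-Password to garbage and reject, never detect the wrong key). The User-Password hiding and the Response Authenticator follow RFC 2865.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 18, 80
HP_RADIUS_AUTH_PORT = 1645  # port the guide says an HP device listens on as RADIUS server

# Constructed sample data (assumptions for this example): one managed client range,
# one shared key per client IP, and two user accounts with authority and lifetime state.
MANAGED_RANGE = ipaddress.ip_network("10.1.1.0/24")
CLIENT_KEYS = {"10.1.1.5": b"nas-shared-key"}
USERS = {"alice": {"password": "Str0ngPass!", "authority": "level-3", "expired": False},
         "bob": {"password": "OldPass", "authority": "level-1", "expired": True}}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = RequestAuth."""
    p = password.encode()
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        prev = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decrypt_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")

def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    """Return [(type, value, offset)]; raise on a length field that would overrun the packet."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]], i))
        i += data[i + 1]
    return out

def build_access_request(ident, username, password, secret):
    """Client (NAS) side: Access-Request with hidden password and a Message-Authenticator (RFC 2869 5.14)."""
    req_auth = secrets.token_bytes(16)
    body = pack_attrs([(USER_NAME, username.encode()),
                       (USER_PASSWORD, encrypt_password(password, secret, req_auth)),
                       (MESSAGE_AUTHENTICATOR, b"\0" * 16)])  # placeholder, last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # HMAC-MD5 over packet with zeroed placeholder
    return pkt[:-16] + mac, req_auth

def check_message_authenticator(pkt, attrs, secret):
    for t, v, off in attrs:
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            i = 20 + off + 2  # start of the attribute value inside the packet
            expected = hmac.new(secret, pkt[:i] + b"\0" * 16 + pkt[i + 16:], hashlib.md5).digest()
            return hmac.compare_digest(v, expected)
    return False  # no Message-Authenticator: the key cannot be verified, so discard

def build_response(code, ident, req_auth, secret, attrs):
    body = pack_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def verify_response(resp, req_auth, secret):
    """Client-side check that the reply was produced by a server holding the shared key."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def handle_access_request(client_ip, pkt):
    """Server side, in the order the guide describes. Returns (response_or_None, reason);
    None means the packet is silently discarded (unmanaged client, bad key, malformed)."""
    if ipaddress.ip_address(client_ip) not in MANAGED_RANGE or client_ip not in CLIENT_KEYS:
        return None, "client outside managed range"
    secret = CLIENT_KEYS[client_ip]
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None, "malformed header"
    ident, req_auth = pkt[1], pkt[4:20]
    try:
        attr_list = parse_attrs(pkt[20:])
    except ValueError:
        return None, "malformed attributes"
    if not check_message_authenticator(pkt, attr_list, secret):
        return None, "bad Message-Authenticator (wrong shared key or tampered packet)"
    attrs = {t: v for t, v, _ in attr_list}

    def reject(why):
        return build_response(ACCESS_REJECT, ident, req_auth, secret, [(REPLY_MESSAGE, why.encode())]), why

    user = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    if user is None:
        return reject("no such account")
    given = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if not hmac.compare_digest(given, user["password"].encode()):
        return reject("wrong password")
    if user["expired"]:
        return reject("account expired")
    # A real server would carry the authority in dedicated attributes; Reply-Message keeps the example short.
    return build_response(ACCESS_ACCEPT, ident, req_auth, secret,
                          [(REPLY_MESSAGE, f"authority={user['authority']}".encode())]), "accept"

if __name__ == "__main__":
    request, ra = build_access_request(7, "alice", "Str0ngPass!", CLIENT_KEYS["10.1.1.5"])
    response, reason = handle_access_request("10.1.1.5", request)
    print(reason, response[0], verify_response(response, ra, CLIENT_KEYS["10.1.1.5"]))
```

A real deployment would bind the server loop to UDP port 1645 on an HP device (or 1812 for a standard server) and feed each datagram with its source address into handle_access_request; the ordering matters because a request from an address outside the managed range must be dropped before any key material is touched.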
NOTE:
A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication
requests, but an HP device listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to
specify 1645 as the authentication port number on the RADIUS client when you use an HP device as the
RADIUS server.
AAA for MPLS L3VPNs
In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy
AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. With
this feature, the PE at the left side of the MPLS backbone serves as a NAS and transparently delivers the
AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized
authentication, as shown in Figure 9. Authentication packets of private users in different VPNs do not
affect each other.