HP MSR3024 TAA-compliant AC Router : HP MSR2000/3000/4000 Router Series Security Configuration Guide : Page 3

i

Contents

Configuring AAA ························································································································································· 1

Overview ············································································································································································ 1

RADIUS ······································································································································································ 2

HWTACACS ····························································································································································· 7

AAA implementation on the device ························································································································ 9

AAA for MPLS L3VPNs ········································································································································· 11

Protocols and standards ······································································································································· 11

RADIUS attributes ·················································································································································· 12

FIPS compliance ····························································································································································· 15

AAA configuration considerations and task list ·········································································································· 15

Configuring AAA schemes ············································································································································ 16

Configuring local users ········································································································································· 16

Configuring RADIUS schemes ······························································································································ 21

Configuring HWTACACS schemes ····················································································································· 29

Configuring AAA methods for ISP domains ················································································································ 35

Configuration prerequisites ·································································································································· 35

Creating an ISP domain ······································································································································· 35

Configuring ISP domain attributes ······················································································································· 35

Configuring authentication methods for an ISP domain ··················································································· 36

Configuring authorization methods for an ISP domain ····················································································· 37

Configuring accounting methods for an ISP domain ························································································· 38

Enabling the session-control feature ····························································································································· 40

Setting the maximum number of concurrent login users ···························································································· 40

Displaying and maintaining AAA ································································································································ 40

Authentication and authorization for SSH users by a RADIUS server ······································································ 41

Network requirements ··········································································································································· 41

Configuration procedure ······································································································································ 41

Verifying the configuration ··································································································································· 44

Local authentication and authorization for SSH users ······························································································· 44

Network requirements ··········································································································································· 44

Configuration procedure ······································································································································ 44

Verifying the configuration ··································································································································· 45

AAA for SSH users by an HWTACACS server ··········································································································· 45

Network requirements ··········································································································································· 45

Configuration procedure ······································································································································ 46

Verifying the configuration ··································································································································· 47

Troubleshooting RADIUS ··············································································································································· 47

RADIUS authentication failure ······························································································································ 47

RADIUS packet delivery failure ···························································································································· 48

RADIUS accounting error ····································································································································· 48

Troubleshooting HWTACACS ······································································································································ 49

802.1X overview ······················································································································································· 50

802.1X architecture ······················································································································································· 50

Controlled/uncontrolled port and port authorization status ······················································································ 50

802.1X-related protocols ·············································································································································· 51

Packet formats ························································································································································ 52

EAP over RADIUS ·················································································································································· 53

Initiating 802.1X authentication ··································································································································· 53