4000 Router Series Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

• Maximum number of online users—The device controls the number of online users in a domain to

ensure the system performance and service reliability.

• Authorization attributes—The device assigns the authorization attributes in the ISP domain to the

authenticated users who do not receive authorization attributes from the server.

An ISP domain attribute applies to all users in the domain.

To configure ISP domain attributes:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter ISP domain view.

domain isp-name N/A

3. Place the ISP domain to the

active or blocked state.

state { active | block }

By default, an ISP domain is in

active state, and users in the

domain can request network

services.

4. Specify the maximum number

of online users in the ISP

domain.

access-limit enable

max-user-number

By default, there is no limit to the

maximum number of online users.

5. Configure authorization

attributes for authenticated

users in the ISP domain.

authorization-attribute { idle-cut

minute [ flow ] | ip-pool

pool-name }

By default, the authorization

attributes are not configured and

the idle cut function is disabled.

Configuring authentication methods for an ISP domain

Configuration prerequisites

Before configuring authentication methods, complete the following tasks:

1. For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be

referenced first. The local and none authentication methods do not require a scheme.

2. Determine the access type or service type to be configured. With AAA, you can configure an

authentication method for each access type and service type.

3. Determine whether to configure the default authentication method for all access types or service

types. The default authentication method applies to all access users, but it has a lower priority than

the authentication method that is specified for an access type or service type.

Configuration guidelines

When configuring authentication methods, follow these guidelines:

• If you configure an authentication method that references a RADIUS scheme and an authorization

method that does not reference a RADIUS scheme, AAA accepts only the authentication result from

the RADIUS server. The Access-Accept message from the RADIUS server also includes the

authorization information, but the device ignores the information.

• To specify a scheme for user role authentication, make sure the user role is in the format of level-n.

If an HWTACACS scheme is specified, the device uses the entered username for role authentication.

If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for

role authentication, where n is the same as that in the target user role level-n.

Configuration procedure

To configure authentication methods for an ISP domain: