R0106-HP MSR Router Series Security Configuration Guide(V7)
Contents
Configuring AAA ... 1
  Overview ... 1
    RADIUS ... 2
    HWTACACS ... 7
    LDAP ... 9
    AAA implementation on the device ... 11
    AAA for MPLS L3VPNs ... 13
    Protocols and standards ... 14
    RADIUS attributes ... 14
  FIPS compliance ... 17
  AAA configuration considerations and task list ... 17
  Configuring AAA schemes ... 18
    Configuring local users ... 18
    Configuring RADIUS schemes ... 23
    Configuring HWTACACS schemes ... 33
    Configuring LDAP schemes ... 40
  Configuring AAA methods for ISP domains ... 43
    Configuration prerequisites ... 44
    Creating an ISP domain ... 44
    Configuring ISP domain attributes ... 45
    Configuring authentication methods for an ISP domain ... 46
    Configuring authorization methods for an ISP domain ... 47
    Configuring accounting methods for an ISP domain ... 48
  Enabling the session-control feature ... 50
  Configuring the RADIUS DAE server function ... 50
  Changing the DSCP priority for RADIUS packets ... 51
  Setting the maximum number of concurrent login users ... 51
  Displaying and maintaining AAA ... 51
  AAA configuration examples ... 52
    Authentication and authorization for SSH users by a RADIUS server ... 52
      Configuration procedure ... 52
    Local authentication and authorization for SSH users ... 55
    AAA for SSH users by an HWTACACS server ... 56
      Configuration procedure ... 57
    Authentication for SSH users by an LDAP server ... 58
      Configuration procedure ... 59
    AAA for PPP users by an HWTACACS server ... 63
      Configuration procedure ... 63
  Troubleshooting RADIUS ... 64
    RADIUS authentication failure ... 64
    RADIUS packet delivery failure ... 65
    RADIUS accounting error ... 66
  Troubleshooting HWTACACS ... 66
  Troubleshooting LDAP ... 66
802.1X overview ... 68
  802.1X architecture ... 68
  Controlled/uncontrolled port and port authorization status ... 68
  802.1X-related protocols ... 69