R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuration prerequisites
To use local authentication for users in an ISP domain, configure local user accounts on the device first.
See "Configuring local user attributes."
To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS,
or LDAP schemes. For more information about the scheme configuration, see "Configuring RADIUS
schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes."
Creating an ISP domain
In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. These users
can have different user attributes, such as different username and password structures, different service
types, and different rights. To manage users of different ISPs, configure ISP domains, and configure AAA
methods and domain attributes for each ISP domain as needed.
The device supports up to 16 ISP domains, including the system-defined ISP domain system. You can
specify one of the ISP domains as the default domain.
On the device, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the
device considers the user to belong to the default ISP domain.
The device chooses an authentication domain for each user in the following order:
1. The authentication domain specified for the access module.
2. The ISP domain in the username.
3. The default ISP domain of the device.
4. The ISP domain configured for users that include unknown domain names.
If none of the previous domains is available, user authentication fails.
NOTE:
Support for the authentication domain configuration depends on the access module. You can specify an
authentication domain for 802.1X, portal, or MAC authentication.
When you configure an ISP domain, follow these restrictions and guidelines:
• An ISP domain cannot be deleted when it is used as the default ISP domain. Before you use the
  undo domain command, change the domain to a non-default ISP domain by using the undo
  domain default enable command.
• You can modify the settings of the system-defined ISP domain system, but you cannot delete the
  domain.
• An ISP domain cannot be deleted when it is used for users that include unknown domain names.
  Before you use the undo domain command, restore the default setting of the ISP domain by using
  the undo domain if-unknown command.
To create an ISP domain:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create an ISP domain and enter ISP domain view. | domain isp-name | By default, the device has a system-defined ISP domain system.
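
The deletion restrictions and the 16-domain limit above can be checked against a saved configuration before a change window. The following Python is an added example, not code from HP or from this guide. It assumes the configuration text contains lines of the form domain isp-name, domain default enable isp-name, and domain if-unknown isp-name; the sample configuration and the function names are constructed for illustration.

```python
import re

MAX_DOMAINS = 16          # limit stated in the guide; includes "system"
SYSTEM_DOMAIN = "system"  # system-defined domain: modifiable, never deletable

# Constructed sample; the line syntax is an assumption (see lead-in).
SAMPLE_CONFIG = """\
domain system
domain isp-a
domain isp-b
 domain default enable isp-a
 domain if-unknown isp-b
"""

def parse_domains(config_text):
    """Return (set of domain names, default domain, if-unknown domain)."""
    domains, default, if_unknown = {SYSTEM_DOMAIN}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"domain default enable (\S+)", line):
            default = m.group(1)
        elif m := re.fullmatch(r"domain if-unknown (\S+)", line):
            if_unknown = m.group(1)
        elif m := re.fullmatch(r"domain (\S+)", line):
            domains.add(m.group(1))
    return domains, default, if_unknown

def deletion_plan(config_text, name):
    """Commands to run, in order, to delete ISP domain `name`."""
    domains, default, if_unknown = parse_domains(config_text)
    if name == SYSTEM_DOMAIN:
        raise ValueError("the system-defined domain cannot be deleted")
    if name not in domains:
        raise ValueError(f"domain {name!r} is not configured")
    plan = []
    if name == default:        # default domain: release the default role first
        plan.append("undo domain default enable")
    if name == if_unknown:     # if-unknown domain: restore that setting first
        plan.append("undo domain if-unknown")
    plan.append(f"undo domain {name}")
    return plan

def can_create_domain(config_text):
    """True while the device is below the 16-domain limit."""
    return len(parse_domains(config_text)[0]) < MAX_DOMAINS

if __name__ == "__main__":
    for d in ("isp-a", "isp-b"):
        print(d, "->", deletion_plan(SAMPLE_CONFIG, d))
```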