R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

Ste

Command

Remarks

5. Configure authorization

attributes for authenticated

users in the ISP domain.

authorization-attribute { idle-cut

minute [ flow ] | ip-pool

pool-name }

By default, the authorization

attributes are not configured and

the idle cut function is disabled.

6. Configure the device to include

the idle cut period or user

online detection period in the

user online duration to be sent

to the server.

session-time include-idle-time

By default, the user online duration

sent to the server does not include

the idle cut period or user online

detection period.

Configuring authentication methods for an ISP domain

Configuration prerequisites

Before configuring authentication methods, complete the following tasks:

1. Determine the access type or service type to be configured. With AAA, you can configure an

authentication method for each access type and service type.

2. Determine whether to configure the default authentication method for all access types or service

types. The default authentication method applies to all access users. However, the method has a

lower priority than the authentication method that is specified for an access type or service type.

Configuration guidelines

When configuring authentication methods, follow these guidelines:

• If the authentication method references a RADIUS scheme and the authorization method does not

reference a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server.

The Access-Accept message from the RADIUS server also includes the authorization information,

but the device ignores the information.

• To specify a scheme for user role authentication, make sure the user role is in the format of level-n.

If an HWTACACS scheme is specified, the device uses the entered username for role authentication.

If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for

role authentication. The variable n has the same value as the variable n in the target user role

level-n.

Configuration procedure

To configure authentication methods for an ISP domain:

Step Command Remarks

1. Enter system view.

system-view N/A

2. Enter ISP domain view.

domain isp-name N/A

3. Specify the default

authentication method for

all types of users.

authentication default { hwtacacs-scheme

hwtacacs-scheme-name [ radius-scheme

radius-scheme-name ] [ local ] [ none ] |

ldap-scheme ldap-scheme-name [ local ]

[ none ] | local [ none ] | none | radius-scheme

radius-scheme-name [ hwtacacs-scheme

hwtacacs-scheme-name ] [ local ] [ none ] }

By default, the default

authentication method is

local.

The none keyword is not

supported in FIPS mode.