HP VPN Firewall Appliances Access Control Configuration Guide
• SSL VPN users—Users who access through SSL VPN.
The following matrixes show the user types and hardware compatibility:
Hardware                        DVPN user compatible
F1000-A-EI/F1000-S-EI           No
F1000-E                         Yes
F5000                           Yes
F5000-S/F5000-C                 Yes
VPN firewall modules            Yes
20-Gbps VPN firewall modules    No

Hardware                        SSL VPN user compatible
F1000-A-EI/F1000-S-EI           Yes
F1000-E                         Yes
F5000                           No
F5000-S/F5000-C                 Yes
VPN firewall modules            No
20-Gbps VPN firewall modules    No
In addition, AAA provides the following services for login users to enhance device security:
• Command authorization—Enables the NAS to defer to the authorization server to determine
whether a command entered by a login user is permitted, and allows login users to execute only
authorized commands. For more information about command authorization, see Getting Started
Guide.
• Command accounting—Allows the accounting server to record all commands executed on the
device or all authorized commands successfully executed. For more information about command
accounting, see Getting Started Guide.
• Level switching authentication—Allows the authentication server to authenticate users who perform
privilege level switching. Users who pass level switching authentication can switch their user
privilege levels without logging out or disconnecting their current connections. For more
information about user privilege level switching, see Getting Started Guide.
You can configure different AAA methods for different types of users in a domain. For more information,
see "Configuring AAA methods for ISP domains."
AAA for VPNs
When clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable
forwarding of RADIUS and HWTACACS packets across VPNs. With this feature, the MCE at the left side
of the backbone serves as a NAS and transparently delivers the AAA packets of private users in VPN 1
and VPN 2 to the AAA servers in VPN 3 for centralized authentication, as shown in Figure 135.
Authentication packets of private users in different VPNs do not affect each other.