TMS zl Management and Configuration Guide ST.1.0.090213

4-51
Firewall
User Authentication
Figure 4-32. PAP Handshake
The PAP handshake process is as follows:
1. The client sends a request to the NAS. The NAS translates the packet and forwards it to the RADIUS server. This packet includes only a username and password.
2. The RADIUS server determines if the credentials are valid.
   If the credentials are invalid, the RADIUS server sends an Access-Reject packet. The NAS denies network access to the user.
   If the credentials are valid, the RADIUS server sends an Access-Accept packet. The NAS permits the user to access the network.
PAP is a weaker protocol than CHAP and should only be used if the RADIUS server does not support CHAP. Some vulnerabilities with PAP are that:
• the plaintext passwords are sent over the line.
• there is no protection against playback or repeated credential-guessing attempts.
• the client has complete control over the frequency and timing of authentication attempts.
Authorization
When the RADIUS server prepares the Access-Accept packet that allows a user to access the network, it checks its rules for the user. It includes these rules in a series of attribute-value pairs (AVPs) within the Access-Accept packet. AVPs tell the module to restrict the user's access and often include access control lists (ACLs) and rate limits.
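The two-step handshake above and the AVP-carrying Access-Accept can be seen end to end in a small RADIUS encoder/decoder. The following is an added example written for this page, not code from the guide or from the TMS zl module: it builds the Access-Request the NAS would send (User-Name plus User-Password, RFC 2865), has a toy server validate the credentials and answer with either an Access-Reject or an Access-Accept carrying a Filter-Id (an ACL reference) and Session-Timeout, and has the NAS side verify the Response Authenticator before trusting the reply. The shared secret, user database and ACL name are constructed sample values. It also shows the caveat behind the "plaintext passwords" bullet: the NAS-to-server hop only hides the password with an MD5 stream keyed by the shared secret, so the PAP password remains recoverable by anyone holding that secret.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE, SESSION_TIMEOUT = 1, 2, 11, 18, 27


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def obfuscate_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the PAP password with NULs to a multiple of 16 and XOR
    each block with MD5(secret + previous ciphertext block); the first block
    uses the Request Authenticator. Reversible by anyone with the shared secret."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the obfuscation and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attributes(avps) -> bytes:
    """Serialize (type, value) pairs as Type(1) Length(1) Value AVPs."""
    out = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attributes(data: bytes):
    avps = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        avps.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return avps


def build_packet(code: int, identifier: int, authenticator: bytes, avps) -> bytes:
    body = encode_attributes(avps)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, avps); reject length mismatches."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, identifier, packet[4:20], decode_attributes(packet[20:])


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Step 1: the NAS forwards the PAP credentials as User-Name + User-Password."""
    request_auth = request_auth or os.urandom(16)
    hidden = obfuscate_user_password(password, secret, request_auth)
    return build_packet(ACCESS_REQUEST, identifier, request_auth,
                        [(USER_NAME, username), (USER_PASSWORD, hidden)])


def response_authenticator(code, identifier, request_auth, avps, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(avps)
    head = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def server_handle(request, secret, user_db, authz):
    """Step 2: validate credentials; an Accept carries the user's authorization AVPs."""
    code, identifier, request_auth, avps = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(avps)
    username = attrs.get(USER_NAME)
    password = reveal_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if username in user_db and hmac.compare_digest(user_db[username], password):
        reply_code, reply_avps = ACCESS_ACCEPT, authz.get(username, [])
    else:
        reply_code, reply_avps = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
    auth = response_authenticator(reply_code, identifier, request_auth, reply_avps, secret)
    return build_packet(reply_code, identifier, auth, reply_avps)


def verify_response(response, request_auth, secret) -> bool:
    """NAS side: trust the reply only if its Response Authenticator checks out."""
    code, identifier, auth, avps = parse_packet(response)
    expected = response_authenticator(code, identifier, request_auth, avps, secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"                   # constructed sample value
    USERS = {b"alice": b"s3cret-pw"}                        # constructed sample user
    AUTHZ = {b"alice": [(FILTER_ID, b"guest-acl"),          # constructed ACL name
                        (SESSION_TIMEOUT, struct.pack("!I", 3600))]}
    ra = os.urandom(16)
    resp = server_handle(build_access_request(7, b"alice", b"s3cret-pw", SECRET, ra),
                         SECRET, USERS, AUTHZ)
    code, _, _, avps = parse_packet(resp)
    print("reply code:", code, "AVPs:", avps, "authentic:", verify_response(resp, ra, SECRET))
```

The Filter-Id and Session-Timeout values stand in for the ACL and rate-limit AVPs the guide mentions; a real deployment would use whatever attributes the module is configured to honour. Note that the Response Authenticator is what lets the NAS reject an Access-Accept that was not produced by a server holding the shared secret.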