TMS zl Management and Configuration Guide ST.1.1.100430
4-48
Firewall
User Authentication
rization. Rather, you must either integrate the RADIUS server with the existing
system or transfer all authentication information to the RADIUS server,
essentially replacing the legacy authentication server.
Additionally, using a RADIUS server for authentication enables you to create
multiple manager and operator accounts for the TMS zl Module with customized
names. With separate accounts for each user, you can easily track when a
particular user logs in. When you create the policy on the RADIUS server that
authenticates manager users, you must set the Service-Type RADIUS attribute to
Administrative. When you create the policy for operator users, you must set the
Service-Type attribute to NAS Prompt.
Note: The TMS zl Module does not currently support RADIUS accounting for
authenticated users.
Authentication
The TMS zl Module acts as a network access server (NAS) for your network’s
RADIUS server(s). The module translates users’ network access requests into
RADIUS format, according to the authentication protocol that you choose,
and forwards the NAS Access-Request packet to the RADIUS server. At this
point, the RADIUS server validates the NAS, then determines whether the
user’s credentials are valid and tells the module whether to accept or reject
the request.
A RADIUS server often has several policies used to authenticate users. A
request is selected for a particular policy according to the attribute value pairs
(AVPs) within the request. Table 4-7 shows the AVPs included within RADIUS
Access Requests from firewall users. One common way to set up a policy is
to have it select requests from users in a particular group.
Note: If your users can also be L2TP Virtual Private Network (VPN) users, you must
distinguish the RADIUS policy for granting local access from the RADIUS
policy for granting L2TP access. One way to do so is to add Service-Type =
NAS-Prompt-User to the selection criteria for the local access policy. (See
“Configure an L2TP over IPsec VPN” in Chapter 7: “Virtual Private Networks”
for more information on L2TP.)
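To make the NAS/server exchange and the Service-Type based policy selection concrete, here is an added Python example; it is not code from this guide or from the TMS zl Module. It builds an Access-Request the way a NAS would (User-Name, User-Password hidden under the shared secret per RFC 2865, and Service-Type), then shows a server-side selector that rejects a request hidden under the wrong secret, routes Administrative to the manager policy and NAS-Prompt to the operator policy, and rejects any other Service-Type (the L2TP distinction from the note). The attribute numbers are the standard RADIUS values; the user database, shared secret and policy names are constructed for the example.

```python
import hashlib, os, struct

# RFC 2865 attribute types and Service-Type values (standard RADIUS codes)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
ADMINISTRATIVE, NAS_PROMPT = 6, 7  # manager vs. operator accounts per this guide

def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, chaining_on_output: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding/unhiding: each 16-byte block is XORed
    with MD5(secret + previous block); 'previous' is the authenticator for the
    first block and the previous *ciphertext* block afterwards."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, block))
        out += result
        prev = result if chaining_on_output else chunk
    return out

def build_access_request(ident: int, username: str, password: str, service_type: int, secret: bytes) -> bytes:
    """NAS side: the module wraps the user's login in an Access-Request."""
    auth = os.urandom(16)  # Request Authenticator
    padded = password.encode() + b"\0" * (-len(password) % 16)
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, _keystream_xor(padded, secret, auth, True)),
        (SERVICE_TYPE, struct.pack("!I", service_type)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_avps(packet: bytes):
    """Split a RADIUS packet into its authenticator and {type: value} AVPs."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    auth, body, avps = packet[4:20], packet[20:length], {}
    while body:
        t, l = body[0], body[1]
        avps[t], body = body[2:l], body[l:]
    return auth, avps

def select_policy(packet: bytes, secret: bytes, users: dict) -> str:
    """Server side (constructed policy names): a wrong shared secret yields a
    garbled password, so the NAS is rejected; otherwise Service-Type selects."""
    auth, avps = parse_avps(packet)
    plain = _keystream_xor(avps[USER_PASSWORD], secret, auth, False)
    if users.get(avps[USER_NAME].decode()) != plain.rstrip(b"\0").decode(errors="replace"):
        return "Access-Reject"
    service = struct.unpack("!I", avps[SERVICE_TYPE])[0]
    return {ADMINISTRATIVE: "manager-policy", NAS_PROMPT: "operator-policy"}.get(service, "Access-Reject")
```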