TMS zl Management and Configuration Guide ST.1.2.100916

4-52
Firewall
User Authentication
2. The RADIUS server determines if the credentials are valid.
   - If the credentials are invalid, the RADIUS server sends an Access-Reject
     packet. The NAS denies network access to the user.
   - If the credentials are valid, the RADIUS server sends an Access-Accept
     packet. The NAS permits the user to access the network.
PAP is a weaker protocol than CHAP and should only be used if the RADIUS
server does not support CHAP. Some vulnerabilities with PAP are that:
- the plaintext passwords are sent over the line.
- there is no protection against playback or repeated credential-guessing
  attempts.
- the client has complete control over the frequency and timing of
  authentication attempts.
Authorization
When the RADIUS server prepares the Access-Accept packet that allows a
user to access the network, it checks its rules for the user. It includes these
rules in a series of AVPs within the Access-Accept packet. AVPs tell the module
to restrict the user’s access and often include one or more of the following:
- Group assignment
- Access control lists (ACLs)
- Rate limits
Group assignment. The RADIUS server can send the user group to which
the authenticated user belongs, which should match a user group that is
configured on the TMS zl Module. The module will then apply the firewall
access policies configured for that user group to the user. The name of the
user group should be configured as the value for the Filter-ID attribute on the
RADIUS server.
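The following Python example is added here to illustrate the exchange described above (the Access-Accept/Access-Reject decision in step 2 and the Filter-ID group assignment in the Authorization section). It is not code from the guide or from HP; it implements the RADIUS response format of RFC 2865 on the NAS side: it checks the Response Authenticator before trusting any AVP, decodes the attribute list, and looks up the Filter-Id value against the user groups assumed to be configured on the module. The shared secret, request authenticator, group names and the `authorize` function are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11

# Constructed values for the example (not from the guide): a NAS shared
# secret, the Request Authenticator the NAS sent in its Access-Request,
# and the user groups assumed to be configured on the TMS zl Module.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
CONFIGURED_GROUPS = {"Engineering", "Guests"}


def build_response(code, identifier, request_auth, attributes, secret):
    """Build a RADIUS response as the server would, with a valid Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = b"".join(
        struct.pack("!BB", atype, 2 + len(value)) + value for atype, value in attributes
    )
    header = struct.pack("!BBH", code, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def parse_attributes(data):
    """Decode the AVP list (Type, Length, Value triplets) into (type, value) pairs."""
    attrs = []
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[offset:offset + 2])
        if alen < 2 or offset + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[offset + 2:offset + alen]))
        offset += alen
    return attrs


def authorize(packet, request_auth, secret, configured_groups):
    """NAS-side handling of the server's response (hypothetical helper).
    Returns a dict with the access decision and the matched user group."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    received_auth = packet[4:20]
    attr_bytes = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attr_bytes + secret).digest()
    # A response whose authenticator does not verify is discarded: only a
    # response built with the shared secret may grant access or pick a group.
    if not hmac.compare_digest(received_auth, expected):
        return {"access": False, "group": None, "reason": "bad response authenticator"}
    if code == ACCESS_REJECT:
        return {"access": False, "group": None, "reason": "Access-Reject"}
    if code != ACCESS_ACCEPT:
        return {"access": False, "group": None, "reason": "unexpected code %d" % code}
    # Filter-Id carries the user group name configured on the RADIUS server.
    group = None
    for atype, value in parse_attributes(attr_bytes):
        if atype == ATTR_FILTER_ID:
            group = value.decode("utf-8", errors="replace")
    if group not in configured_groups:
        return {"access": True, "group": None, "reason": "Filter-Id matches no configured group"}
    return {"access": True, "group": group, "reason": "ok"}


if __name__ == "__main__":
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR,
                            [(ATTR_FILTER_ID, b"Engineering")], SHARED_SECRET)
    print(authorize(accept, REQUEST_AUTHENTICATOR, SHARED_SECRET, CONFIGURED_GROUPS))
```

The authenticator check comes before any attribute is read: the group that the firewall policies are applied to is chosen entirely by the Filter-Id value, so the NAS has to be sure the Access-Accept really came from the configured server before acting on it. What the module does when Filter-Id names no configured group is not stated in the guide; the example only reports the mismatch.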
Access Control List. An ACL is a list of permissions attached to an object—
in this case, the user. The list specifies exactly which other users (or subnets)
the object is allowed to contact (and vice versa). It also specifies exactly which
resources the user is allowed to access. For example, the ACL for a top-level
executive would allow the user to access essentially every part of the network,
whereas the ACL for a guest would likely allow very limited access (perhaps
only to the demilitarized zone).
An ACL may contain as many or as few entries as you like. You can configure
these manually or use a third-party program such as HP Identity Driven
Manager (IDM). (See “Using HP IDM with RADIUS Servers” on page 4-53.)