HP 5120 EI Switch Configuration Manual

HP A5120 EI Switch Series
Part number: 5998-1800
Software version: Release 2208
Document version: 5W100-20110530
Security Configuration Guide
Abstract
This document describes the software features for the HP A Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
This documentation is intended for network planners, field technical support and servicing engineers, and network administrators working with the HP A Series products.
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
AAA configuration ······ 1
  AAA overview ······ 1
    RADIUS ······ 2
    HWTACACS ······ 7
    Domain-based user management ······ 9
    RADIUS server feature of the device ······ 10
    Protocols and standards ······ 11
    RADIUS attributes ······ 11
  AAA configuration considerations and task list ······ 14
  Configuring AAA schemes ······ 16
    Configuring local users ······ 16
    Configuring RADIUS schemes ······ 20
    Configuring HWTACACS schemes ······ 30
  Configuring AAA methods for ISP domains ······ 36
    Configuration prerequisites ······ 36
    Creating an ISP domain ······ 36
    Configuring ISP domain attributes ······ 36
    Configuring AAA authentication methods for an ISP domain ······ 37
    Configuring AAA authorization methods for an ISP domain ······ 39
    Configuring AAA accounting methods for an ISP domain ······ 40
  Tearing down user connections forcibly ······ 42
  Configuring a network device as a RADIUS server ······ 42
    RADIUS server functions configuration task list ······ 42
    Configuring a RADIUS user ······ 42
    Specifying a RADIUS client ······ 43
  Displaying and maintaining AAA ······ 44
  AAA configuration examples ······ 44
    AAA for Telnet users by an HWTACACS server ······ 44
    AAA for Telnet users by separate servers ······ 45
    Authentication/Authorization for SSH/Telnet users by a RADIUS server ······ 47
    AAA for 802.1X users by a RADIUS server ······ 50
    Level switching authentication for Telnet users by an HWTACACS server ······ 56
    RADIUS authentication and authorization for Telnet users by a network device ······ 59
  Troubleshooting AAA ······ 61
    Troubleshooting RADIUS ······ 61
    Troubleshooting HWTACACS ······ 62
802.1X fundamentals ······ 63
  802.1X architecture ······ 63
  Controlled/uncontrolled port and port authorization status ······ 63
  802.1X-related protocols ······ 64
    Packet format ······ 64
    EAP over RADIUS ······ 66
  Initiating 802.1X authentication ······ 66
    802.1X client as the initiator ······ 66
    Access device as the initiator ······ 66
  802.1X authentication procedures ······ 67
    A comparison of EAP relay and EAP termination ······ 67
    EAP relay ······ 68
    EAP termination ······ 69
802.1X configuration ······ 71
  HP implementation of 802.1X ······ 71
    Access control methods ······ 71
    Using 802.1X authentication with other features ······ 71
  Configuring 802.1X ······ 74
    Configuration prerequisites ······ 74
    802.1X configuration task list ······ 74
    Enabling 802.1X ······ 75
    Specifying EAP relay or EAP termination ······ 75
    Setting the port authorization state ······ 76
    Specifying an access control method ······ 77
    Setting the maximum number of concurrent 802.1X users on a port ······ 77
    Setting the maximum number of authentication request attempts ······ 78
    Setting the 802.1X authentication timeout timers ······ 78
    Configuring the online user handshake function ······ 78
    Configuring the authentication trigger function ······ 79
    Specifying a mandatory authentication domain on a port ······ 80
    Enabling the quiet timer ······ 81
    Enabling the periodic online user re-authentication function ······ 81
    Configuring an 802.1X guest VLAN ······ 82
    Configuring an Auth-Fail VLAN ······ 83
  Displaying and maintaining 802.1X ······ 84
  802.1X configuration examples ······ 84
    802.1X authentication configuration example ······ 84
    802.1X with guest VLAN and VLAN assignment configuration example ······ 86
    802.1X with ACL assignment configuration example ······ 89
EAD fast deployment configuration ······ 91
  EAD fast deployment overview ······ 91
    EAD fast deployment implementation ······ 91
  Configuring EAD fast deployment ······ 91
    Configuration prerequisites ······ 91
    Configuration procedure ······ 91
  Displaying and maintaining EAD fast deployment ······ 92
  EAD fast deployment configuration example ······ 93
  Troubleshooting EAD fast deployment ······ 95
    Web browser users cannot be correctly redirected ······ 95
MAC authentication configuration ······ 96
  MAC authentication overview ······ 96
    User account policies ······ 96
    Authentication approaches ······ 96
    MAC authentication timers ······ 97
  Using MAC authentication with other features ······ 97
    VLAN assignment ······ 97
    ACL assignment ······ 97
    Guest VLAN ······ 97
  MAC authentication configuration task list ······ 98
  Basic configuration for MAC authentication ······ 98
    Configuration prerequisites ······ 98
    Configuration procedure ······ 98
  Specifying an authentication domain for MAC authentication users ······ 99
  Configuring a MAC authentication guest VLAN ······ 100
    Configuration prerequisites ······ 100
    Configuration procedure ······ 100
  Displaying and maintaining MAC authentication ······ 101
  MAC authentication configuration examples ······ 101
    Local MAC authentication configuration example ······ 101
    RADIUS-based MAC authentication configuration example ······ 103
    ACL assignment configuration example ······ 105
Portal configuration ······ 108
  Portal overview ······ 108
    Introduction to portal ······ 108
    Extended portal functions ······ 108
    Portal system components ······ 108
    Portal system using the local portal server ······ 110
    Portal authentication modes ······ 111
    Layer 2 portal authentication process ······ 111
  Portal configuration task list ······ 112
  Configuration prerequisites ······ 113
  Specifying the local portal server for Layer 2 portal authentication ······ 114
  Configuring the local portal server ······ 114
    Customizing authentication pages ······ 114
    Configuring the local portal server ······ 117
  Enabling Layer 2 portal authentication ······ 118
  Controlling access of portal users ······ 119
    Configuring a portal-free rule ······ 119
    Setting the maximum number of online portal users ······ 119
    Specifying an authentication domain for portal users ······ 120
    Adding a web proxy server port number ······ 120
    Enabling support for portal user moving ······ 121
  Specifying the Auth-Fail VLAN for portal authentication ······ 122
  Specifying the auto redirection URL for authenticated portal users ······ 122
  Configuring portal detection functions ······ 123
  Logging off portal users ······ 123
  Displaying and maintaining portal ······ 123
  Portal configuration examples ······ 124
    Configuring Layer 2 portal authentication ······ 124
  Troubleshooting portal ······ 128
    Inconsistent keys on the access device and the portal server ······ 128
    Incorrect server port number on the access device ······ 128
Triple authentication configuration ······ 130
  Triple authentication overview ······ 130
    Triple authentication mechanism ······ 130
    Using triple authentication with other features ······ 131
  Configuring triple authentication ······ 131
  Triple authentication configuration examples ······ 132
    Triple authentication basic function configuration example ······ 132
    Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ······ 135
Port security configuration ······ 140
  Port security overview ······ 140
    Port security features ······ 140
    Port security modes ······ 140
    Support for guest VLAN and Auth-Fail VLAN ······ 143
  Port security configuration task list ······ 143
  Enabling port security ······ 144
    Configuration prerequisites ······ 144
    Configuration procedure ······ 144
  Setting the maximum number of secure MAC addresses ······ 144
Setting the port security mode ···································································································································· 145
Configuration prerequisites ································································································································ 145
Configuration procedure ···································································································································· 145 Configuring port security features ······························································································································ 146
Configuring NTK ················································································································································· 146
Configuring intrusion protection ························································································································ 147
Configuring port security traps ·························································································································· 147 Configuring secure MAC addresses ·························································································································· 148
Configuration prerequisites ································································································································ 148
Configuration procedure ···································································································································· 148 Ignoring authorization information from the server ·································································································· 149 Displaying and maintaining port security·················································································································· 149 Port security configuration examples ························································································································· 150
Configuring the autoLearn mode ······················································································································· 150
Configuring the userLoginWithOUI mode ········································································································ 152
Configuring the macAddressElseUserLoginSecure mode················································································ 156 Troubleshooting port security ······································································································································ 159
Cannot set the port security mode ····················································································································· 159
Cannot configure secure MAC addresses ········································································································ 160
Cannot change port security mode when a user is online ············································································· 160
User profile configuration ·········································································································································· 161
User profile overview ··················································································································································· 161 User profile configuration task list ······························································································································ 161 Creating a user profile ················································································································································ 161
Configuration prerequisites ································································································································ 161
Creating a user profile ········································································································································ 161 Configuring a user profile ··········································································································································· 162 Enabling a user profile ················································································································································ 162 Displaying and maintaining user profile ··················································································································· 163
Password control configuration ································································································································· 164
Password control overview ········································································································································· 164 Password control configuration task list ····················································································································· 166 Configuring password control ···································································································································· 167
Enabling password control ································································································································· 167
Setting global password control parameters ···································································································· 167
Setting user group password control parameters ···························································································· 168
Setting local user password control parameters ······························································································ 169
Setting super password control parameters ····································································································· 170
Setting a local user password in interactive mode ······························· 170
Displaying and maintaining password control ····································· 170
Password control configuration example ·········································· 171
HABP configuration ···················································································································································· 174
HABP overview ··································································· 174
Configuring HABP ································································ 175
Configuring the HABP server ····························································································································· 175
Configuring an HABP client ······················································ 175
Displaying and maintaining HABP ················································· 176
HABP configuration example ······················································ 176
Network requirements ········································································································································· 176
Configuration procedure ···································································································································· 177
Public key configuration ············································································································································· 179
Asymmetric key algorithm overview ·························································································································· 179
Basic concepts ····················································································································································· 179
Key algorithm types ············································································································································ 179
Asymmetric key algorithm applications ··········································· 179
Configuring the local asymmetric key pair ······································· 180
Creating an asymmetric key pair ······················································································································ 180
Displaying or exporting the local RSA or DSA host public key ····································································· 180
Destroying an asymmetric key pair ··············································· 181
Configuring a peer public key ··················································· 181
Displaying and maintaining public keys ·········································· 182
Public key configuration examples ··············································· 182
Configuring a peer public key manually ·········································································································· 182
Importing a peer public key from a public key file·························································································· 184
PKI configuration ························································································································································· 187
PKI overview ································································································································································· 187
PKI terms ······························································································································································· 187
PKI architecture ···················································································································································· 188
PKI applications ··················································································································································· 188
How does PKI work ······························································· 189
PKI configuration task list ····················································· 189
Configuring an entity DN ························································ 190
Configuring a PKI domain ························································ 191
Submitting a PKI certificate request ············································ 192
Submitting a certificate request in auto mode ·································································································· 193
Submitting a certificate request in manual mode ································· 193
Retrieving a certificate manually ··············································· 194
Configuring PKI certificate verification ········································ 195
Destroying a local RSA key pair ················································· 196
Deleting a certificate ·························································· 196
Configuring an access control policy ············································ 197
Displaying and maintaining PKI ·················································· 197
PKI configuration examples ······················································ 198
Requesting a certificate from a CA running RSA Keon ··················································································· 198
Requesting a certificate from a CA running Windows 2003 Server ···························································· 201
Configuring a certificate attribute-based access control policy ················· 204
Troubleshooting PKI ····························································· 206
Failed to retrieve a CA certificate ····················································································································· 206
Failed to request a local certificate ··················································································································· 206
Failed to retrieve CRLs ········································································································································ 207
SSH2.0 configuration ················································································································································· 208
SSH2.0 overview ························································································································································· 208
Introduction to SSH2.0 ······································································································································· 208
How does SSH work ······························································· 208
Configuring the device as an SSH server ········································· 210
SSH server configuration task list ······················································································································ 210
Generating a DSA or RSA key pair ·················································································································· 211
Enabling the SSH server function ······················································································································ 211
Configuring the user interfaces for SSH clients ································································································ 212
Configuring a client public key ·························································································································· 212
Configuring an SSH user ···································································································································· 213
Setting the SSH management parameters ··········································· 214
Configuring the device as an SSH client ········································· 215
SSH client configuration task list ························································································································ 215
Specifying a source IP address/interface for the SSH client ·········································································· 215
Configuring whether first-time authentication is supported ············································································· 216
Establishing a connection between the SSH client and server ······································································· 217
Displaying and maintaining SSH ·················································· 217
SSH server configuration examples ··············································· 218
When switch acts as server for password authentication ··············································································· 218
When switch acts as server for publickey authentication ························· 220
SSH client configuration examples ··············································· 225
When switch acts as client for password authentication ················································································ 225
When switch acts as client for publickey authentication ················································································ 228
SFTP configuration ······················································································································································ 231
SFTP overview ··································································· 231
Configuring the device as an SFTP server ········································ 231
Configuration prerequisites ································································································································ 231
Enabling the SFTP server ···································································································································· 231
Configuring the SFTP connection idle timeout period ····························· 231
Configuring the device as an SFTP client ········································ 232
Specifying a source IP address or interface for the SFTP client······································································ 232
Establishing a connection to the SFTP server ···································································································· 232
Working with SFTP directories ··························································································································· 233
Working with SFTP files ······································································································································ 233
Displaying help information ······························································································································· 234
Terminating the connection to the remote SFTP server ···························· 234
SFTP client configuration example ··············································· 235
SFTP server configuration example ··············································· 238
SSL configuration ························································································································································ 241
SSL overview ································································································································································· 241
SSL security mechanism ······································································································································ 241
SSL protocol stack ······························································ 242
SSL configuration task list ····················································· 242
Configuring an SSL server policy ················································ 242
Configuration prerequisites ································································································································ 242
Configuration procedure ···································································································································· 243
SSL server policy configuration example ········································· 243
Configuring an SSL client policy ················································ 245
Configuration prerequisites ································································································································ 245
Configuration procedure ························································· 245
Displaying and maintaining SSL ·················································· 246
Troubleshooting SSL ····························································· 246
SSL handshake failure ········································································································································· 246
TCP attack protection configuration ·························································································································· 248
TCP attack protection overview ·················································· 248
Enabling the SYN cookie feature ················································· 248
Displaying and maintaining TCP attack protection ································ 248
IP source guard configuration ··································································································································· 249
IP source guard overview ············································································································································ 249
Introduction to IP source guard ·························································································································· 249
IP source guard binding ························································· 249
Configuring IPv4 source guard binding ··········································· 251
Configuring a static IPv4 source guard binding entry ···················································································· 252
Configuring the dynamic IPv4 source guard binding function ······················ 252
Configuring IPv6 source guard binding ··········································· 253
Configuring a static IPv6 source guard binding entry ···················································································· 253
Configuring the dynamic IPv6 source guard binding function ······················ 254
Displaying and maintaining IP source guard ······································ 255
IP source guard configuration examples ·········································· 256
Static IPv4 source guard binding entry configuration example ····································································· 256
Global static binding excluded port configuration example ·········································································· 257
Dynamic IPv4 source guard binding by DHCP snooping configuration example ······································· 259
Dynamic IPv4 source guard binding by DHCP relay configuration example ·············································· 260
Static IPv6 source guard binding entry configuration example ····································································· 261
Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example ··································· 262
Dynamic IPv6 source guard binding by ND snooping configuration example ·········· 263
Troubleshooting IP source guard ················································· 264
Neither static binding entries nor the dynamic binding function can be configured ·································· 264
ARP attack protection configuration ························································································································· 265
ARP attack protection overview ·················································· 265
ARP attack protection configuration task list ··································· 265
Configuring ARP defense against IP packet attacks ······························· 266
Introduction ·························································································································································· 266
Configuring ARP source suppression ················································································································ 266
Enabling ARP black hole routing ······················································································································· 267
Displaying and maintaining ARP defense against IP packet attacks ················ 267
Configuring ARP packet rate limit ··············································· 267
Introduction ·························································································································································· 267
Configuring ARP packet rate limit ··············································· 267
Configuring source MAC address based ARP attack detection ······················· 268
Introduction ·························································································································································· 268
Configuration procedure ···································································································································· 268
Displaying and maintaining source MAC address based ARP attack detection ········ 269
Configuring ARP packet source MAC address consistency check ····················· 269
Introduction ·························································································································································· 269
Configuration procedure ························································· 269
Configuring ARP active acknowledgement ·········································· 270
Introduction ·························································································································································· 270
Configuration procedure ························································· 270
Configuring ARP detection ······················································· 270
Introduction ·························································································································································· 270
Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses ··· 271
Configuring ARP detection based on specified objects ·················································································· 272
Configuring ARP restricted forwarding ············································································································· 273
Displaying and maintaining ARP detection ······································································································ 273
ARP detection configuration example I ············································································································· 273
ARP detection configuration example II ············································································································ 275
ARP restricted forwarding configuration example ································· 276
Configuring ARP automatic scanning and fixed ARP ································ 278
Introduction ·························································································································································· 278
Configuration procedure ························································· 278
Configuring ARP gateway protection ·············································· 279
Introduction ·························································································································································· 279
Configuration procedure ···································································································································· 279
ARP gateway protection configuration example ···································· 280
Configuring ARP filtering ······················································· 280
Introduction ·························································································································································· 280
Configuration procedure ···································································································································· 281
ARP filtering configuration example ·················································································································· 281
ND attack defense configuration ······························································································································ 283
Introduction to ND attack defense ··············································· 283
Enabling source MAC consistency check for ND packets ···························· 284
Configuring the ND detection function ······················································································································ 284
Introduction to ND detection ······························································································································ 284
Configuring ND detection ·································································································································· 285
Displaying and maintaining ND detection ········································· 285
ND detection configuration example ·············································· 286
Support and other resources ····································································································································· 288
Contacting HP ······························································································································································ 288
Subscription service ···························································· 288
Related information ····························································· 288
Documents ···························································································································································· 288
Websites ······································································· 288
Conventions ····································································· 289
Index ············································································································································································· 291

AAA configuration

[Figure 1, network diagram for AAA: a remote user connects through the Internet to the NAS, which reaches a RADIUS server and an HWTACACS server on the internal network.]

AAA overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
Authentication: Identifies users and determines whether a user is valid.
Authorization: Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Accounting: Records all user network service usage information, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers, as shown in Figure 1.
Figure 1 Network diagram for AAA
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS authenticates the user. The NAS can transparently pass the user's authentication, authorization, and accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and a remote server exchange user information.
In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose different servers for different security functions. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting.
You can choose the three security functions provided by AAA as required. For example, if your company only wants employees to be authenticated before they access specific resources, you only need to configure an authentication server. If network usage information is needed, you must also configure an accounting server.
AAA can be implemented through multiple protocols. The device supports using RADIUS and HWTACACS for AAA. RADIUS is often used in practice.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL. RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access. It listens to connection requests, authenticates users, and returns user access control information (for example, rejecting or accepting the user access request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary
Figure 2 RADIUS server components
• Users: Stores user information, such as usernames, passwords, applied protocols, and IP addresses.
• Clients: Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary: Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network. This enhances information exchange security. In addition, to prevent user passwords from being intercepted in non-secure networks, RADIUS encrypts passwords before transmitting them. This password protection is an MD5-based obfuscation keyed with the shared key (RFC 2865) rather than strong encryption, and the other attributes travel in cleartext, so the shared key must be long, random, and different for each client, and RADIUS traffic should be confined to a trusted management network.
A RADIUS server supports multiple user authentication methods, such as the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services.
RADIUS basic message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 3 RADIUS basic message exchange process (between the host, the RADIUS client, and the RADIUS server)
RADIUS operates in the following manner:
1. The host initiates a connection request carrying the username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, it sends back an Access-Accept message containing the user's authorization information. If the authentication fails, it returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting for the user.
9. The user stops access to network resources.
RADIUS packet format
RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
Figure 4 RADIUS packet format (Code, 1 byte; Identifier, 1 byte; Length, 2 bytes; Authenticator, 16 bytes; Attributes, variable length)
Descriptions of the fields are as follows:
1. The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
Code | Packet type | Description
1 | Access-Request | From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2 | Access-Accept | From the server to the client. If all the attribute values carried in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.
3 | Access-Reject | From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the authentication fails and the server sends an Access-Reject response.
4 | Accounting-Request | From the client to the server. A packet of this type carries user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has correctly recorded the accounting information.
2. The Identifier field (1 byte long) is used to match request and response packets and to detect retransmitted request packets. Request and response packets of the same type have the same identifier.
3. The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered padding and are neglected upon reception. If the length of a received packet is less than this length, the packet is dropped. The value of this field is in the range 20 to 4096.
4. The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
5. The Attribute field, with a variable length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value.
• Type (1 byte long): Indicates the type of the attribute. It is in the range 1 to 255. See Table 2 for commonly used attributes for RADIUS authentication, authorization and accounting, which are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information about commonly used standard RADIUS attributes, see Commonly used standard RADIUS attributes.
• Length (1 byte long): Indicates the length of the attribute in bytes, including the Type, Length, and Value fields.
• Value (up to 253 bytes): Value of the attribute. Its format and content depend on the Type and Length fields.
Table 2 RADIUS attributes
No. | Attribute | No. | Attribute
1 | User-Name | 45 | Acct-Authentic
2 | User-Password | 46 | Acct-Session-Time
3 | CHAP-Password | 47 | Acct-Input-Packets
4 | NAS-IP-Address | 48 | Acct-Output-Packets
5 | NAS-Port | 49 | Acct-Terminate-Cause
6 | Service-Type | 50 | Acct-Multi-Session-Id
7 | Framed-Protocol | 51 | Acct-Link-Count
8 | Framed-IP-Address | 52 | Acct-Input-Gigawords
9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords
10 | Framed-Routing | 54 | (unassigned)
11 | Filter-ID | 55 | Event-Timestamp
12 | Framed-MTU | 56-59 | (unassigned)
13 | Framed-Compression | 60 | CHAP-Challenge
14 | Login-IP-Host | 61 | NAS-Port-Type
15 | Login-Service | 62 | Port-Limit
16 | Login-TCP-Port | 63 | Login-LAT-Port
17 | (unassigned) | 64 | Tunnel-Type
18 | Reply-Message | 65 | Tunnel-Medium-Type
19 | Callback-Number | 66 | Tunnel-Client-Endpoint
20 | Callback-ID | 67 | Tunnel-Server-Endpoint
21 | (unassigned) | 68 | Acct-Tunnel-Connection
22 | Framed-Route | 69 | Tunnel-Password
23 | Framed-IPX-Network | 70 | ARAP-Password
24 | State | 71 | ARAP-Features
25 | Class | 72 | ARAP-Zone-Access
26 | Vendor-Specific | 73 | ARAP-Security
27 | Session-Timeout | 74 | ARAP-Security-Data
28 | Idle-Timeout | 75 | Password-Retry
29 | Termination-Action | 76 | Prompt
30 | Called-Station-Id | 77 | Connect-Info
31 | Calling-Station-Id | 78 | Configuration-Token
32 | NAS-Identifier | 79 | EAP-Message
33 | Proxy-State | 80 | Message-Authenticator
34 | Login-LAT-Service | 81 | Tunnel-Private-Group-id
35 | Login-LAT-Node | 82 | Tunnel-Assignment-id
36 | Login-LAT-Group | 83 | Tunnel-Preference
37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response
38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval
39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost
40 | Acct-Status-Type | 87 | NAS-Port-Id
41 | Acct-Delay-Time | 88 | Framed-Pool
42 | Acct-Input-Octets | 89 | (unassigned)
43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id
44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific) defined by RFC 2865 allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide.
A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets for extension in applications. As shown in Figure 5, a sub-attribute that can be encapsulated in Attribute 26 consists of the following parts:
• Vendor-ID (4 bytes long): Indicates the ID of the vendor. Its most significant byte is 0; the other three bytes contain a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see HP proprietary RADIUS sub-attributes.
• Vendor-Type: Indicates the type of the sub-attribute.
• Vendor-Length: Indicates the length of the sub-attribute.
• Vendor-Data: Indicates the contents of the sub-attribute.
Figure 5 Segment of a RADIUS packet containing an extended attribute (Type, 1 byte; Length, 1 byte; Vendor-ID, 4 bytes; then Vendor-Type, Vendor-Length, and Vendor-Data for each sub-attribute)
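The exchange in Figure 3, the packet format in Figure 4 and the Vendor-Specific layout in Figure 5 can be exercised end to end in Python. The following is an added example written for this page, not code from HP or from the switch software: the shared key, the username and password, the NAS address and the Vendor-ID 9999 are constructed (a deployment uses the vendor's registered enterprise number), and sub-attribute 29 is the Exec_Privilege sub-attribute listed later under HP proprietary RADIUS sub-attributes. The client hides the User-Password as RFC 2865 section 5.2 specifies, the server recovers it and answers with an Access-Accept that carries a Vendor-Specific attribute, and the client verifies the Response Authenticator and rejects a reply whose body has been altered.

```python
"""RFC 2865 RADIUS on the wire: 20-byte header, TLV attributes, User-Password hiding,
Response Authenticator check and Vendor-Specific (26) sub-TLVs. Illustrative example."""
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
HEADER = struct.Struct("!BBH16s")   # Code (1) | Identifier (1) | Length (2) | Authenticator (16)


def password_transform(data: bytes, secret: bytes, request_auth: bytes, reveal: bool = False) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block),
    the first with the Request Authenticator. Keyed obfuscation, not strong encryption."""
    data = data if reveal else data + b"\x00" * (-len(data) % 16)   # pad to a 16-byte multiple
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if reveal else block      # chain on the ciphertext in both directions
        out += block
    return out.rstrip(b"\x00") if reveal else out


def encode_attrs(attrs: list) -> bytes:
    out = b""
    for typ, value in attrs:
        if not 0 < len(value) <= 253:                   # Length covers Type+Length+Value, max 255
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute")     # RFC 2865: discard such a packet
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs


def encode_vsa(vendor_id: int, subattrs: list) -> bytes:
    """Attribute 26 value: 4-byte Vendor-ID (high byte 0) then Vendor-Type/Length/Data triplets."""
    return struct.pack("!I", vendor_id) + encode_attrs(subattrs)


def decode_vsa(value: bytes) -> tuple:
    return struct.unpack("!I", value[:4])[0], decode_attrs(value[4:])


def parse_packet(pkt: bytes) -> tuple:
    """(code, identifier, length, authenticator, attrs); bytes beyond Length are padding."""
    code, ident, length, auth = HEADER.unpack_from(pkt)          # raises if shorter than 20 bytes
    if not 20 <= length <= min(4096, len(pkt)):                  # shorter than Length: drop it
        raise ValueError("invalid Length field")
    return code, ident, length, auth, decode_attrs(pkt[HEADER.size:length])


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: str) -> tuple:
    request_auth = os.urandom(16)                                # unpredictable, unique per request
    body = encode_attrs([(USER_NAME, user),
                         (USER_PASSWORD, password_transform(password, secret, request_auth)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body, request_auth


def build_response(code: int, ident: int, secret: bytes, request_auth: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(resp: bytes, secret: bytes, request_auth: bytes, expected_ident: int) -> bool:
    """Client side: the Identifier must match the outstanding request and the authenticator must verify."""
    _, ident, length, auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return ident == expected_ident and hmac.compare_digest(auth, expected)


def demo() -> dict:
    secret, vendor_id = b"example-shared-key", 9999               # constructed values, not HP's
    req, rauth = build_access_request(7, secret, b"alice", b"s3cret!", "10.1.1.2")
    code, ident, _, auth, attrs = parse_packet(req)                # what the server receives
    ok = code == ACCESS_REQUEST and dict(attrs)[USER_NAME] == b"alice" and \
        password_transform(dict(attrs)[USER_PASSWORD], secret, auth, reveal=True) == b"s3cret!"
    resp = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, secret, rauth,
                          [(VENDOR_SPECIFIC, encode_vsa(vendor_id, [(29, b"3")]))])  # 29: Exec_Privilege
    tampered = resp[:-1] + bytes([resp[-1] ^ 1])                   # one bit flipped in Vendor-Data
    return {"accepted": resp[0] == ACCESS_ACCEPT,
            "genuine_verified": verify_response(resp, secret, rauth, 7),
            "tampered_verified": verify_response(tampered, secret, rauth, 7),
            "exec_privilege": dict(decode_vsa(dict(parse_packet(resp)[4])[VENDOR_SPECIFIC])[1])[29]}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcome of the exchange. Two points the code makes concrete: the password hiding is a keyed MD5 stream, so it is exactly as strong as the shared key,  and the Response Authenticator proves only that the reply came from a holder of that key for this Request Authenticator; the Access-Request itself carries no such proof, which is what the Message-Authenticator attribute (80) adds for EAP.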

HWTACACS

Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS | RADIUS
Uses TCP, providing more reliable network transmission. | Uses UDP, providing higher transport efficiency.
Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet.
Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process.
Supports authorization of configuration commands. Which commands a user can use depends on both the user level and AAA authorization. A user can use only commands that are not only of, or lower than, the user level but also authorized by the HWTACACS server. | Does not support authorization of configuration commands. Which commands a user can use depends on the level of the user, and a user can use all the commands of, or lower than, the user level.
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS mainly provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical HWTACACS application, some terminal users need to log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the username and password of a user to the HWTACACS server for authentication. After passing authentication and being authorized, the user logs in to the device and performs operations, and the HWTACACS server records the operations that the user performs.
Differences between HWTACACS and RADIUS
HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They have many features in common, like using a client/server model, using shared keys for user information security, and providing flexibility and extensibility. Table 3 lists their differences.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS basic message exchange process
The following takes a Telnet user as an example to describe how HWTACACS performs user authentication, authorization, and accounting.
Figure 6 HWTACACS basic message exchange process for a Telnet user (between the host, the HWTACACS client, and the HWTACACS server)
Here is the process:
1. A Telnet user sends an access request to the HWTACACS client.
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user inputs the username.
6. After receiving the username, the HWTACACS client sends the server a continue-authentication packet that carries the username.
7. The HWTACACS server sends back an authentication response, requesting the login password.
8. Upon receipt of the response, the HWTACACS client asks the user for the login password.
9. The user inputs the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its configuration interface to the user.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.

Domain-based user management

A NAS manages users based on Internet service provider (ISP) domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain a user belongs to by the username entered by the user at login, as shown in Figure 7.
Figure 7 Determine the ISP domain of a user by the username (a user enters the username as userid@domain-name or as a bare userid; if the username carries @domain-name, the NAS uses the domain domain-name to authenticate the user, otherwise it uses the default domain)
The authentication, authorization, and accounting of a user depends on the AAA methods configured for the domain that the user belongs to. If no specific AAA methods are configured for the domain, the default methods are used. By default, a domain uses local authentication, local authorization, and local accounting.
The AAA feature allows you to manage users based on their access types:
• LAN users: Users on a LAN who must pass 802.1X authentication or MAC address authentication to access the network.
• Login users: Users who want to log in to the device, including SSH users, Telnet users, FTP users, and terminal service users.
• Portal users: Users who must pass portal authentication to access the network.
For a user who has logged in to the device, AAA provides the following services to enhance device security:
• Command authorization: Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, ensuring that login users execute only commands they are authorized to execute. For more information about command authorization, see the Fundamentals Configuration Guide.
• Command accounting: Allows the accounting server to record all commands executed on the device or all authorized commands successfully executed. For more information about command accounting, see the Fundamentals Configuration Guide.
• Level switching authentication: Allows the authentication server to authenticate users performing privilege level switching. After passing level switching authentication, users can switch their user privilege levels without logging out and disconnecting their current connections. For more information about user privilege level switching, see the Fundamentals Configuration Guide.
You can configure different authentication, authorization, and accounting methods for different users in a domain. See Configuring AAA methods for ISP domains.

RADIUS server feature of the device

Generally, the RADIUS server runs on a computer or workstation, and the RADIUS client runs on a NAS device. A network device that supports the RADIUS server feature can also serve as the RADIUS server, working with RADIUS clients to implement user authentication, authorization, and accounting. As shown in Figure 8, the RADIUS server and client can reside on the same device or different devices.
Using a network device as the RADIUS server simplifies networking and reduces deployment costs. This implementation is usually deployed on networks by using the clustering feature. In such a scenario, configure the RADIUS server feature on a management device at the distribution layer, so that the device functions as a RADIUS server to cooperate with cluster member switches at the access layer to provide user authentication and authorization services.
Figure 8 Devices functioning as a RADIUS server
A network device serving as the RADIUS server can provide the following functions:
• User information management: Supports creating, modifying, and deleting user information, including the username, password, authority, lifetime, and user description.
• RADIUS client information management: Supports creating and deleting RADIUS clients, which are identified by IP addresses and configured with attributes such as a shared key. After being configured with a managed client range, the RADIUS server processes only the RADIUS packets from the clients within the management range. A shared key is used to ensure secure communication between a RADIUS client and the RADIUS server.
• RADIUS authentication and authorization. RADIUS accounting is not supported.
NOTE:
The UDP port number for RADIUS authentication is 1812 in the standard RADIUS protocol, but is 1645 on HP devices. Specify 1645 as the authentication port number when you use an HP device as a RADIUS client.
Upon receiving a RADIUS packet, a device working as the RADIUS server checks whether the sending client is under its management. If yes, it verifies the packet validity by using the shared key, checks whether there is an account with the username, whether the password is correct, and whether the user attributes meet the requirements defined on the RADIUS server (for example, whether the account has expired). Then, the RADIUS server assigns the corresponding authority to the client if the authentication succeeds, or denies the client if the authentication fails.

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, and HWTACACS:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS

RADIUS attributes

Commonly used standard RADIUS attributes
No. | Attribute | Description
1 | User-Name | Name of the user to be authenticated.
2 | User-Password | User password for PAP authentication, present only in Access-Request packets in PAP authentication mode.
3 | CHAP-Password | Digest of the user password for CHAP authentication, present only in Access-Request packets in CHAP authentication mode.
4 | NAS-IP-Address | IP address for the server to identify a client. Usually, a client is identified by the IP address of the access interface on the NAS, namely the NAS IP address. This attribute is present in only Access-Request packets.
5 | NAS-Port | Physical port of the NAS that the user accesses.
6 | Service-Type | Type of service that the user has requested or type of service to be provided.
7 | Framed-Protocol | Encapsulation protocol.
8 | Framed-IP-Address | IP address to be configured for the user.
11 | Filter-ID | Name of the filter list.
12 | Framed-MTU | Maximum transmission unit (MTU) for the data link between the user and NAS. For example, with 802.1X EAP authentication, NAS uses this attribute to notify the server of the MTU for EAP packets, so as to avoid oversized EAP packets.
14 | Login-IP-Host | IP address of the NAS interface that the user accesses.
15 | Login-Service | Type of the service that the user uses for login.
18 | Reply-Message | Text to be displayed to the user, which can be used by the server to indicate, for example, the reason of the authentication failure.
26 | Vendor-Specific | Vendor specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes.
27 | Session-Timeout | Maximum duration of service to be provided to the user before termination of the session.
28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session.
31 | Calling-Station-Id | User identification that the NAS sends to the server. With the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
32 | NAS-Identifier | Identification that the NAS uses for indicating itself.
40 | Acct-Status-Type | Type of the Accounting-Request packet. Possible values: 1 Start; 2 Stop; 3 Interim-Update; 4 Reset-Charge; 7 Accounting-On (defined in 3GPP, the 3rd Generation Partnership Project); 8 Accounting-Off (defined in 3GPP); 9 to 14 reserved for tunnel accounting; 15 reserved for failed.
45 | Acct-Authentic | Authentication method used by the user. Possible values: 1 RADIUS; 2 Local; 3 Remote.
60 | CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
61 | NAS-Port-Type | Type of the physical port of the NAS that is authenticating the user. Possible values: 15 Ethernet; 16 any type of ADSL; 17 Cable (with cable for cable TV); 201 VLAN; 202 ATM. If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
79 | EAP-Message | Used for encapsulating EAP packets to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol.
80 | Message-Authenticator | Used for authentication and checking of authentication packets to prevent spoofing Access-Requests. This attribute is used when RADIUS supports EAP authentication.
87 | NAS-Port-Id | String for describing the port of the NAS that is authenticating the user.
HP proprietary RADIUS sub-attributes
No. | Sub-attribute | Description
1 | Input-Peak-Rate | Peak rate in the direction from the user to the NAS, in bps.
2 | Input-Average-Rate | Average rate in the direction from the user to the NAS, in bps.
3 | Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps.
4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps.
5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps.
6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps.
15 | Remanent_Volume | Remaining, available total traffic of the connection, in different units for different server types.
20 | Command | Operation for the session, used for session control. Possible values: 1 Trigger-Request; 2 Terminate-Request; 3 SetPolicy; 4 Result; 5 PortalClear.
24 | Control_Identifier | Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value; for retransmitted packets of different sessions, this attribute may take the same value. The client response to a retransmitted packet must also carry this attribute, and the value of the attribute must be the same. For Accounting-Request packets of the start, stop, and interim update types, the Control-Identifier attribute, if present, has no meaning.
25 | Result_Code | Result of the Trigger-Request or SetPolicy operation. A value of zero means the operation succeeded; any other value means the operation failed.
26 | Connect_ID | Index of the user connection.
28 | Ftp_Directory | Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client.
29 | Exec_Privilege | Priority of the EXEC user.
59 | NAS_Startup_Timestamp | Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).
60 | Ip_Host_Addr | IP address and MAC address of the user carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.
61 | User_Notify | Information that needs to be sent from the server to the client transparently.
62 | User_HeartBeat | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets.
140 | User_Group | User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with the SSL VPN device.
141 | Security_Level | Security level assigned after the SSL VPN user passes security authentication.
201 | Input-Interval-Octets | Bytes input within a real-time accounting interval.
202 | Output-Interval-Octets | Bytes output within a real-time accounting interval.
203 | Input-Interval-Packets | Packets input within an accounting interval, in the unit set on the device.
204 | Output-Interval-Packets | Packets output within an accounting interval, in the unit set on the device.
205 | Input-Interval-Gigawords | Result of bytes input within an accounting interval divided by 4G bytes.
206 | Output-Interval-Gigawords | Result of bytes output within an accounting interval divided by 4G bytes.
207 | Backup-NAS-IP | Backup source IP address for sending RADIUS packets.
255 | Product_ID | Product name.

AAA configuration considerations and task list

To configure AAA, you must complete these tasks on the NAS:
1. Configure the required AAA schemes.
• Local authentication: Configure local users and the related attributes, including the usernames and passwords of the users to be authenticated.
• Remote authentication: Configure the required RADIUS and HWTACACS schemes, and configure user attributes on the servers accordingly.
2. Configure AAA methods for the users' ISP domains.
• Authentication method: No authentication (none), local authentication (local), or remote authentication (scheme)
• Authorization method: No authorization (none), local authorization (local), or remote authorization (scheme)
• Accounting method: No accounting (none), local accounting (local), or remote accounting (scheme)
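As an added model written for this page, not the switch's implementation, the following Python code ties the domain selection of Figure 7 to the per-domain methods above: it derives the ISP domain from the username (userid@domain-name, otherwise the default domain), falls back to the default method, local, for any service the domain does not configure, and lists domains whose authentication method is none, since a user can select such a domain simply by appending its name to the username. The domain names and methods are constructed; what an actual NAS does with a nonexistent domain is not stated on this page, so the model rejects that login rather than guessing.

```python
"""Model of domain-based AAA method selection (illustrative, not HP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVICES = ("authentication", "authorization", "accounting")
DEFAULT_METHOD = "local"            # method used when a domain configures none of its own


@dataclass
class IspDomain:
    name: str
    methods: Dict[str, str] = field(default_factory=dict)   # service -> "none" | "local" | "scheme"


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """'userid@domain-name' -> ('userid', 'domain-name'); 'userid' -> ('userid', None).
    This model splits at the first '@'; confirm the rule your NAS applies."""
    userid, sep, domain = username.partition("@")
    return userid, (domain if sep else None)


def resolve_domain(username: str, domains: Dict[str, IspDomain],
                   default_domain: str) -> Optional[IspDomain]:
    _, tag = split_username(username)
    return domains.get(default_domain if tag is None else tag)


def aaa_methods(username: str, domains: Dict[str, IspDomain],
                default_domain: str) -> Optional[Dict[str, str]]:
    """Effective method per service, or None when the selected domain does not exist
    (the model fails closed; the page does not say what the device does in that case)."""
    dom = resolve_domain(username, domains, default_domain)
    if dom is None:
        return None
    return {svc: dom.methods.get(svc, DEFAULT_METHOD) for svc in SERVICES}


def domains_without_authentication(domains: Dict[str, IspDomain]) -> List[str]:
    """Audit: any configured domain is reachable through a username suffix, so a domain
    whose authentication method is 'none' admits anyone who knows its name."""
    return sorted(n for n, d in domains.items()
                  if d.methods.get("authentication", DEFAULT_METHOD) == "none")


def demo() -> dict:
    domains = {                                  # constructed configuration, not from the page
        "system": IspDomain("system"),
        "corp": IspDomain("corp", {s: "scheme" for s in SERVICES}),
        "guest": IspDomain("guest", {"authentication": "none"}),
    }
    return {
        "bare": aaa_methods("alice", domains, "system"),
        "corp": aaa_methods("alice@corp", domains, "system"),
        "guest": aaa_methods("bob@guest", domains, "system"),
        "unknown": aaa_methods("alice@nosuch", domains, "system"),
        "audit": domains_without_authentication(domains),
    }


if __name__ == "__main__":
    for login, methods in demo().items():
        print(f"{login:8} {methods}")
```

The audit helper is the part worth keeping: before enabling login through a domain with authentication none, check which access types that domain serves, because the username suffix is chosen by the client, not by the administrator.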
Figure 9 AAA configuration diagram (Local AAA: configure local users and related attributes and use the local methods, the default; Remote AAA: configure the RADIUS or HWTACACS schemes to be referenced and use the scheme methods; No AAA: use none. In each case, create an ISP domain, enter its view, and configure the authentication, authorization, and accounting methods there.)
Table 4 AAA configuration task list
Task | Remarks
Configuring AAA schemes:
  Configuring local users | Required. Complete at least one of these three tasks.
  Configuring RADIUS schemes |
  Configuring HWTACACS schemes |
Configuring AAA methods for ISP domains:
  Creating an ISP domain | Required
  Configuring ISP domain attributes | Optional
  Configuring AAA authentication methods for an ISP domain | Required. Complete at least one of these three tasks.
  Configuring AAA authorization methods for an ISP domain |
  Configuring AAA accounting methods for an ISP domain |
Tearing down user connections forcibly | Optional
Configuring a network device as a RADIUS server | Optional
Displaying and maintaining AAA | Optional
NOTE:
For login users, you must configure the login authentication mode for the user interfaces as scheme before performing the above configurations. For more information, see the Fundamentals Configuration Guide.

Configuring AAA schemes

Configuring local users

For local authentication, you must create local users and configure user attributes on the device in advance. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
Service type
Types of services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication.
Service types include FTP, LAN access, Portal, SSH, Telnet, and Terminal.
User state
Indicates whether or not a local user can request network services. There are two user states: active and blocked. A user in the active state can request network services, but a user in the blocked state cannot.
Maximum number of users using the same local user account
Indicates how many users can use the same local user account for local authentication.
Expiration time
Indicates the expiration time of a local user account. A user must use a local user account that has not expired to pass local authentication.
User group
Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user group, see Configuring user group attributes.
Password control attributes
Password control attributes help you improve the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy.
You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective for all local users, all local users in a group, or only the local user. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see the chapter "Password control configuration".
Binding attributes
Binding attributes are used to control the scope of users. Binding attributes are checked during authentication. If the attributes of a user do not match the binding attributes configured for the user on the access device, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For more information about binding attributes, see Configuring local user attributes.
Authorization attributes
Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see Configuring local user attributes.
You can configure an authorization attribute in user group view or local user view, making the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.
Local user configuration task list
Complete these tasks to configure local users:
Configuring local user attributes (required)
Configuring user group attributes (optional)
Displaying and maintaining local users and local user groups (optional)
Configuring local user attributes
Follow these steps to configure attributes for a local user:

1. Enter system view.
   Command: system-view

2. Set the password display mode for all local users (optional).
   Command: local-user password-display-mode { auto | cipher-force }
   The default is auto, which displays the password of a local user in the way indicated by the password command.

3. Add a local user and enter local user view (required).
   Command: local-user user-name
   No local user exists by default.

4. Configure a password for the local user (optional).
   Command: password { cipher | simple } password

5. Place the local user in the active or blocked state (optional).
   Command: state { active | block }
   A newly created local user is in the active state by default and can request network services.

6. Set the maximum number of users using the local user account (optional).
   Command: access-limit max-user-number
   By default, there is no limit on the number of users that can use the same local user account. This limit is not effective for FTP users.

7. Configure the password control attributes for the local user (optional).
   Set the password aging time: password-control aging aging-time
   Set the minimum password length: password-control length length
   Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]
   By default, each of these attributes uses the setting for the user group. If there is no such setting for the user group, the global setting is used.

8. Specify the service types for the local user (required).
   Command: service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal }
   By default, no service is authorized to a local user.

9. Configure the binding attributes for the local user (optional).
   Command: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
   By default, no binding attribute is configured for a local user.
   ip, location, mac, and vlan are supported for LAN users. No binding attribute is supported for other types of local users.

10. Configure the authorization attributes for the local user (optional).
   Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *
   By default, no authorization attribute is configured for a local user.
   For LAN and portal users, only acl, idle-cut, user-profile, and vlan are supported.
   For SSH and terminal users, only level is supported.
   For FTP users, only level and work-directory are supported.
   For Telnet users, only level and user-role are supported.
   For other types of local users, no authorization attribute is supported.

11. Set the expiration time of the local user (optional).
   Command: expiration-date time
   Not set by default. When some users need to access the network temporarily, create a guest account and specify an expiration time for it.

12. Assign the local user to a user group (optional).
   Command: group group-name
   By default, a local user belongs to the default user group system.
NOTE:
For more information about password control attribute commands, see the chapter "Password control configuration".
On a device supporting the password control feature, local user passwords are not displayed, and the local-user password-display-mode command is not effective.
With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the configuration of the password command. In this case, if you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the device restarts, even if you restore the display mode to auto.
The access-limit command configured for a local user takes effect only when local accounting is configured.
If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view). For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface. For more information about user interface authentication mode and user interface command level, see the Fundamentals Configuration Guide.
Be cautious when deciding which binding attributes to configure for a local user. Binding attributes are checked upon local authentication of a user. If the check fails, the user fails authentication.
Every configurable authorization attribute has its own application environments and purposes. When configuring authorization attributes for a local user, consider which attributes are actually needed.
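The following session is an added worked example, not a configuration taken from the original guide. It applies the steps above to three local users on a switch called Switch: an SSH administrator, a LAN access user bound to a MAC address and an access port, and a temporary Telnet guest. The device name, usernames, passwords, MAC address, port numbering, VLAN ID and date are assumed; the user-interface commands at the end are from the Fundamentals Configuration Guide that the note refers to, and the expiration-date time format should be checked against the command reference for your software release.

```text
# Enter system view and force local user passwords to be displayed in
# cipher text, whatever the password command specifies for each user.
<Switch> system-view
[Switch] local-user password-display-mode cipher-force

# SSH administrator: only the SSH service, and only the level authorization
# attribute, which is the one attribute SSH users support. Level 3 is the
# highest command level. The access-limit of one concurrent session only
# takes effect once local accounting is configured for the user's domain.
[Switch] local-user admin
[Switch-luser-admin] password simple Adm1n-Passw0rd!
[Switch-luser-admin] service-type ssh
[Switch-luser-admin] authorization-attribute level 3
[Switch-luser-admin] access-limit 1
[Switch-luser-admin] quit

# LAN access user: bound to a MAC address and to port 5 in slot 1,
# subslot 0 (assumed numbering), so the same credentials fail authentication
# from any other host or port. After authentication the user is put in
# VLAN 10 and disconnected after 15 idle minutes. Only acl, idle-cut,
# user-profile and vlan are valid authorization attributes for LAN users.
[Switch] local-user host01
[Switch-luser-host01] password simple H0st01-Passw0rd
[Switch-luser-host01] service-type lan-access
[Switch-luser-host01] bind-attribute mac 000f-e200-0001 location port 1 0 5
[Switch-luser-host01] authorization-attribute vlan 10 idle-cut 15
[Switch-luser-host01] quit

# Temporary guest: Telnet only, at the lowest command level, with an
# expiration time so the account stops working without anyone remembering
# to delete it.
[Switch] local-user guest01
[Switch-luser-guest01] password simple Gu3st-Passw0rd
[Switch-luser-guest01] service-type telnet
[Switch-luser-guest01] authorization-attribute level 0
[Switch-luser-guest01] expiration-date 18:00:00-2011/06/30
[Switch-luser-guest01] quit

# Suspending an account without deleting it: a blocked user keeps all its
# attributes but cannot request any service until set back to active.
[Switch] local-user host01
[Switch-luser-host01] state block
[Switch-luser-host01] quit

# The level authorized to admin only governs the available commands if the
# VTY lines authenticate through AAA (scheme). With password or no
# authentication, the user privilege level of the user interface applies
# instead. (Commands from the Fundamentals Configuration Guide.)
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] quit

# Check the result. With cipher-force set, saved passwords stay in cipher
# text even if the display mode is later returned to auto.
[Switch] display local-user user-name admin
[Switch] display local-user state block
```

The binding attributes are the part to be careful with: a mistyped MAC address or port location does not produce a warning at configuration time, it silently makes every authentication attempt by that user fail, so verify the values with display local-user before relying on the account.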
Configuring user group attributes
User groups simplify local user configuration and management. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attribute management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
By default, every newly added local user belongs to the system default user group system and bears all attributes of the group. To change the user group to which a local user belongs, use the group command in local user view.
Follow these steps to configure attributes for a user group:

1. Enter system view.
   Command: system-view

2. Create a user group and enter user group view (required).
   Command: user-group group-name

3. Configure password control attributes for the user group (optional).
   Set the password aging time: password-control aging aging-time
   Set the minimum password length: password-control length length
   Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ]
   By default, each of these attributes uses the global setting.

4. Configure the authorization attributes for the user group (optional).
   Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *
   By default, no authorization attribute is configured for a user group.
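The following session is an added example, not configuration from the original guide. It shows the three-level precedence described in this chapter: global password control settings, a user group that tightens them and sets a default command level, and two members, one that inherits everything and one whose own settings override the group. The global password-control commands come from the "Password control configuration" chapter; the switch name, group name, usernames and values are assumed.

```text
# Global password control settings: the fallback for any group or user that
# has no setting of its own. Password control must be enabled for the
# aging, length and composition checks to be enforced.
<Switch> system-view
[Switch] password-control enable
[Switch] password-control aging 90
[Switch] password-control length 10

# Group for network operators: 60-day aging, 12-character minimum, at least
# three character types with at least two characters of each, and command
# level 2 for every member unless the member overrides it.
[Switch] user-group netops
[Switch-ugroup-netops] password-control aging 60
[Switch-ugroup-netops] password-control length 12
[Switch-ugroup-netops] password-control composition type-number 3 type-length 2
[Switch-ugroup-netops] authorization-attribute level 2
[Switch-ugroup-netops] quit

# op1 inherits the group settings unchanged. The group is assigned before
# the password is configured so that the group's policy is already in place
# when the password is checked.
[Switch] local-user op1
[Switch-luser-op1] service-type ssh
[Switch-luser-op1] group netops
[Switch-luser-op1] password simple Op1-Passw0rd-2011
[Switch-luser-op1] quit

# op2 overrides the group: a setting in local user view has the smaller
# effective range, so it wins. op2 keeps the group's aging and composition
# policy but gets a 14-character minimum and command level 3.
[Switch] local-user op2
[Switch-luser-op2] service-type ssh
[Switch-luser-op2] group netops
[Switch-luser-op2] password-control length 14
[Switch-luser-op2] authorization-attribute level 3
[Switch-luser-op2] password simple Op2-Passw0rd-2011!
[Switch-luser-op2] quit

# A user that is never assigned a group stays in the default group "system"
# and is governed only by the global settings (90 days, 10 characters, no
# authorized level unless one is set on the user itself).
[Switch] display user-group netops
[Switch] display local-user user-name op2
```

Putting the level on the group rather than on each user means a new operator gets the intended level simply by being added to the group, and a per-user override such as op2's level 3 is visible in display local-user as a deliberate exception rather than buried in a list of identical per-user lines.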
Displaying and maintaining local users and local user groups
Display local user information (available in any view):
display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Display the user group configuration information (available in any view):
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Configuring RADIUS schemes

A RADIUS scheme specifies the RADIUS servers that the device can cooperate with and defines a set of parameters that the device uses to exchange information with the RADIUS servers. There may be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type.
RADIUS scheme configuration task list
Complete these tasks to configure a RADIUS scheme:
Creating a RADIUS scheme (required)
Specifying the RADIUS authentication/authorization servers (required)
Specifying the RADIUS accounting servers and relevant parameters (optional)
Setting the shared keys for RADIUS packets (optional)
Setting the maximum number of RADIUS request transmission attempts (optional)
Setting the supported RADIUS server type (optional)
Setting the status of RADIUS servers (optional)
Setting the username format and traffic statistics units (optional)
Specifying a source IP address for outgoing RADIUS packets (optional)
Setting timers for controlling communication with RADIUS servers (optional)