i
Contents
AAA configuration ······················································································································································· 1
AAA overview ··································································································································································· 1
RADIUS ······································································································································································ 2
HWTACACS ····························································································································································· 8
Domain-based user management ························································································································ 10
Protocols and standards ······································································································································· 11
RADIUS attributes ·················································································································································· 11
FIPS compliance ····························································································································································· 14
AAA configuration considerations and task list ·········································································································· 14
Configuring AAA schemes ············································································································································ 16
Configuring local users ········································································································································· 16
Configuring RADIUS schemes ······························································································································ 20
Configuring HWTACACS schemes ····················································································································· 31
Configuring AAA methods for ISP domains ················································································································ 36
Configuration prerequisites ·································································································································· 37
Creating an ISP domain ······································································································································· 37
Configuring ISP domain attributes ······················································································································· 37
Configuring AAA authentication methods for an ISP domain ·········································································· 38
Configuring AAA authorization methods for an ISP domain ··········································································· 40
Configuring AAA accounting methods for an ISP domain ··············································································· 42
Tearing down user connections forcibly ······················································································································ 43
Configuring a NAS ID-VLAN binding ·························································································································· 43
Displaying and maintaining AAA ································································································································ 44
AAA configuration examples ········································································································································ 44
AAA for Telnet users by an HWTACACS server ······························································································· 44
AAA for Telnet users by separate servers ··········································································································· 46
Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47
Level switching authentication for Telnet users by an HWTACACS server ····················································· 51
Troubleshooting AAA ···················································································································································· 55
Troubleshooting RADIUS ······································································································································· 55
Troubleshooting HWTACACS ······························································································································ 56
802.1X fundamentals ················································································································································ 57
Architecture of 802.1X ·················································································································································· 57
Controlled/uncontrolled port and pot authorization status ······················································································· 57
802.1X-related protocols ·············································································································································· 58
Packet format ························································································································································· 58
EAP over RADIUS ·················································································································································· 60
Initiating 802.1X authentication ··································································································································· 60
802.1X client as the initiator································································································································ 60
Access device as the initiator ······························································································································· 60
802.1X authentication procedures ······························································································································ 61
A comparison of EAP relay and EAP termination ······························································································ 61
EAP relay ································································································································································ 62
EAP termination ····················································································································································· 63
802.1X configuration ················································································································································ 65
HP implementation of 802.1X ······································································································································ 65
Access control methods ········································································································································ 65
Using 802.1X authentication with other features ······························································································ 65
To Next Page
Loading...
Need help?
General