2-16
Controlling Management Access to the ProCurve Secure Router
Using the AAA Subsystem to Control Management Access
You configure the list of authentication methods in the order in which you
want them used. Then, if one method fails, the next method is used. (For
information about what constitutes a failure, see “Criteria for Failure of
Authentication Methods” on page 2-16.)
The AAA subsystem allows you to use a standard authentication method
across your entire network. If you are using a RADIUS server or a TACACS+
server to authenticate network services and applications, you can use this
same server to authenticate management access to the ProCurve Secure
Router.
In addition to controlling management access, the AAA subsystem can be used
to authenticate VPN users when Xauth is configured. (For more information
about Xauth, see the ProCurve Secure Router Advanced Management and
Configuration Guide, Chapter 10: Virtual Private Networks.)
The AAA subsystem also strengthens your WAN security by supporting autho-
rization and accounting for management access to the ProCurve Secure
Router. Enforced through a TACACS+ server, authorization and accounting
go beyond password authentication to ensure that only authorized users
perform management functions and to provide a record of the configuration
commands entered.
Criteria for Failure of Authentication Methods
The AAA subsystem skips an authentication method if the method itself fails.
However, if a user fails to enter the correct password, that user is denied
access to the router. The user failed in his or her attempt to authenticate; the
authentication method did not fail.
The ProCurve Secure Router uses the following criteria to determine if an
authentication method failed:
■ Line and enable passwords fail if no line or enable passwords are configured.
■ RADIUS or TACACS+ servers fail if the ProCurve Secure Router tries to
communicate with them but they do not respond.
■ The local user list fails if the given user is not listed in the database.
For example, if you configure the authentication methods with RADIUS as the
first option and the RADIUS server goes down, that authentication method
failed; the AAA subsystem will try the next authentication method you config-
ured. If you listed the local user list after the RADIUS server, the AAA
subsystem will use that authentication method next.
To Next Page
Loading...
Need help?
General
