16
Figure 8 Devices functioning as a RADIUS server
The device can serve as a RADIUS server to provide user information management, RADIUS client
management, and RADIUS authentication and authorization.
You can create, modify, and delete user information, including the username, password, authority,
lifetime, and user description.
You can create and delete RADIUS clients, which are identified by IP addresses and configured with
attributes such as a shared key. With a managed client range configured, the RADIUS server
processes only the RADIUS packets from the clients within the management range. Shared keys are
used to ensure secure communication between a RADIUS client and the RADIUS server.
With the RADIUS server enabled, the device checks whether or not the client of an incoming
RADIUS packet is under its management. If yes, it verifies the packet validity by using the shared key,
checks whether there is an account with the username, whether the password is correct, and
whether the user attributes meet the requirements defined on the RADIUS server (for example,
whether the account has expired). Then, the RADIUS server assigns the corresponding authority to
the client if the authentication succeeds, or denies the client if the authentication fails.
NOTE:
A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for
authentication requests, but an HPE device listens on UDP port 1645 instead when acting as the
RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client
when you use an HPE device as the RADIUS server.
AAA for MPLS L3VPNs
In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can
deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS
VPNs. With this feature, the PE at the left side of the MPLS backbone serves as a NAS and
transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in
VPN 3 for centralized authentication, as shown in Figure 9. Authentication
packets of private users in
different VPNs do not affect each other.
To Next Page
Loading...
Need help?
General
