Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Table of Contents

AAA/RADIUS/HWTACACS Overview
  Introduction to AAA
  Introduction to RADIUS
  Introduction to HWTACACS
  Protocols and Standards
AAA/RADIUS/HWTACACS Task List
Configuring AAA
  Prerequisites
  Creating an ISP Domain
  Configuring ISP Domain Attributes
  Configuring an AAA Authentication Scheme for an ISP Domain
  Configuring an AAA Authorization Scheme for an ISP Domain
  Configuring an AAA Accounting Scheme for an ISP Domain
  Configuring Local User Attributes
  Tearing down User Connections Forcibly
Configuring RADIUS
  Creating a RADIUS Scheme
  Specifying the RADIUS Authentication/Authorization Servers
  Configuring the RADIUS Accounting Servers and Relevant Parameters
  Setting the Shared Key for RADIUS Packets
  Setting the Maximum Number of RADIUS Request Retransmission Attempts
  Setting the Supported RADIUS Server Type
  Setting the Status of RADIUS Servers
  Configuring Attributes Related to the Data Sent to the RADIUS Server
  Setting Timers Regarding RADIUS Servers
  Configuring RADIUS Accounting-on
  Configuring an IP Address for the Security Policy Server
  Enabling the Listening Port of the RADIUS Client
Configuring HWTACACS
  Creating a HWTACACS Scheme
  Specifying the HWTACACS Authentication Servers
  Specifying the HWTACACS Authorization Servers
  Specifying the HWTACACS Accounting Servers
  Setting the Shared Key for HWTACACS Packets
  Configuring Attributes Related to the Data Sent to the TACACS Server
  Setting Timers Regarding HWTACACS Servers
Displaying and Maintaining AAA/RADIUS/HWTACACS
  Displaying and Maintaining AAA
  Displaying and Maintaining RADIUS
  Displaying and Maintaining HWTACACS
AAA/RADIUS/HWTACACS Examples
  AAA for Telnet Users by a HWTACACS Server
  AAA for Telnet Users by Separate Servers
Troubleshooting AAA/RADIUS/HWTACACS
  Troubleshooting RADIUS
  Troubleshooting HWTACACS

When configuring AAA/RADIUS/HWTACACS, go to these sections for the information you are interested in:
- AAA/RADIUS/HWTACACS Overview
- AAA/RADIUS/HWTACACS Task List
- Configuring AAA
- Configuring RADIUS
- Configuring HWTACACS
- Displaying and Maintaining AAA/RADIUS/HWTACACS
- AAA/RADIUS/HWTACACS Examples
- Troubleshooting AAA/RADIUS/HWTACACS

1.1 AAA/RADIUS/HWTACACS Overview

This section covers these topics:
- Introduction to AAA
- Introduction to RADIUS
- Introduction to HWTACACS

Introduction to AAA

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management. AAA usually uses a client/server model, where the client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers, as shown in Figure 1-1.

Figure 1-1 AAA networking diagram (user, NAS, RADIUS server and HWTACACS server connected over the Internet)

When a user tries to establish a connection to the NAS and obtain the rights to access other networks or some network resources, the NAS authenticates the user or the corresponding connection. The NAS can also transparently pass the user's authentication, authorization and accounting information to the server (RADIUS server or HWTACACS server). The RADIUS/HWTACACS protocol defines how to exchange user information between a NAS and a server.

In the AAA network shown in Figure 1-1, there is a RADIUS server and a HWTACACS server. You can determine the authentication, authorization and accounting scheme according to the actual requirements. For example, you can use the RADIUS server for authentication and authorization, and the HWTACACS server for accounting.

The three security functions are described as follows:
- Authentication: Identifies remote users and judges whether a user is legal.
- Authorization: Grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files on the server.
- Accounting: Records all network service usage information of users, including the service type, start and end time, and traffic. In this way, accounting can be used not only for accounting itself but also for network security surveillance.

You can use AAA to provide only one or two of the security functions, if desired. For example, if your company only wants employees to be authenticated before they access specific resources, you can configure only an authentication server. If network usage information is expected to be recorded, you also need to configure an accounting server.

As mentioned above, AAA provides a uniform framework to implement network security management. It is a security mechanism that enables authenticated and authorized entities to access specific resources and records the operations performed by those entities. The AAA framework thus allows for excellent scalability and centralized user information management.

AAA can be implemented through multiple protocols. Currently, the device supports using RADIUS and HWTACACS for AAA, and RADIUS is often used in practice.

Introduction to RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol in the client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. Based on UDP, RADIUS defines the RADIUS packet format and the message transfer mechanism, and uses UDP port 1812 as the authentication port and 1813 as the accounting port.

RADIUS was originally designed for dial-in user access. With the diversification of access methods, RADIUS has been extended to support more access methods, for example, Ethernet access and ADSL access. It uses authentication and authorization to provide access service and uses accounting to collect and record the usage of network resources by users.

I. Client/server model

- Client: The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the response (for example, rejects or accepts user access requests).
- Server: The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access. It authenticates a user after receiving a connection request and returns the processing result (for example, rejecting or accepting the user access request) to the client.

In general, the RADIUS server maintains three databases, namely, Users, Clients, and Dictionary, as shown in Figure 1-2:

Figure 1-2 RADIUS server components

- Users: Stores user information such as the username, password, applied protocols, and IP address.
- Clients: Stores information about RADIUS clients such as the shared keys and IP addresses.
- Dictionary: Stores the information for interpreting RADIUS protocol attributes and their values.

II. Security authentication mechanism

Information exchanged between the RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network, thus enhancing the security of the information exchange. To prevent user passwords from being intercepted on non-secure networks, the passwords are encrypted during transmission. A RADIUS server supports multiple user authentication methods, such as the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) of the Point-to-Point Protocol (PPP). In addition, a RADIUS server can act as the client of another AAA server to provide proxy authentication or accounting service.

III. Basic message exchange process of RADIUS

For the interaction among the host, the RADIUS client, and the RADIUS server, see Figure 1-3.

Figure 1-3 Basic message exchange process of RADIUS

The following is how RADIUS operates:
1) The host initiates a connection request carrying the username and password to the RADIUS client.
2) Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, where the user password is encrypted by the Message-Digest 5 (MD5) algorithm with the shared key.

3) The RADIUS server authenticates the username and password. If the authentication succeeds, it sends back an Access-Accept message containing the information about the user's rights. If the authentication fails, it returns an Access-Reject message.
4) The RADIUS client accepts or denies the user according to the returned authentication result. If it accepts the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.
6) The subscriber accesses the network resources.
7) The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
8) The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting.
9) The subscriber stops accessing the network resources.

IV. RADIUS packet structure

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the slave server mechanism. Figure 1-4 shows the RADIUS packet structure.

Figure 1-4 RADIUS packet structure

Descriptions of the fields are as follows:
1) The Code field (1 byte) indicates the type of the RADIUS packet. Table 1-1 gives the possible values and their meanings.

Table 1-1 Main values of the Code field

Code  Packet type          Description
1     Access-Request       From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the NAS-IP-Address, User-Password, and NAS-Port attributes.
2     Access-Accept        From the server to the client. If all the attribute values carried in the Access-Request are acceptable, that is, the authentication succeeds, the server sends an Access-Accept response.
3     Access-Reject        From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an Access-Reject response.
4     Accounting-Request   From the client to the server. A packet of this type carries user information for the server to start/stop accounting for the user. It contains the Acct-Status-Type attribute, which indicates whether the server is requested to start or to end the accounting.
5     Accounting-Response  From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has correctly recorded the accounting information.

2) The Identifier field (1 byte) is for matching request packets with response packets and detecting retransmitted request packets. The request and response packets of the same type have the same identifier.
3) The Length field (2 bytes) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. The value of the field is in the range 20 to ... bytes. Bytes beyond the length are considered padding and are neglected after being received. If the length of a received packet is less than that indicated by the Length field, the packet is dropped.
4) The Authenticator field (16 bytes) is used to authenticate the reply from the RADIUS server, and is also used in the password hiding algorithm. There are two kinds of authenticators: Request Authenticator and Response Authenticator.
5) The Attribute field carries information about the configuration details of a request or response. This field is represented in triplets of Type, Length, and Value.

- Type: One byte, in the range 1 to 255. It indicates the type of the attribute. Commonly used attributes for RADIUS authentication and authorization are listed in Table 1-2.
- Length: One byte indicating the length of the attribute in bytes, including the Type, Length, and Value fields.
- Value: Value of the attribute, up to 253 bytes. Its format and content depend on the Type and Length fields.

Table 1-2 RADIUS attributes

No.  Attribute type             No.    Attribute type
1    User-Name                  45     Acct-Authentic
2    User-Password              46     Acct-Session-Time
3    CHAP-Password              47     Acct-Input-Packets
4    NAS-IP-Address             48     Acct-Output-Packets
5    NAS-Port                   49     Acct-Terminate-Cause
6    Service-Type               50     Acct-Multi-Session-Id
7    Framed-Protocol            51     Acct-Link-Count
8    Framed-IP-Address          52     Acct-Input-Gigawords
9    Framed-IP-Netmask          53     Acct-Output-Gigawords
10   Framed-Routing             54     (unassigned)
11   Filter-ID                  55     Event-Timestamp
12   Framed-MTU                 56-59  (unassigned)
13   Framed-Compression         60     CHAP-Challenge
14   Login-IP-Host              61     NAS-Port-Type
15   Login-Service              62     Port-Limit
16   Login-TCP-Port             63     Login-LAT-Port
17   (unassigned)               64     Tunnel-Type
18   Reply-Message              65     Tunnel-Medium-Type
19   Callback-Number            66     Tunnel-Client-Endpoint
20   Callback-ID                67     Tunnel-Server-Endpoint
21   (unassigned)               68     Acct-Tunnel-Connection
22   Framed-Route               69     Tunnel-Password
23   Framed-IPX-Network         70     ARAP-Password
24   State                      71     ARAP-Features
25   Class                      72     ARAP-Zone-Access
26   Vendor-Specific            73     ARAP-Security
27   Session-Timeout            74     ARAP-Security-Data
28   Idle-Timeout               75     Password-Retry
29   Termination-Action         76     Prompt
30   Called-Station-Id          77     Connect-Info
31   Calling-Station-Id         78     Configuration-Token
32   NAS-Identifier             79     EAP-Message
33   Proxy-State                80     Message-Authenticator
34   Login-LAT-Service          81     Tunnel-Private-Group-id
35   Login-LAT-Node             82     Tunnel-Assignment-id
36   Login-LAT-Group            83     Tunnel-Preference
37   Framed-AppleTalk-Link      84     ARAP-Challenge-Response
38   Framed-AppleTalk-Network   85     Acct-Interim-Interval
39   Framed-AppleTalk-Zone      86     Acct-Tunnel-Packets-Lost
40   Acct-Status-Type           87     NAS-Port-Id
41   Acct-Delay-Time            88     Framed-Pool
42   Acct-Input-Octets          89     (unassigned)
43   Acct-Output-Octets         90     Tunnel-Client-Auth-id
44   Acct-Session-Id            91     Tunnel-Server-Auth-id

The attribute types listed in Table 1-2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC ....

V. RADIUS extended attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide. A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets for extension in applications. As shown in Figure 1-5, a sub-attribute that can be encapsulated in Attribute 26 consists of the following four parts:

- Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC .... The vendor ID of H3C is ....
- Vendor-Type: Indicates the type of the sub-attribute.
- Vendor-Length: Indicates the length of the sub-attribute.
- Vendor-Data: Indicates the contents of the sub-attribute.

Figure 1-5 Segment of a RADIUS packet containing an extended attribute

Introduction to HWTACACS

Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses the client/server model for information exchange between the NAS and the HWTACACS server. HWTACACS implements AAA mainly for such users as Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical HWTACACS application, a terminal user needs to log onto the device for operations. Working as the HWTACACS client, the device sends the username and password to the HWTACACS server for authentication. After passing authentication and being authorized, the user can log into the device to perform operations.

I. Differences between HWTACACS and RADIUS

HWTACACS and RADIUS have many common features, like implementing AAA, using a client/server model, using shared keys for user information security, and having good flexibility and extensibility. Meanwhile, they also have differences, as listed in Table 1-3.

Table 1-3 Primary differences between HWTACACS and RADIUS

HWTACACS: Uses TCP, providing more reliable network transmission.
RADIUS: Uses UDP, providing higher transport efficiency.

HWTACACS: Encrypts the entire packet except for the HWTACACS header.
RADIUS: Encrypts only the password field in an authentication packet.

HWTACACS: Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers.
RADIUS: Protocol packets are simple and authorization is combined with authentication.

HWTACACS: Supports authorized use of configuration commands. For example, an authenticated login user can be authorized to configure the device.
RADIUS: Does not support authorized use of configuration commands.

II. Basic message exchange process of HWTACACS

The following takes a Telnet user as an example to describe how HWTACACS performs user authentication, authorization, and accounting. Figure 1-6 illustrates the basic message exchange process of HWTACACS.
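Before the HWTACACS exchange, here is the RADIUS side in working code: the packet header and attribute TLVs of Figure 1-4, User-Password hiding with the shared key, the Response Authenticator that lets the NAS check a reply, and decoding of an Attribute 26 sub-attribute as laid out in Figure 1-5. This is an added Python example, not code from the manual or the switch; the shared key, username, NAS address and vendor ID 99999 are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                 # Table 1-1 codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26  # Table 1-2 types
MAX_LENGTH = 4096            # upper bound of the Length field per RFC 2865
VENDOR_ID_DEMO = 99999       # constructed vendor ID for this example only


def password_xor(data: bytes, secret: bytes, req_auth: bytes, hide: bool) -> bytes:
    """User-Password hiding (RFC 2865 5.2): each 16-byte block is XORed with MD5(secret +
    previous ciphertext block), the first with the Request Authenticator. hide=False reveals."""
    if hide:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else data[i:i + 16]
    return out if hide else out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type (1 byte), Length (1 byte, includes Type and Length), Value (<= 253 bytes)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code, Identifier, Length of the whole packet, 16-byte Authenticator, attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes) -> dict:
    """Length rules from the text: a datagram shorter than its Length field is
    dropped; bytes beyond Length are padding and ignored."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte minimum: dropped")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= MAX_LENGTH or len(data) < length:
        raise ValueError("bad Length field or truncated datagram: dropped")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute: dropped")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def accepted(data: bytes) -> bool:
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def decode_vsa(value: bytes):
    """Attribute 26 value: Vendor-ID (4 bytes, top byte 0) followed by
    Vendor-Type / Vendor-Length / Vendor-Data sub-attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-ID missing")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("malformed sub-attribute")
        subs.append((value[pos], value[pos + 2:pos + value[pos + 1]]))
        pos += value[pos + 1]
    return vendor_id, subs


def response_authenticator(code: int, ident: int, body: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that a reply was produced by a server holding the shared key."""
    pkt = parse_packet(response)
    expected = response_authenticator(pkt["code"], pkt["id"], response[20:pkt["length"]], req_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])


def demo_exchange(secret: bytes = b"constructed-shared-key", password: bytes = b"s3cret-pw-longer-than-16"):
    """Constructed exchange: NAS sends Access-Request, 'server' recovers the password and replies."""
    req_auth = os.urandom(16)                                      # Request Authenticator
    vsa = struct.pack("!IBB", VENDOR_ID_DEMO, 1, 9) + b"level-3"   # one constructed sub-attribute
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, password_xor(password, secret, req_auth, hide=True)),
        (NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),                    # constructed NAS address
        (VENDOR_SPECIFIC, vsa)])
    req = parse_packet(request)
    recovered = password_xor(dict(req["attrs"])[USER_PASSWORD], secret, req_auth, hide=False)
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    body = encode_attrs([(18, b"welcome")])                        # 18 = Reply-Message
    reply = (struct.pack("!BBH", code, req["id"], 20 + len(body))
             + response_authenticator(code, req["id"], body, req_auth, secret) + body)
    return request, reply, req_auth, recovered
```

Only the User-Password value is hidden; every other attribute travels in clear, which is the RADIUS half of the encryption difference listed in Table 1-3.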

Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (user, HWTACACS client and HWTACACS server; message steps 1 to 19 as listed below)

1) A Telnet user applies to access the NAS.
2) Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3) The HWTACACS server sends back an authentication response requesting the username.
4) Upon receiving the response, the HWTACACS client asks the user for the username.
5) The user enters the username.
6) After receiving the username from the user, the HWTACACS client sends to the server a continue-authentication packet carrying the username.

7) The HWTACACS server sends back an authentication response requesting the login password.
8) Upon receipt of the response, the HWTACACS client asks the user for the login password.
9) The user enters the password.
10) After receiving the login password, the HWTACACS client sends to the HWTACACS server a continue-authentication packet carrying the login password.
11) The HWTACACS server sends back an authentication response indicating that the user has passed authentication.
12) The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13) The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14) Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the NAS to the user.
15) The HWTACACS client sends a start-accounting request to the HWTACACS server.
16) The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
17) The user logs off.
18) The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19) The HWTACACS server sends back a stop-accounting packet, indicating that the stop-accounting request has been received.

Protocols and Standards

The protocols and standards related to AAA, RADIUS, and HWTACACS include:
- RFC 2865: Remote Authentication Dial In User Service (RADIUS)
- RFC 2866: RADIUS Accounting
- RFC 2867: RADIUS Accounting Modifications for Tunnel Protocol Support
- RFC 2868: RADIUS Attributes for Tunnel Protocol Support
- RFC 2869: RADIUS Extensions
- RFC 1492: An Access Control Protocol, Sometimes Called TACACS

1.2 AAA/RADIUS/HWTACACS Task List

I. AAA configuration task list

Tasks:
- Creating an ISP Domain
- Configuring ISP Domain Attributes
- Configuring an AAA Authentication Scheme for an ISP Domain
- Configuring an AAA Authorization Scheme for an ISP Domain
- Configuring an AAA Accounting Scheme for an ISP Domain
- Configuring Local User Attributes
- Tearing down User Connections Forcibly

Remarks: For local authentication, refer to Configuring Local User Attributes. For RADIUS authentication, refer to Configuring RADIUS. For HWTACACS authentication, refer to Configuring HWTACACS.

II. RADIUS configuration task list

Tasks:
- Creating a RADIUS Scheme
- Specifying the RADIUS Authentication/Authorization Servers
- Configuring the RADIUS Accounting Servers and Relevant Parameters
- Setting the Shared Key for RADIUS Packets
- Setting the Maximum Number of RADIUS Request Retransmission Attempts
- Setting the Supported RADIUS Server Type
- Setting the Status of RADIUS Servers
- Configuring Attributes Related to the Data Sent to the RADIUS Server
- Setting Timers Regarding RADIUS Servers
- Configuring RADIUS Accounting-on
- Configuring an IP Address for the Security Policy Server
- Enabling the Listening Port of the RADIUS Client

III. HWTACACS configuration task list

Tasks:
- Creating a HWTACACS Scheme
- Specifying the HWTACACS Authentication Servers
- Specifying the HWTACACS Authorization Servers
- Specifying the HWTACACS Accounting Servers
- Setting the Shared Key for HWTACACS Packets
- Configuring Attributes Related to the Data Sent to the TACACS Server
- Setting Timers Regarding HWTACACS Servers

1.3 Configuring AAA

By configuring AAA, you can provide network access service for legal users, protect the networking devices, and avoid unauthorized access and bilking. In addition, you can configure ISP domains to perform AAA on accessing users.

In AAA, users are divided into LAN access users (such as 802.1x users and MAC authentication users), login users (such as SSH, Telnet, FTP, and terminal access users), and command line users (that is, command line authentication users). Except for command line users, you can configure separate authentication/authorization/accounting policies for all the other types of users. Command line users can be configured with an authorization policy independently.

Prerequisites

For remote authentication, authorization, or accounting, you must create the RADIUS or HWTACACS scheme first.
- RADIUS scheme: Reference a configured RADIUS scheme to implement authentication/authorization and accounting. For RADIUS scheme configuration, refer to Configuring RADIUS.
- HWTACACS scheme: Reference a configured HWTACACS scheme to implement authentication/authorization and accounting. For HWTACACS scheme configuration, refer to Configuring HWTACACS.

Creating an ISP Domain

For the NAS, each accessing user belongs to an ISP domain. Up to 16 ISP domains can be configured on a NAS. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.

Follow these steps to create an ISP domain:
  Enter system view: system-view
  Create an ISP domain and enter ISP domain view: domain isp-name
  Return to system view: quit
  Specify the default ISP domain: domain default { disable | enable isp-name } (the system-default ISP domain, named system, is the default ISP domain)

You cannot delete the default ISP domain unless you change it to a non-default ISP domain (with the domain default disable command) first. If a user enters a username without an ISP domain name, the device uses the authentication scheme of the default ISP domain to authenticate the user.

Configuring ISP Domain Attributes

Follow these steps to configure ISP domain attributes:
  Enter system view: system-view
  Create an ISP domain and enter ISP domain view: domain isp-name
  Place the ISP domain in the active or blocked state: state { active | block } (when created, an ISP domain is active by default, and users in the domain can request network services)
  Specify the maximum number of users in the ISP domain: access-limit { disable | enable max-user-number } (no limit by default)
  Configure the idle cut function: idle-cut { disable | enable minute } (disabled by default)

  Enable the self-service server localization function and specify the URL of the self-service server for changing user passwords: self-service-url { disable | enable url-string } (disabled by default)

A self-service RADIUS server, for example, CAMS, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

Configuring an AAA Authentication Scheme for an ISP Domain

In AAA, authentication, authorization, and accounting are three separate processes. Authentication refers to the interactive authentication process of username/password/user information during access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting. You can configure AAA to use only authentication. If you do not perform any authentication configuration, the system-default ISP domain uses the local authentication scheme.

Before configuring an authentication scheme, complete these three tasks:
1) For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication modes do not require any scheme.
2) Determine the access mode or service type to be configured. With AAA, you can configure an authentication scheme specifically for each access mode and service type, limiting the authentication protocols that can be used for access.
3) Determine whether to configure an authentication scheme for all access modes or service types.

Follow these steps to configure an AAA authentication scheme for an ISP domain:
  Enter system view: system-view
  Create an ISP domain and enter ISP domain view: domain isp-name

  Specify the default authentication scheme for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (local by default)
  Specify the authentication scheme for LAN access users: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] } (the default authentication scheme is used by default)
  Specify the authentication scheme for login users: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (the default authentication scheme is used by default)

The authentication scheme specified with the authentication default command is for all types of users and has a lower priority than the scheme for a specific access mode.

With a RADIUS authentication scheme configured, AAA accepts only the authentication result from the RADIUS server. The response from the RADIUS server does include the authorization information when the authentication is successful, but the authentication process ignores that information.

With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or HWTACACS server is not available. If the primary authentication scheme is local or none, the system performs local authentication or does not perform any authentication, rather than using the RADIUS or HWTACACS scheme.

Configuring an AAA Authorization Scheme for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to authorized users. Authorization scheme configuration is optional in AAA configuration.

If you do not perform any authorization configuration, the system-default domain uses the local authorization scheme. With the authorization scheme of none, users are not required to be authorized, in which case an authenticated user has the default right. The default right is visiting (the lowest one) for EXEC users (that is, users who connect to the device through the console, AUX, Telnet, or SSH; each connection of these types is called an EXEC user). The default right for FTP users is to use the root directory of the device.

Before configuring an authorization scheme, complete these three tasks:
1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2) Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access.
3) Determine whether to configure an authorization scheme for all access modes or service types.

Follow these steps to configure an AAA authorization scheme for an ISP domain:
  Enter system view: system-view
  Create an ISP domain and enter ISP domain view: domain isp-name
  Specify the default authorization scheme for all types of users: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (local by default)
  Specify the authorization scheme for command line users: authorization command hwtacacs-scheme hwtacacs-scheme-name (the default authorization scheme is used by default)
  Specify the authorization scheme for LAN access users: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] } (the default authorization scheme is used by default)

21 Specify the authorization scheme for login users authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] local none radius-scheme radius-scheme-name [ local ] } The default authorization scheme is used by default. The authorization scheme specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding. With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or TACACS server is not available. If the primary authentication scheme is local or none, the system performs local authorization or does not perform any authorization, rather than uses the RADIUS or HWTACACS scheme. Authorization information of the RADIUS server is sent to the RADIUS client along with the authorization response message; therefore, you cannot specify a separate RADIUS server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message Configuring an AAA Accounting Scheme for an ISP Domain In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server. Accounting is not required, and therefore accounting scheme configuration is optional. If you do not perform any accounting configuration, the system-default domain uses the local accounting scheme. 
Before configuring an accounting scheme, complete these three tasks:
1) For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none accounting modes do not require any scheme.
2) Determine the access mode or service type to be configured. With AAA, you can configure an accounting scheme specifically for each access mode and service type, limiting the accounting protocols that can be used for access.
3) Determine whether to configure an accounting scheme for all access modes or service types.

Follow these steps to configure an AAA accounting scheme for an ISP domain:
1) Enter system view: system-view
2) Create an ISP domain and enter ISP domain view: domain isp-name
3) Enable the accounting optional feature: accounting optional (disabled by default)
4) Specify the default accounting scheme for all types of users: accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (local by default)
5) Specify the accounting scheme for LAN access users: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] } (the default accounting scheme is used by default)
6) Specify the accounting scheme for login users: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (the default accounting scheme is used by default)

With the accounting optional command configured, a user who would otherwise be disconnected can keep using network resources even when no accounting server is available or communication with the current accounting server fails. Enable it only where keeping users online matters more than a complete accounting record; with it disabled, an accounting outage also ends the affected sessions.
The accounting scheme specified with the accounting default command applies to all types of users and has a lower priority than the scheme configured for a specific access mode.
With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local combination configured, the local scheme is the backup scheme and is used only when the RADIUS or HWTACACS server is not available. If the primary accounting scheme is local or none, the system performs local accounting or no accounting at all; it never falls back to the RADIUS or HWTACACS scheme.
With the access mode of login, accounting is not supported for FTP services.

Configuring Local User Attributes

For local authentication, you must create a local user and configure its attributes. A local user represents a set of users configured on the device and is uniquely identified by its username. For a user requesting network service to pass local authentication, you must add an entry for that user to the local user database of the device.

Follow these steps to configure the attributes for a local user:
1) Enter system view: system-view
2) Set the password display mode for all local users: local-user password-display-mode { auto | cipher-force } (auto by default)
3) Add a local user and enter local user view: local-user user-name (no local user is configured by default)
4) Configure a password for the local user: password { cipher | simple } password
5) Place the local user in the active or blocked state: state { active | block } (a newly created local user is active by default and can request network services)

6) Specify the service types for the user: service-type { lan-access | { ssh | telnet | terminal } * [ level level ] } (by default, no service is authorized to a user)
7) Authorize the user to use the FTP service and specify the directory the user can access: service-type ftp [ ftp-directory directory ] (by default, no service is authorized to a user and anonymous FTP access is not allowed; if you authorize FTP but do not specify a directory, the user can access the root directory of the device)
8) Set the directory accessible to FTP/SFTP users: work-directory directory-name (by default, FTP/SFTP users can access the root directory)
9) Set the priority level of the user: level level (0 by default)
10) Set attributes for a LAN access user: attribute { access-limit max-user-number | idle-cut minute | ip ip-address | location { nas-ip ip-address port slot-number subslot-number port-number | port slot-number subslot-number port-number } | mac mac-address | vlan vlan-id } * (if the user is bound to a remote port, nas-ip must be specified; if the user is bound to a local port, nas-ip need not be specified, and its default value denotes the current host)

With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the keyword given to the password command. If you then save the configuration with the save command, all existing local user passwords are still displayed in cipher text after the device restarts, even if you restore the display mode to auto.
Local authentication checks the service types of a local user. If the requested service type is not configured for the user, the user cannot pass authentication. During authorization, a user with no service type configured is authorized no service by default.
If you specify an authentication method that requires a username and password (local, RADIUS or HWTACACS authentication), the level of the commands a user can use after logging in depends on the priority of the user; with other authentication methods it depends on the priority of the user interface. For an SSH user using RSA public key authentication, the usable commands depend on the level configured on the user interface. For details on authentication methods and command levels, refer to Login and System Maintaining and Debugging respectively.
Both the service-type and level commands can set the user priority; the one configured later takes effect.
The attribute ip command applies only to authentication types that can pass an IP address, such as 802.1x. If you configure it for an authentication type that cannot, such as MAC address authentication, local authentication fails.
The attribute port command binds a port by its number only, regardless of the port type.
The idle-cut command configured in ISP domain view applies to lan-access users only.

Tearing down User Connections Forcibly

Follow these steps to tear down user connections forcibly:
1) Enter system view: system-view
2) Tear down AAA user connections forcibly: cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ] (applies only to LAN access user connections at present)
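The local user, ISP domain and connection tear-down procedures above, worked through in one CLI session. This is an added example, not one from the manual: the prompts follow the manual's Sysname convention, and the domain name corp, the user names, the flash:/upload directory, the passwords and the RADIUS scheme name rd1 (assumed to have been created already with the radius scheme command) are illustrative assumptions.

```text
<Sysname> system-view
# Store and display every local password as cipher text, whatever keyword the
# password command is later given (assumed names and passwords throughout).
[Sysname] local-user password-display-mode cipher-force
# Fallback administrator, used only while the RADIUS servers are unreachable.
[Sysname] local-user admin
[Sysname-luser-admin] password cipher Adm1nF4llback
[Sysname-luser-admin] service-type ssh terminal level 3
[Sysname-luser-admin] quit
# FTP account confined to one directory instead of the device root, staged in
# the blocked state until it is needed.
[Sysname] local-user ftpuser
[Sysname-luser-ftpuser] password cipher Upl0adOnly
[Sysname-luser-ftpuser] service-type ftp ftp-directory flash:/upload
[Sysname-luser-ftpuser] state block
[Sysname-luser-ftpuser] quit
# ISP domain for administrators: RADIUS first, local only if no server answers.
# Authorization names the same scheme as authentication; otherwise it is ignored.
[Sysname] domain corp
[Sysname-isp-corp] authentication login radius-scheme rd1 local
[Sysname-isp-corp] authorization login radius-scheme rd1 local
[Sysname-isp-corp] accounting login radius-scheme rd1 local
[Sysname-isp-corp] quit
# Later: the FTP account goes live, and all LAN access sessions in the domain
# are torn down (login sessions are not affected by cut connection).
[Sysname] local-user ftpuser
[Sysname-luser-ftpuser] state active
[Sysname-luser-ftpuser] quit
[Sysname] cut connection domain corp
[Sysname] display local-user
```

With authentication login and authorization login both pointing at rd1, the authorization attributes returned by the RADIUS server are applied; had authorization login named a different RADIUS scheme, the system would prompt an error and the authorization would not take effect. The local keyword covers only an unreachable server: a reject from the RADIUS server is final and is not retried against the local user database. accounting optional is deliberately left at its default, so a login user whose accounting request goes unanswered is disconnected rather than admitted without an accounting record.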

1.4 Configuring RADIUS

RADIUS is configured scheme by scheme. After creating a RADIUS scheme, you configure the IP addresses and UDP ports of the RADIUS servers for the scheme: the authentication/authorization servers and the accounting servers, or, from another point of view, the primary servers and the secondary servers. In other words, the attributes of a RADIUS scheme mainly include the IP addresses of the primary and secondary servers, the shared key, and the RADIUS server type. The RADIUS configuration only sets the parameters needed for the exchange between a NAS and a RADIUS server. For these settings to take effect, you must reference the RADIUS scheme in an ISP domain. For the commands that reference a scheme, refer to Configuring AAA.

Creating a RADIUS Scheme

Before performing other RADIUS configurations, follow these steps to create a RADIUS scheme and enter RADIUS scheme view:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
A RADIUS scheme can be referenced by more than one ISP domain at the same time.

Specifying the RADIUS Authentication/Authorization Servers

Follow these steps to specify the RADIUS authentication/authorization servers:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
3) Configure the IP address and UDP port of the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ] (by default no server address is configured and the port is 1812)
4) Configure the IP address and UDP port of the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ] (by default no server address is configured and the port is 1812)

In practice, you may specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively. At any moment, a server can be the primary authentication/authorization server for one scheme and the secondary authentication/authorization server for another. The IP addresses of the primary and secondary authentication/authorization servers in a scheme cannot be the same; otherwise, the configuration fails.

Configuring the RADIUS Accounting Servers and Relevant Parameters

Follow these steps to specify the RADIUS accounting servers and perform related configurations:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
3) Configure the IP address and UDP port of the primary RADIUS accounting server: primary accounting ip-address [ port-number ] (by default no server address is configured and the port is 1813)
4) Configure the IP address and UDP port of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ] (by default no server address is configured and the port is 1813)
5) Enable the device to buffer stop-accounting requests that get no response: stop-accounting-buffer enable (enabled by default)
6) Set the maximum number of stop-accounting request transmission attempts: retry stop-accounting retry-times (500 by default)
7) Set the maximum number of real-time accounting request transmission attempts: retry realtime-accounting retry-times (5 by default)

In practice, you can specify two RADIUS servers as the primary and secondary accounting servers respectively, or specify one server to function as both. Because RADIUS uses different UDP ports to receive authentication/authorization and accounting packets, the port for authentication/authorization must differ from the port for accounting.
Setting the maximum number of stop-accounting request transmission attempts lets the device buffer and resend a stop-accounting request until it receives a response or the number of transmission attempts reaches the configured limit, at which point the device discards the packet.
Setting the maximum number of real-time accounting request transmission attempts lets the device disconnect a user once that many accounting requests for the user have gone unanswered.
The IP addresses of the primary and secondary accounting servers cannot be the same; otherwise, the configuration fails.
Currently, RADIUS does not support accounting for FTP users.

1.4.4 Setting the Shared Key for RADIUS Packets

RADIUS does not encrypt its packets. The RADIUS client and server share a key, which is combined with the MD5 algorithm to hide the user password carried in requests and to compute the authenticator with which each side verifies the other's packets. Only when both sides use the same key can they accept each other's packets and respond. Because this key is the only protection the protocol gives the exchange, use a long, unguessable key per scheme and confine the UDP path to the servers to a management network.

Follow these steps to set the shared key for RADIUS packets:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
3) Set the shared key for RADIUS authentication/authorization or accounting packets: key { accounting | authentication } string (no key by default)

The shared key configured on the device must be the same as that configured on the RADIUS server.

Setting the Maximum Number of RADIUS Request Retransmission Attempts

Because RADIUS carries its data in UDP packets, the communication is not reliable. If a NAS receives no response from the RADIUS server before the response timeout timer expires, it must retransmit the RADIUS request. If the number of transmission attempts exceeds the configured limit and it still receives no response, it considers the authentication a failure.

Follow these steps to set the maximum number of RADIUS request retransmission attempts:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
3) Set the number of retransmission attempts for RADIUS packets: retry retry-times (3 by default)

The maximum number of RADIUS packet retransmission attempts multiplied by the RADIUS server response timeout period cannot exceed 75 seconds. Refer to the timer response-timeout command in the command manual for configuring the RADIUS server response timeout period.

Setting the Supported RADIUS Server Type

Follow these steps to set the supported RADIUS server type:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
3) Specify the RADIUS server type supported by the device: server-type { extended | standard } (standard by default)

If you change the RADIUS server type, the unit for data flows sent to the original RADIUS server is restored to the default. With a third-party RADIUS server, you can set the server type to standard or extended. With a CAMS server, you must set the server type to extended.

Setting the Status of RADIUS Servers

When a primary server, whether an authentication/authorization server or an accounting server, fails, the device automatically turns to the secondary server. When both the primary and secondary servers are available, the device sends request packets to the primary server. Once the primary server fails, it enters the blocked state and the device turns to the secondary server. In this case:
If the secondary server is available, the device starts the primary server quiet timer. After the quiet timer expires, the primary server becomes active again and the status of the secondary server remains unchanged.
If the secondary server fails too, the device restores the primary server to the active state immediately.
If the primary server has recovered, the device turns back to the primary server and stops communicating with the secondary server. After accounting has started, the communication between the client and the secondary server remains unchanged.

Follow these steps to set the status of RADIUS servers:
1) Enter system view: system-view
2) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
3) Set the status of the primary RADIUS authentication/authorization server: state primary authentication { active | block }
4) Set the status of the primary RADIUS accounting server: state primary accounting { active | block }
5) Set the status of the secondary RADIUS authentication/authorization server: state secondary authentication { active | block }
6) Set the status of the secondary RADIUS accounting server: state secondary accounting { active | block }
Every server configured with an IP address in the RADIUS scheme is active by default.

If both the primary server and the secondary server are in the blocked state, you must manually set the secondary server to active so that it can perform authentication. If the secondary server stays blocked, the primary/secondary switchover cannot take place. If one server is active while the other is blocked, the primary/secondary switchover will not take place even if the active server is not reachable.

Configuring Attributes Related to the Data Sent to the RADIUS Server

Follow these steps to configure the attributes related to the data sent to the RADIUS server:

1) Enter system view: system-view
2) Enable the RADIUS trap function: radius trap { accounting-server-down | authentication-server-down } (disabled by default)
3) Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (not defined by default)
4) Specify the format of the username sent to the RADIUS server: user-name-format { with-domain | without-domain } (by default, the ISP domain name is included in the username)
5) Specify the units for data flows or packets sent to the RADIUS server: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * (byte for data flows and one-packet for packets by default)
6) Set the source IP address the device uses to send RADIUS packets, with either command: in RADIUS scheme view, nas-ip ip-address; or, after quit, in system view, radius nas-ip ip-address (by default, the address of the outbound port is used as the source IP address of RADIUS packets)

Some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name, so before sending such a username to such a server the device must remove the domain name. The user-name-format command therefore lets you decide whether a domain name is included in the username sent to the RADIUS server. If a RADIUS scheme sends usernames without the ISP domain name, do not apply that scheme to more than one ISP domain; otherwise the RADIUS server treats two users in different ISP domains that share the same userid as one user.
The nas-ip command in RADIUS scheme view applies only to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes; for a scheme that has its own nas-ip setting, that setting overrides the radius nas-ip configuration.
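The RADIUS scheme procedures of section 1.4, from creating the scheme through the attributes sent to the server, worked through in one CLI session. This is an added example rather than one from the manual: the scheme name rd1, the server addresses 10.1.1.1 and 10.1.1.2, the source addresses 10.0.0.1 and 10.0.0.2 and the two shared keys are illustrative assumptions, and the keys must be replaced by values matching the servers' entries for this NAS.

```text
<Sysname> system-view
# Send a trap when a server is declared down, so a failover is noticed
# (addresses, scheme name and keys are assumed values).
[Sysname] radius trap authentication-server-down
[Sysname] radius trap accounting-server-down
# Source address for every scheme that does not set its own.
[Sysname] radius nas-ip 10.0.0.1
# Create the scheme. Set server-type first: changing it later resets the
# data-flow-format unit for the scheme.
[Sysname] radius scheme rd1
[Sysname-radius-rd1] server-type extended
# Primary and secondary addresses must differ. The same host may serve both
# authentication and accounting, but on different UDP ports.
[Sysname-radius-rd1] primary authentication 10.1.1.1 1812
[Sysname-radius-rd1] secondary authentication 10.1.1.2 1812
[Sysname-radius-rd1] primary accounting 10.1.1.1 1813
[Sysname-radius-rd1] secondary accounting 10.1.1.2 1813
# One key per packet type; each must match the entry for this NAS on the server.
[Sysname-radius-rd1] key authentication Rd1AuthKey2f9c7e
[Sysname-radius-rd1] key accounting Rd1AcctKey4b1d0a
# 5 retries x 5 s timeout = 25 s, within the 75 s limit; retry 16 would be refused.
[Sysname-radius-rd1] timer response-timeout 5
[Sysname-radius-rd1] retry 5
# Keep unanswered stop-accounting requests and resend them up to 500 times.
[Sysname-radius-rd1] stop-accounting-buffer enable
[Sysname-radius-rd1] retry stop-accounting 500
# Keep the domain in usernames so the scheme can safely serve several domains.
[Sysname-radius-rd1] user-name-format with-domain
[Sysname-radius-rd1] data-flow-format data kilo-byte packet one-packet
# Per-scheme source address; overrides radius nas-ip for rd1 only.
[Sysname-radius-rd1] nas-ip 10.0.0.2
[Sysname-radius-rd1] quit
# Recovery after an outage that blocked both servers: reactivate them by hand,
# otherwise no primary/secondary switchover can occur.
[Sysname] radius scheme rd1
[Sysname-radius-rd1] state primary authentication active
[Sysname-radius-rd1] state secondary authentication active
[Sysname-radius-rd1] state primary accounting active
[Sysname-radius-rd1] state secondary accounting active
[Sysname-radius-rd1] quit
[Sysname] display radius scheme rd1
```

The scheme does nothing until an ISP domain references it (for example with authentication login radius-scheme rd1). Packets for rd1 leave with source 10.0.0.2, so the servers must register the NAS under that address rather than under the address of whichever interface the packet would otherwise use; any other scheme on the device uses 10.0.0.1 from the global radius nas-ip command.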


thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

Diameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Diameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026. AAA Working Group Pat R. Calhoun Internet-Draft Black Storm Networks Category: Standards Track William Bulley Merit Network, Inc. Allan C. Rubens Tut Systems, Inc.

More information

RADIUS Attributes. RADIUS IETF Attributes

RADIUS Attributes. RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

Contents. Configuring SSH 1

Contents. Configuring SSH 1 Contents Configuring SSH 1 Overview 1 How SSH works 1 SSH authentication methods 2 SSH support for Suite B 3 FIPS compliance 3 Configuring the device as an SSH server 4 SSH server configuration task list

More information

Network Working Group Request for Comments: 2058 Category: Standards Track. Merit W. Simpson Daydreamer S. Willens. Livingston.

Network Working Group Request for Comments: 2058 Category: Standards Track. Merit W. Simpson Daydreamer S. Willens. Livingston. Network Working Group Request for Comments: 2058 Category: Standards Track C. Rigney Livingston A. Rubens Merit W. Simpson Daydreamer S. Willens Livingston January 1997 Status of this Memo Remote Authentication

More information

HP Unified Wired-WLAN Products

HP Unified Wired-WLAN Products HP Unified Wired-WLAN Products Security Command Reference HP 830 Unified Wired-WLAN PoE+ Switch Series HP 850 Unified Wired-WLAN Appliance HP 870 Unified Wired-WLAN Appliance HP 11900/10500/7500 20G Unified

More information

HP VSR1000 Virtual Services Router

HP VSR1000 Virtual Services Router HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

More information

HPE FlexFabric 5950 Switch Series

HPE FlexFabric 5950 Switch Series HPE FlexFabric 5950 Switch Series Security Configuration Guide Part number: 5200-0833 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett Packard Enterprise

More information

thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS The RADIUS security system is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication

More information

RADIUS Attributes. In This Appendix. RADIUS Attributes Overview. IETF Attributes Versus VSAs

RADIUS Attributes. In This Appendix. RADIUS Attributes Overview. IETF Attributes Versus VSAs RADIUS Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting elements in a user profile, which is stored on

More information

Configuring Client-Initiated Dial-In VPDN Tunneling

Configuring Client-Initiated Dial-In VPDN Tunneling Configuring Client-Initiated Dial-In VPDN Tunneling Client-initiated dial-in virtual private dialup networking (VPDN) tunneling deployments allow remote users to access a private network over a shared

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Security Command Reference Part number: 5998-2887 Software version: Release2208 Document version: 6W100-20130228 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Configuring Authorization

Configuring Authorization The AAA authorization feature is used to determine what a user can and cannot do. When AAA authorization is enabled, the network access server uses information retrieved from the user s profile, which

More information

REMOTE AUTHENTICATION DIAL IN USER SERVICE

REMOTE AUTHENTICATION DIAL IN USER SERVICE AAA / REMOTE AUTHENTICATION DIAL IN USER SERVICE INTRODUCTION TO, A PROTOCOL FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICES Peter R. Egli INDIGOO.COM 1/12 Contents 1. AAA - Access Control 2.

More information

HP FlexFabric 5700 Switch Series

HP FlexFabric 5700 Switch Series HP FlexFabric 5700 Switch Series Security Command Reference Part number: 5998-6695 Software version: Release 2416 Document version: 6W100-20150130 Legal and notice information Copyright 2015 Hewlett-Packard

More information

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x

Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x Cisco Nexus 1000V for KVM Security Configuration Guide, Release 5.x First Published: August 01, 2014 Last Modified: November 13, 2015 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San

More information

Network Working Group Request for Comments: D. Mitton RSA, Security Division of EMC B. Aboba Microsoft Corporation January 2008

Network Working Group Request for Comments: D. Mitton RSA, Security Division of EMC B. Aboba Microsoft Corporation January 2008 Network Working Group Request for Comments: 5176 Obsoletes: 3576 Category: Informational M. Chiba G. Dommety M. Eklund Cisco Systems, Inc. D. Mitton RSA, Security Division of EMC B. Aboba Microsoft Corporation

More information

Login management commands

Login management commands Contents Login management commands 1 CLI login configuration commands 1 display telnet client configuration 1 telnet 1 telnet ipv6 2 telnet server enable 3 User interface configuration commands 3 acl (user

More information

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible

More information

Configuring Authorization

Configuring Authorization Configuring Authorization AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user

More information

Operation Manual User Access. Table of Contents

Operation Manual User Access. Table of Contents Table of Contents Table of Contents Chapter 1 PPP Configuration... 1-1 1.1 Introduction to PPP... 1-1 1.1.1 Introduction to PPP... 1-1 1.2 Configuring PPP... 1-2 1.2.1 Configuring PPP Encapsulation on

More information

Overview. RADIUS Protocol CHAPTER

Overview. RADIUS Protocol CHAPTER CHAPTER 1 The chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar as a proxy server. Cisco Access Registrar is a RADIUS

More information

Configuration - Security

Configuration - Security Release: Document Revision: 5.3 01.01 www.nortel.com NN46240-600 324564-A Rev01 Release: 5.3 Publication: NN46240-600 Document Revision: 01.01 Document status: Standard Document release date: 30 March

More information

Cisco Prime Optical 9.5 Basic External Authentication

Cisco Prime Optical 9.5 Basic External Authentication Cisco Prime Optical 9.5 Basic External Authentication June 6, 2012 This document describes the basic external authentication functionality in Cisco Prime Optical 9.5 running on a Solaris server. External

More information

Security Configuration Commands

Security Configuration Commands Table of Contents Table of Contents Chapter 1 AAA Authentication Configuration Commands...1 1.1 AAA Authentication Configuration Commands...1 1.1.1 aaa authentication enable...1 1.1.2 aaa authentication

More information

Configuring RADIUS and TACACS+

Configuring RADIUS and TACACS+ 28 CHAPTER The authentication, authorization, and accounting (AAA) mechanism verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches

More information

RADIUS Commands. Cisco IOS Security Command Reference SR

RADIUS Commands. Cisco IOS Security Command Reference SR RADIUS Commands This chapter describes the commands used to configure RADIUS. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation,

More information

Logging in through SNMP from an NMS 22 Overview 22 Configuring SNMP agent 22 NMS login example 24

Logging in through SNMP from an NMS 22 Overview 22 Configuring SNMP agent 22 NMS login example 24 Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Introduction 2 Configuration procedure 2 Logging in through Telnet 6 Introduction 6 Logging in to the switch

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Network Working Group Request for Comments: 2866 Category: Informational June 2000 Obsoletes: 2139

Network Working Group Request for Comments: 2866 Category: Informational June 2000 Obsoletes: 2139 Network Working Group C. Rigney Request for Comments: 2866 Livingston Category: Informational June 2000 Obsoletes: 2139 Status of this Memo RADIUS Accounting This memo provides information for the Internet

More information

Configuration Guide. For 802.1X VLAN Assignment and MAB. T2600G-28TS _v2_ or Above T2600G-52TS_v2_ or Above

Configuration Guide. For 802.1X VLAN Assignment and MAB. T2600G-28TS _v2_ or Above T2600G-52TS_v2_ or Above Configuration Guide For 802.1X VLAN Assignment and MAB T2600G-28TS _v2_170323 or Above T2600G-52TS_v2_1703023 or Above T2600G-28MPS_v2_170928 or Above 1910012315 REV1.0.0 December 2017 CONTENTS 1 Overview...

More information

Configuring the Management Interface and Security

Configuring the Management Interface and Security CHAPTER 5 Configuring the Management Interface and Security Revised: February 15, 2011, Introduction This module describes how to configure the physical management interfaces (ports) as well as the various

More information

H3C SecPath Series Security Products

H3C SecPath Series Security Products Web-Based Configuration Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08018U-20070625-C-2.01 Copyright 2007, Hangzhou H3C Technologies Co., Ltd. and its licensors All

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to

More information

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups Configuring a device to use authentication, authorization, and accounting (AAA) server groups provides a way to group existing server hosts. Grouping existing server hosts allows you to select a subset

More information

RADIUS Logical Line ID

RADIUS Logical Line ID The feature, also known as the Logical Line Identification (LLID) Blocking feature enables administrators to track their customers on the basis of the physical lines on which customer calls originate.

More information

H3C S12500 Series Routing Switches

H3C S12500 Series Routing Switches H3C S12500 Series Routing Switches Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: S12500-CMW710-R7128 Document version: 6W710-20121130 Copyright 2012,

More information

Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T

Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7)

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7) HP MSR Router Series Layer 2 - WAN Access Configuration Guide(V7) Part number: 5998-6465 Software version: CMW710-R0106 Document version: 6PW101-20140807 Legal and notice information Copyright 2014 Hewlett-Packard

More information

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window 9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based

More information

Configuring Authentication, Authorization, and Accounting

Configuring Authentication, Authorization, and Accounting Configuring Authentication, Authorization, and Accounting This chapter contains the following sections: Information About AAA, page 1 Prerequisites for Remote AAA, page 5 Guidelines and Limitations for

More information

Network Working Group Request for Comments: Category: Standards Track Merit W. Simpson Daydreamer June 2000

Network Working Group Request for Comments: Category: Standards Track Merit W. Simpson Daydreamer June 2000 Network Working Group Request for Comments: 2865 Obsoletes: 2138 Category: Standards Track C. Rigney S. Willens Livingston A. Rubens Merit W. Simpson Daydreamer June 2000 Status of this Memo Remote Authentication

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 39 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

PPP configuration commands

PPP configuration commands Contents PPP configuration commands 1 ip address ppp-negotiate 1 ip pool 1 link-protocol ppp 2 ppp authentication-mode 2 ppp chap password 4 ppp chap user 5 ppp ipcp remote-address forced 5 ppp pap local-user

More information

Configuring 802.1x CHAPTERS. 1. Overview x Configuration 3. Configuration Example 4. Appendix: Default Parameters

Configuring 802.1x CHAPTERS. 1. Overview x Configuration 3. Configuration Example 4. Appendix: Default Parameters CHAPTERS 1. Overview 2. 3. Configuration Example 4. Appendix: Default Parameters Overview This guide applies to: T1500G-10PS v2 or above, T1500G-8T v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 37 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Configuring DHCP Services for Accounting and Security

Configuring DHCP Services for Accounting and Security Configuring DHCP Services for Accounting and Security Cisco IOS XE software supports several capabilities that enhance DHCP security, reliability, and accounting in Public Wireless LANs (PWLANs). This

More information

Configuring Secure Shell

Configuring Secure Shell Configuring Secure Shell Last Updated: October 24, 2011 The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures

More information