RADIUS Configuration


Table of Contents

RADIUS Configuration
  Overview
    Introduction to RADIUS
    Client/Server Model
    Security and Authentication Mechanisms
    Basic Message Exchange Process of RADIUS
    RADIUS Packet Format
    Extended RADIUS Attributes
    Protocols and Standards
  Configuring RADIUS
    Configuration Task List
    Configuring the RADIUS Servers
    Configuring RADIUS Parameters
  RADIUS Configuration Example
  Configuration Guidelines

Overview

The Remote Authentication Dial-In User Service (RADIUS) protocol is used to implement Authentication, Authorization, and Accounting (AAA).

Introduction to RADIUS

RADIUS is a distributed information interaction protocol that uses the client/server model. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.

RADIUS uses UDP as its transport: its packet format and message transfer mechanism are based on UDP. It uses UDP port 1812 for authentication and 1813 for accounting.

RADIUS was originally designed for dial-in user access. As access methods diversified, RADIUS was extended to support other access methods, for example Ethernet access and ADSL access. It uses authentication and authorization to provide access services and uses accounting to collect and record usage information of network resources.

Client/Server Model

- Client: The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).
- Server: The RADIUS server runs on a computer or workstation at the network center and maintains information related to user authentication and network service access. It listens for connection requests, authenticates users, and returns the processing results (for example, rejecting or accepting the user access request) to the clients.

In general, the RADIUS server maintains three databases, namely Users, Clients, and Dictionary, as shown in Figure 1.

Figure 1 RADIUS server components

- Users: Stores user information such as usernames, passwords, applied protocols, and IP addresses.
- Clients: Stores information about RADIUS clients, such as shared keys and IP addresses.
- Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values.

Security and Authentication Mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network. This enhances the security of the information exchange. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS encrypts passwords before transmitting them.

A RADIUS server supports multiple user authentication methods, for example the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) of the Point-to-Point Protocol (PPP). Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services.

Basic Message Exchange Process of RADIUS

Figure 2 illustrates the interaction of the host, the RADIUS client, and the RADIUS server.

Figure 2 Basic message exchange process of RADIUS

RADIUS operates as follows:

1. The host initiates a connection request carrying the username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted using the Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, it sends back an Access-Accept message containing the user's authorization information. If the authentication fails, it returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting for the user.
9. The user stops accessing network resources.

RADIUS Packet Format

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the slave server mechanism. Figure 3 shows the RADIUS packet format.

Figure 3 RADIUS packet format

Descriptions of the fields are as follows:

1. The Code field (1 byte) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings.

Table 1 Main values of the Code field

Code | Packet type | Description
1 | Access-Request | From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the NAS-IP-Address, User-Password, and NAS-Port attributes.
2 | Access-Accept | From the server to the client. If all the attribute values carried in the Access-Request are acceptable, that is, the authentication succeeds, the server sends an Access-Accept response.
3 | Access-Reject | From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an Access-Reject response.
4 | Accounting-Request | From the client to the server. A packet of this type carries user information for the server to start/stop accounting for the user. It contains the Acct-Status-Type attribute, which indicates whether the server is requested to start or to end the accounting.
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has correctly started recording the accounting information.

2. The Identifier field (1 byte) is used to match request packets with response packets and to detect retransmitted request packets. The request and response packets of the same type have the same identifier.
3. The Length field (2 bytes) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. The value of the field is in the range 20 to ... . Bytes beyond the length are considered padding and are ignored upon reception. If the length of a received packet is less than that indicated by the Length field, the packet is dropped.
4. The Authenticator field (16 bytes) is used to authenticate replies from the RADIUS server, and is also used in the password hiding algorithm. There are two kinds of authenticators: the request authenticator and the response authenticator.
5. The Attribute field, which has a variable length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field is represented as triplets of Type, Length, and Value:
   - Type: One byte, in the range 1 to 255. It indicates the type of the attribute. Commonly used attributes for RADIUS authentication, authorization, and accounting are listed in Table 2.
   - Length: One byte indicating the length of the attribute in bytes, including the Type, Length, and Value fields.
   - Value: Value of the attribute, up to 253 bytes. Its format and content depend on the Type and Length fields.

Table 2 RADIUS attributes

No. | Attribute | No. | Attribute
1 | User-Name | 45 | Acct-Authentic
2 | User-Password | 46 | Acct-Session-Time
3 | CHAP-Password | 47 | Acct-Input-Packets
4 | NAS-IP-Address | 48 | Acct-Output-Packets
5 | NAS-Port | 49 | Acct-Terminate-Cause
6 | Service-Type | 50 | Acct-Multi-Session-Id
7 | Framed-Protocol | 51 | Acct-Link-Count
8 | Framed-IP-Address | 52 | Acct-Input-Gigawords
9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords
10 | Framed-Routing | 54 | (unassigned)
11 | Filter-ID | 55 | Event-Timestamp
12 | Framed-MTU | ... | (unassigned)
13 | Framed-Compression | 60 | CHAP-Challenge
14 | Login-IP-Host | 61 | NAS-Port-Type
15 | Login-Service | 62 | Port-Limit
16 | Login-TCP-Port | 63 | Login-LAT-Port
17 | (unassigned) | 64 | Tunnel-Type
18 | Reply-Message | 65 | Tunnel-Medium-Type
19 | Callback-Number | 66 | Tunnel-Client-Endpoint
20 | Callback-ID | 67 | Tunnel-Server-Endpoint
21 | (unassigned) | 68 | Acct-Tunnel-Connection
22 | Framed-Route | 69 | Tunnel-Password
23 | Framed-IPX-Network | 70 | ARAP-Password
24 | State | 71 | ARAP-Features
25 | Class | 72 | ARAP-Zone-Access
26 | Vendor-Specific | 73 | ARAP-Security
27 | Session-Timeout | 74 | ARAP-Security-Data
28 | Idle-Timeout | 75 | Password-Retry
29 | Termination-Action | 76 | Prompt
30 | Called-Station-Id | 77 | Connect-Info
31 | Calling-Station-Id | 78 | Configuration-Token
32 | NAS-Identifier | 79 | EAP-Message
33 | Proxy-State | 80 | Message-Authenticator
34 | Login-LAT-Service | 81 | Tunnel-Private-Group-id
35 | Login-LAT-Node | 82 | Tunnel-Assignment-id
36 | Login-LAT-Group | 83 | Tunnel-Preference
37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response
38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval
39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost
40 | Acct-Status-Type | 87 | NAS-Port-Id
41 | Acct-Delay-Time | 88 | Framed-Pool
42 | Acct-Input-Octets | 89 | (unassigned)
43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id
44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id

NOTE: The attribute types listed in Table 2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC ...
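The following Python script is added here as an illustration and is not part of the original manual: it encodes and parses the Code/Identifier/Length/Authenticator header and the TLV attributes described above, hides a User-Password with MD5 and the shared key as in step 2 of the message exchange, checks a reply with the Response Authenticator, and unpacks an Attribute 26 (Vendor-Specific) sub-attribute as described in the next section. The 4096-byte maximum Length is taken from RFC 2865 rather than from this page, the vendor ID in the comments is constructed, and the account hello@bbb / abc and shared key expert are the values used in the configuration example later on this page.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
MAX_LENGTH = 4096  # upper bound of the Length field (RFC 2865), not stated on this page


def _md5_stream(data, secret, request_auth, chain_on_output):
    """Core of User-Password hiding: XOR each 16-byte block with MD5(secret + previous
    block); the first 'previous block' is the Request Authenticator, so every
    request gets a different keystream even for the same password and key."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]  # always chain on the hidden bytes
    return out

def hide_password(password, secret, request_auth):
    """Client side: zero-pad to a multiple of 16 bytes, then apply the keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return _md5_stream(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    """Server side: same keystream, chained on the received blocks; the zero padding
    is stripped, so a password that itself ends in NUL bytes would lose them."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    return _md5_stream(hidden, secret, request_auth, False).rstrip(b"\x00")

def encode_attrs(attrs):
    """Type (1 byte) | Length (1 byte, counting Type and Length) | Value (up to 253 bytes)."""
    out = b""
    for typ, val in attrs:
        if not 1 <= typ <= 255 or len(val) > 253:
            raise ValueError("attribute type or value length out of range")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    if 20 + len(body) > MAX_LENGTH:
        raise ValueError("packet exceeds %d bytes" % MAX_LENGTH)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code | Identifier | Length | Request Authenticator | Attributes | shared key)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def parse_packet(data):
    """Length rules from the text: a datagram shorter than Length is dropped, bytes
    beyond Length are padding and ignored. Returns (code, identifier, authenticator, attrs)."""
    if len(data) < 20:
        raise ValueError("dropped: shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= MAX_LENGTH or len(data) < length:
        raise ValueError("dropped: Length %d invalid for a %d-byte datagram" % (length, len(data)))
    return code, ident, data[4:20], decode_attrs(data[20:length])

def verify_response(data, request_auth, secret):
    """Client side: trust a reply only if its authenticator was computed with the same
    shared key over the Request Authenticator the client sent."""
    code, ident, auth, attrs = parse_packet(data)
    return hmac.compare_digest(auth, response_authenticator(code, ident, attrs, request_auth, secret))

def parse_vsa(value):
    """Attribute 26 value: Vendor-ID (4 bytes, high byte 0) followed by Vendor-Type /
    Vendor-Length / Vendor-Data sub-attributes in the same TLV form (vendor IDs here are constructed)."""
    if len(value) < 4 or value[0] != 0:
        raise ValueError("Vendor-ID must be 4 bytes with a zero high byte")
    return struct.unpack("!I", value[:4])[0], decode_attrs(value[4:])

def exchange(username, password, secret, users, ident=7):
    """One in-memory Access-Request / Access-Accept|Reject round trip (steps 2 and 3 of
    the message exchange). Returns (response code, client-side authenticator check)."""
    request_auth = os.urandom(16)  # fresh Request Authenticator for every request
    req = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth))])
    code, rid, rauth, attrs = parse_packet(req)  # from here on: the server's view
    got = dict(attrs)
    ok = code == ACCESS_REQUEST and users.get(got.get(USER_NAME)) == reveal_password(got[USER_PASSWORD], secret, rauth)
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp = build_packet(rcode, rid, response_authenticator(rcode, rid, [], rauth, secret), [])
    return parse_packet(resp)[0], verify_response(resp, request_auth, secret)
```

Note that hiding only covers the User-Password attribute; the rest of the packet travels in the clear, which is why the shared key and the Response Authenticator are what protect the reply.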

Extended RADIUS Attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide. A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets to extend its applications. As shown in Figure 4, a sub-attribute that can be encapsulated in Attribute 26 consists of the following four parts:

- Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC ... . The vendor ID of H3C is ... .
- Vendor-Type: Indicates the type of the sub-attribute.
- Vendor-Length: Indicates the length of the sub-attribute.
- Vendor-Data: Indicates the contents of the sub-attribute.

Figure 4 Segment of a RADIUS packet containing an extended attribute

Protocols and Standards

The protocols and standards related to RADIUS include:

- RFC 2865: Remote Authentication Dial In User Service (RADIUS)
- RFC 2866: RADIUS Accounting
- RFC 2867: RADIUS Accounting Modifications for Tunnel Protocol Support
- RFC 2868: RADIUS Attributes for Tunnel Protocol Support
- RFC 2869: RADIUS Extensions

Configuring RADIUS

Configuration Task List

NOTE: The RADIUS scheme configured through the Web interface is named system. By default, there is no RADIUS scheme named system on the device. When you select any item under User > RADIUS from the navigation tree to enter the page of that item, the system automatically creates a scheme named system.

Table 3 lists the RADIUS configuration steps:

Table 3 RADIUS configuration steps

Task: Configuring the RADIUS Servers
    The authentication server configuration is required, while the accounting server configuration is optional. This section describes how to specify the primary and secondary RADIUS authentication/accounting servers. By default, no server is specified.
    IMPORTANT: It is recommended to configure only the primary RADIUS authentication/accounting server if no backup is needed.

Task: Configuring RADIUS Parameters
    Optional. This section describes how to configure the parameters that are necessary for information exchange between the device and the RADIUS server.

Configuring the RADIUS Servers

From the navigation tree, select User > RADIUS > Server Configuration to enter the RADIUS server configuration interface, as shown in Figure 5.

Figure 5 RADIUS server configuration

Table 4 lists the RADIUS server configuration items.

Table 4 RADIUS server configuration

Server Type
    Type of the RADIUS server to be configured: Authentication Server or Accounting Server.

Primary Server IP
    IP address of the primary server. If no primary server is specified, the text box displays ... . If you enter ..., the previously configured primary server is removed. The IP address of the primary server cannot be the same as that of the secondary server.

Primary Server UDP Port
    UDP port of the primary server. Before you specify the IP address of the primary server or after you remove the primary server IP address, the port number is 1812 for authentication or 1813 for accounting. As RADIUS uses different UDP ports for authentication and accounting, you need to specify different UDP ports for the two functions.

Primary Server Status
    Status of the primary server: Active (the server is working normally) or Blocked (the server is down). Before you specify the IP address of the primary server or after you remove the primary server IP address, the status is blocked.

Secondary Server IP
    IP address of the secondary server. If no secondary server is specified, the text box displays ... . If you enter ..., the previously configured secondary server is removed. The IP address of the secondary server cannot be the same as that of the primary server.

Secondary Server UDP Port
    UDP port of the secondary server. Before you specify the IP address of the secondary server or after you remove the secondary server IP address, the port number is 1812 for authentication or 1813 for accounting. As RADIUS uses different UDP ports for authentication and accounting, you need to specify different UDP ports for the two functions.

Secondary Server Status
    Status of the secondary server: Active (the server is working normally) or Blocked (the server is down). If the IP address of the secondary server is not specified or the specified IP address is removed, the status is blocked.

Configuring RADIUS Parameters

From the navigation tree, select User > RADIUS > Parameter Configuration to enter the RADIUS parameter configuration interface, as shown in Figure 6.

Figure 6 RADIUS parameter configuration

Table 5 lists the RADIUS parameters.

Table 5 RADIUS parameters

Server Type
    Select the type of RADIUS server supported by the device:
    - extended: Specifies an extended RADIUS server (usually a CAMS or imc server). That is, the RADIUS client and RADIUS server communicate using the proprietary RADIUS protocol and packet format.
    - standard: Specifies a standard RADIUS server. That is, the RADIUS client and RADIUS server communicate using the standard RADIUS protocol and packet format defined in RFC 2138/2139 or later.

Authentication Server Shared Key / Confirm Authentication Shared Key / Accounting Server Shared Key / Confirm Accounting Shared Key
    Specify the shared key for RADIUS authentication packets and the shared key for RADIUS accounting packets. The RADIUS client and the RADIUS authentication/accounting server use MD5 to encrypt RADIUS packets, and they verify the validity of packets through the specified shared key. Only if the shared key of the client and that of the server are the same will the client and server accept and respond to each other's packets.
    IMPORTANT: The shared keys specified on the device must be consistent with those configured on the RADIUS servers.

NAS-IP
    Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server. It is recommended to use a loopback interface address rather than a physical interface address as the source IP address, because if the physical interface is down, the response packets from the server cannot reach the device.

Timeout Interval
    Set the RADIUS server response timeout.

Timeout Retransmission Times
    Set the maximum number of transmission attempts.
    IMPORTANT: The product of the timeout interval and the number of retransmission attempts is bounded by the timeout time of the access module and cannot exceed 75 seconds. For example, the timeout time of voice access is 10 seconds and that of Telnet access is 30 seconds, so the product must be less than 10 seconds for voice access and less than 30 seconds for Telnet access (exclusive); otherwise, stop-accounting packets cannot be buffered and the primary and secondary servers cannot switch over normally.

Realtime-Accounting Interval
    Set the real-time accounting interval, whose value must be n times 3 (n is an integer). To implement real-time accounting for users, you must set the real-time accounting interval. After this parameter is specified, the device sends the accounting information of online users to the RADIUS server at the specified interval. The value of the real-time accounting interval depends on the performance requirements of the NAS and the RADIUS server: the smaller the value, the higher the requirement. It is recommended to set a large value if the number of users is equal to or larger than ... . Table 6 shows the relationship between the interval value and the number of users.

Realtime-Accounting Packet Retransmission Times
    Set the maximum number of real-time accounting request retransmissions. When the number of real-time accounting requests sent by the device to the RADIUS server without a response exceeds this number, the device cuts off the user connection.

Stop-Accounting Buffer
    Enable or disable buffering on the device of stop-accounting requests that receive no response. If the device does not receive a response to a stop-accounting request from the RADIUS server and stop-accounting buffering is enabled, the device buffers the request and retransmits it to the RADIUS server repeatedly until it receives a response or, when the maximum number specified by the Stop-Accounting Packet Retransmission Times parameter is reached, drops the request.

Stop-Accounting Packet Retransmission Times
    Set the maximum number of transmission attempts after no response is received for a stop-accounting packet.

Quiet Interval
    Specify the interval the RADIUS servers have to wait before becoming active.

Username Format
    Set the format of the username sent to the RADIUS server. A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which a user belongs. If a RADIUS server (for example, a RADIUS server of some early version) does not accept a username that includes an ISP domain name, you can configure the device to remove the domain name from a username before sending it to the RADIUS server.
    - without-domain: Remove the domain name from a username before sending it to the RADIUS server.
    - with-domain: Keep the domain name in a username sent to the RADIUS server.
    IMPORTANT: If you specify the username format as without-domain in a RADIUS scheme, do not apply the scheme to two or more ISP domains. Otherwise, the RADIUS server will consider two users with the same user ID but in different domains to be the same user, because the usernames sent to the RADIUS server are identical.

Unit for Data Flows
    Specify the unit for data flows sent to the RADIUS server: byte, kilo-byte, mega-byte, or giga-byte.
    IMPORTANT: The unit in which the device sends data flows to the RADIUS server must be consistent with that specified on the RADIUS server. Otherwise, the accounting results will be incorrect.

Unit for Packets
    Specify the unit for data packets sent to the RADIUS server: one-packet, kilo-packet, mega-packet, or giga-packet.
    IMPORTANT: The unit in which the device sends packets to the RADIUS server must be consistent with that specified on the RADIUS server. Otherwise, the accounting results will be incorrect.

EAP Offload Function
    Enable or disable the EAP offload function. Some RADIUS servers do not support EAP authentication, that is, they cannot process EAP packets, so EAP packets sent from clients must be preprocessed on the access device. This preprocessing of EAP packets is referred to as EAP offload for RADIUS. After receiving an EAP packet, an access device with the EAP offload function enabled first converts the authentication information in the EAP packet into the corresponding RADIUS attributes through the local EAP server, then encapsulates the EAP packet into a RADIUS request and sends the request to the RADIUS server for authentication. When the RADIUS server receives the request, it analyzes the carried authentication information, encapsulates the authentication result in the RADIUS packet, and sends the packet to the local EAP server on the access device for subsequent interaction with the client.
    IMPORTANT: Because EAP packet preprocessing is implemented through the local EAP authentication server, you must configure the local EAP authentication server on the access device, specifying the EAP authentication method as PEAP-MSCHAPv2.

Table 6 Relationship between the real-time accounting interval and the number of users

Number of users | Real-time accounting interval (in minutes)
1 to ... | ...
... to ... | ...
... to ... | ...
≥ 1000 | ≥ 15

RADIUS Configuration Example

Network requirements

As shown in Figure 7, the Telnet user is connected to the device and the device to the RADIUS server. Run the CAMS/iMC Server on the RADIUS server to provide authentication, authorization, and accounting services for Telnet users. The IP address of the RADIUS server is .../24. Set the shared keys for authentication, authorization, and accounting packets exchanged between the device and the RADIUS server to expert, and specify the ports for authentication/authorization and accounting as 1812 and 1813 respectively.

Specify that a username sent to the RADIUS server carries the domain name. Add an account on the RADIUS server, with the username hello@bbb and the password abc. Configure the Telnet user who logs in with this account to be authorized with privilege level 3.

Figure 7 Network diagram for RADIUS configuration (Telnet user, Device with interfaces GE0/..., RADIUS server, Internet)

Configuration procedure

Step 1: Configure the RADIUS server

When the RADIUS server runs CAMS:

NOTE: This example assumes that the RADIUS server runs CAMS Server Version 2.10-R0210.

# Add an access device.

Log into the CAMS management platform and select System Management > System Configuration from the navigation tree. In the System Configuration window, click Modify of the Access Device item, and then click Add to enter the Add Access Device window and perform the following configurations, as shown in Figure 8:

Figure 8 Add an access device

- Specify the IP address of the device as ... .
- Set both the shared keys for authentication and accounting packets to expert.
- Select Device Management Service as the service type.
- Specify the ports for authentication and accounting as 1812 and 1813 respectively.

- Select Extensible Protocol as the protocol type.
- Select Standard as the RADIUS packet type.
- Click OK.

# Add a user for device management.

From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account window and perform the following configurations, as shown in Figure 9:

Figure 9 Add an account for device management

- Add a user named hello@bbb.
- Specify the password as abc and confirm the password.
- Select Telnet as the service type.
- Set the EXEC privilege level to 3. This value identifies the privilege level of the Telnet user after login, which is 0 by default.
- Specify the IP address range of the hosts to be managed as ... to ..., and click Add.
- Click OK to finish the operation.

When the RADIUS server runs imc:

NOTE: This example assumes that the RADIUS server runs imc PLAT 3.20-R2602 and imc UAM 3.60-E6102.

# Add an access device.

Log into the imc management platform, select the Service tab, and select Access Service > Service Configuration from the navigation tree to enter the Service Configuration page. Then click Add to enter the Add Access Device page and perform the following configurations, as shown in Figure 10:

Figure 10 Add an access device

- Set the shared keys for authentication and accounting packets to expert.
- Specify the ports for authentication and accounting as 1812 and 1813 respectively.
- Select Device Management Service as the service type.
- Select H3C as the access device type.
- Select the access device from the device list or manually add the device with the IP address ... .
- Click OK to finish the operation.

NOTE: The IP address of the access device must be the same as the source IP address of the RADIUS packets sent from the device. By default, the source IP address of a RADIUS packet is the IP address of the interface through which the packet is sent out.

# Add a user for device management.

Log into the imc management platform, select the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then click Add to enter the Add Device Management User page and perform the following configurations, as shown in Figure 11:

Figure 11 Add an account for device management

- Add a user named hello@bbb.
- Specify the password as abc and confirm the password.
- Select Telnet as the service type.
- Set the EXEC privilege level to 3. This value identifies the privilege level of the Telnet user after login, which is 0 by default.
- Click Add in the IP address list of managed devices, and then specify the IP address range of the hosts to be managed as ... to ... .
- Click OK to finish the operation.

NOTE: The IP address range of the hosts to be managed must contain the IP address of the access device added.

Step 2: Configure the device

# Configure the IP address and security zone of each interface. (Omitted)

# Configure the RADIUS authentication and accounting servers.

From the navigation tree, select User > RADIUS > Server Configuration. Perform the configurations shown in Figure 12 and Figure 13.

Figure 12 Configure the RADIUS authentication server

Figure 13 Configure the RADIUS accounting server

- Select Authentication Server as the server type.
- Enter ... as the IP address of the primary server, and 1812 as the UDP port.
- Select active as the primary server status.
- Click Apply to finish the configuration.
- Select Accounting Server as the server type.
- Enter ... as the IP address of the primary server, and 1813 as the UDP port.
- Select active as the primary server status.
- Click Apply to finish the configuration.

# Configure the parameters for communication between the device and the RADIUS server.

From the navigation tree, select User > RADIUS > Parameter Configuration. Perform the configurations shown in Figure 14:

Figure 14 Configure the scheme for communication between the device and the RADIUS server

- Select extended as the server type.
- Select the Authentication Server Shared Key check box and enter expert in the text box.
- Enter expert in the Confirm Authentication Shared Key text box.
- Select the Accounting Server Shared Key check box and enter expert in the text box.
- Enter expert in the Confirm Accounting Shared Key text box.
- Select with-domain for the username format.
- Click Apply to finish the configuration.

Perform the following configuration in the command line interface of the device:

# Enable the Telnet service on the device.
[Device] telnet server enable

# Configure the device to use AAA for Telnet users.
[Device] user-interface vty 0 4
[Device-ui-vty0-4] authentication-mode scheme
[Device-ui-vty0-4] quit

# Configure the AAA methods for domain bbb. As RADIUS authorization information is sent to the RADIUS client in the authentication response messages, be sure to reference the same scheme for user authentication and authorization.
[Device] domain bbb
[Device-isp-bbb] authentication login radius-scheme system

[Device-isp-bbb] authorization login radius-scheme system
[Device-isp-bbb] accounting login radius-scheme system
[Device-isp-bbb] quit

// You can achieve the same result by configuring default AAA methods for all types of users in domain bbb. (You can use either approach as needed.)
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme system
[Device-isp-bbb] authorization default radius-scheme system
[Device-isp-bbb] accounting default radius-scheme system

Verification

After the above configuration, the Telnet user should be able to telnet to the device and use the configured account (username hello@bbb and password abc) to enter the user interface of the device, and access all the commands of level 0 to level 3.

Configuration Guidelines

When configuring the RADIUS client, note that:

1. The specified server status is dynamic information, which cannot be saved in the configuration file. After the device reboots, the status of the servers becomes active.
2. At present, RADIUS does not support accounting for FTP users.
3. If the accounting server in use by online users is removed, the device cannot send real-time accounting requests and stop-accounting messages for those users to the server, and the stop-accounting messages are not buffered locally.
4. The system allows you to configure multiple secondary servers for a RADIUS scheme through the CLI. On the web interface, the system displays the first secondary server in the scheme system. When you configure a secondary server on the web interface:
   - If the specified IP address is ..., all secondary servers in the scheme system are deleted.
   - If the specified IP address is not ... and does not conflict with the IP addresses of the existing secondary servers, the first secondary server in the scheme is replaced by the one you specified.
   - If the specified IP address is not ... and conflicts with the IP address of an existing secondary server, the configuration fails.
5. For the primary and secondary servers (assuming only one secondary server exists) in a RADIUS scheme, the device follows these rules to exchange packets with the servers:
   - If the primary server and the secondary server are in the same state, the device communicates with the primary server.
   - If both the primary server and the secondary server are in active state, the device communicates with the primary server. When the primary server becomes unavailable, the device sets the server's status to block and turns to the secondary server for communication. When the quiet timer expires, the device restores the status of the primary server to active while keeping the status of the secondary server unchanged. In the case of authentication/authorization, the device resumes communication with the primary server; in the case of accounting, however, the device keeps communicating with the secondary server regardless of whether the primary server recovers.
   - If one server is in active state and the other is in block state, the device only tries to communicate with the server in active state, even if that server is unavailable.
   - If both the primary server and the secondary server are in block state, the device only communicates with the primary server. In this case, if the primary server is available or becomes available, the device changes the primary server's status to active. To use the secondary server for communication, you need to manually change the status of the secondary server to active; otherwise, no primary/secondary server switchover takes place.
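As an added illustration of guideline 5 (not part of the original manual, and a model of the stated rules rather than H3C device code), the following Python class tracks the primary/secondary status through the events described above; the rule that accounting stays on the secondary server after a switchover is represented by an explicit flag, which is a modelling assumption.

```python
ACTIVE, BLOCKED = "active", "blocked"


class RadiusScheme:
    """Primary/secondary selection as described in the Configuration Guidelines."""

    def __init__(self):
        # Both servers start active; this is also the state after a device reboot.
        self.status = {"primary": ACTIVE, "secondary": ACTIVE}
        self.accounting_on_secondary = False  # assumption: how 'accounting keeps the secondary' is remembered

    def select(self, service):
        """Which server the device talks to for 'authentication' or 'accounting'."""
        p, s = self.status["primary"], self.status["secondary"]
        if p == s:
            # Same state (both active or both blocked): the primary, except that
            # accounting which already moved to the secondary stays there.
            if service == "accounting" and p == ACTIVE and self.accounting_on_secondary:
                return "secondary"
            return "primary"
        # Exactly one active server: only that one is tried, even if it does not answer.
        return "primary" if p == ACTIVE else "secondary"

    def no_response(self, server):
        """The server selected for a request did not answer."""
        if server == "primary" and self.status["primary"] == ACTIVE and self.status["secondary"] == ACTIVE:
            self.status["primary"] = BLOCKED  # switch over to the secondary
            self.accounting_on_secondary = True
        # Any other combination: status unchanged, the device keeps trying the active one.

    def quiet_timer_expired(self):
        """The primary goes back to active; the secondary's status is left as is."""
        self.status["primary"] = ACTIVE

    def primary_reachable(self):
        """With both servers blocked, a primary that answers is marked active again."""
        if self.status["primary"] == BLOCKED and self.status["secondary"] == BLOCKED:
            self.status["primary"] = ACTIVE

    def set_status(self, server, status):
        """Manual change from the web interface or CLI (e.g. to re-enable the secondary)."""
        self.status[server] = status
```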

Configuring RADIUS and TACACS+

Configuring RADIUS and TACACS+ 28 CHAPTER The authentication, authorization, and accounting (AAA) mechanism verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches

More information