
HP A 5120 Manual


Page 11

AAA configuration 
AAA overview 
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
- Authentication—Identifies users and determines whether a user is valid.
- Authorization—Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print...

Page 12

RADIUS 
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in...

Page 13

[Figure 3: RADIUS basic message exchange process]
RADIUS operates in the following manner:
1. The host initiates a connection request carrying the username and password to the RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the...

Page 14

[Figure 4: RADIUS packet format]
Descriptions of the fields are as follows:
1. The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
Code | Packet type    | Description
1    | Access-Request | From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.
2...

Page 15

5. The Attribute field, with a variable length, carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field contains multiple attributes, and each attribute is represented in triplets of Type, Length, and Value.
- Type (1 byte long)—Indicates the type of the attribute. It is in the range 1 to 255. See Table 2 for commonly used attributes for RADIUS authentication, authorization and...
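An added example (not code from the HP manual) that puts the Access-Request layout above into practice: it builds the header (Code, Identifier, Length, Authenticator) and Type/Length/Value attributes, hides the User-Password with MD5 and the shared key the way RFC 2865 specifies for step 2 of the exchange, and parses a packet back while rejecting inconsistent Length fields. The shared key, authenticator and credentials used with it are constructed test values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1                                  # Code field value (Table 1)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5   # attribute Types

def hide_password(password: bytes, shared_key: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(key + previous block)."""
    pad = (-len(password)) % 16
    padded = password + b"\x00" * (pad if password else 16)
    out, prev = bytearray(), authenticator          # first block keyed by Request Authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(shared_key + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += block
        prev = block                                # chain on the hidden block
    return bytes(out)

def reveal_password(hidden: bytes, shared_key: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(shared_key + prev).digest()
        out += bytes(h ^ d for h, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """One Type/Length/Value triplet; Length (1 byte) includes its own 2 header bytes."""
    if not 1 <= atype <= 255 or len(value) > 253:
        raise ValueError("attribute Type or Value out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data: bytes) -> dict:
    """Parse the header and attribute triplets, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4]) if len(data) >= 4 else (0, 0, 0)
    if not 20 <= length <= len(data):
        raise ValueError("packet shorter than the header or Length field inconsistent")
    attrs, pos = [], 20
    while pos < length:
        alen = data[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute truncated or Length out of bounds")
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": ident, "authenticator": data[4:20], "attrs": attrs}
```

A real client draws the 16-byte Request Authenticator from a cryptographic random source; the MD5-based hiding only protects the password against casual sniffing, which is why the later Message-Authenticator attribute (Table 2, No. 80) and a strong shared key matter.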

Page 16

No. | Attribute             | No. | Attribute
27  | Session-Timeout       | 74  | ARAP-Security-Data
28  | Idle-Timeout          | 75  | Password-Retry
29  | Termination-Action    | 76  | Prompt
30  | Called-Station-Id     | 77  | Connect-Info
31  | Calling-Station-Id    | 78  | Configuration-Token
32  | NAS-Identifier        | 79  | EAP-Message
33  | Proxy-State           | 80  | Message-Authenticator
34  | Login-LAT-Service     | 81  | Tunnel-Private-Group-id
35  | Login-LAT-Node        | 82  | Tunnel-Assignment-id
36  | Login-LAT-Group       | 83  | Tunnel-Preference
37  | Framed-AppleTalk-Link | 84  | ARAP-Challenge-Response
38...

Page 17

[Figure 5: Segment of a RADIUS packet containing an extended attribute]
HWTACACS
HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.
HWTACACS mainly provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users. In a typical...

Page 18

[Figure 6: HWTACACS basic message exchange process for a Telnet user]
Here is the process: 
1. A Telnet user sends an access request to the HWTACACS client.  
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the 
HWTACACS server. 
3. The HWTACACS server sends back an authentication response to request the username.  
4. Upon receiving the response, the HWTACACS client asks the user for the username. 
5. The user inputs the username. 
6. After receiving the...

Page 19

9. The user inputs the password. 
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a 
continue-authentication packet that carries the login password. 
11. The HWTACACS server sends back an authentication response to indicate that the user has passed 
authentication. 
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server. 
13. The HWTACACS server sends back the authorization response, indicating that the user is now 
authorized....

Page 20

For a user who has logged in to the device, AAA provides the following services to enhance device security:
- Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, ensuring that login users execute only commands they are authorized to execute. For more information about command authorization, see the Fundamentals Configuration Guide.
- Command...