
from the clients within the management range. A shared key is used to ensure secure communication between a RADIUS client and the RADIUS server.
• RADIUS authentication and authorization. RADIUS accounting is not supported.
Upon receiving a RADIUS packet, a device working as the RADIUS server checks whether the sending client is under its management. If yes, it verifies the packet validity by using the shared key, checks whether there is an account with the username, whether the password is correct, and whether the user attributes meet the requirements defined on the RADIUS server (for example, whether the account has expired). Then, the RADIUS server assigns the corresponding authority to the client if the authentication succeeds, or denies the client if the authentication fails.
NOTE:
The UDP port number for RADIUS authentication is 1812 in the standard RADIUS protocol, but is 1645 on HP devices. Specify 1645 as the authentication port number when you use an HP device as a RADIUS client.
Protocols and standards
The following protocols and standards are related to AAA, RADIUS, and HWTACACS:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS
RADIUS attributes
Commonly used standard RADIUS attributes
No.  Attribute: Description
1  User-Name: Name of the user to be authenticated.
2  User-Password: User password for PAP authentication, present only in Access-Request packets in PAP authentication mode.
3  CHAP-Password: Digest of the user password for CHAP authentication, present only in Access-Request packets in CHAP authentication mode.
4  NAS-IP-Address: IP address for the server to identify a client. Usually, a client is identified by the IP address of the access interface on the NAS, namely the NAS IP address. This attribute is present in only Access-Request packets.
5  NAS-Port: Physical port of the NAS that the user accesses.
6  Service-Type: Type of service that the user has requested or type of service to be provided.
7  Framed-Protocol: Encapsulation protocol.
8  Framed-IP-Address: IP address to be configured for the user.
11  Filter-ID: Name of the filter list.
12  Framed-MTU: Maximum transmission unit (MTU) for the data link between the user and the NAS. For example, with 802.1X EAP authentication, the NAS uses this attribute to notify the server of the MTU for EAP packets, so as to avoid oversized EAP packets.
14  Login-IP-Host: IP address of the NAS interface that the user accesses.
15  Login-Service: Type of the service that the user uses for login.
18  Reply-Message: Text to be displayed to the user, which can be used by the server to indicate, for example, the reason for the authentication failure.
26  Vendor-Specific: Vendor-specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes.
27  Session-Timeout: Maximum duration of service to be provided to the user before termination of the session.
28  Idle-Timeout: Maximum idle time permitted for the user before termination of the session.
31  Calling-Station-Id: User identification that the NAS sends to the server. With the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.
32  NAS-Identifier: Identification that the NAS uses for indicating itself.
40  Acct-Status-Type: Type of the Accounting-Request packet. Possible values are as follows: 1—Start; 2—Stop; 3—Interim-Update; 4—Reset-Charge; 7—Accounting-On (defined in 3GPP, the 3rd Generation Partnership Project); 8—Accounting-Off (defined in 3GPP); 9 to 14—Reserved for tunnel accounting; 15—Reserved for failed.
45  Acct-Authentic: Authentication method used by the user. Possible values are as follows: 1—RADIUS; 2—Local; 3—Remote.
60  CHAP-Challenge: CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.
61  NAS-Port-Type: Type of the physical port of the NAS that is authenticating the user. Possible values are as follows: 15—Ethernet; 16—Any type of ADSL; 17—Cable (with cable for cable TV); 201—VLAN; 202—ATM. If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.
79  EAP-Message: Used for encapsulating EAP packets to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol.
80  Message-Authenticator: Used for authentication and checking of authentication packets to prevent spoofing Access-Requests. This attribute is used when RADIUS supports EAP authentication.
87  NAS-Port-Id: String for describing the port of the NAS that is authenticating the user.
     
HP proprietary RADIUS sub-attributes
No.  Sub-attribute: Description
1  Input-Peak-Rate: Peak rate in the direction from the user to the NAS, in bps.
2  Input-Average-Rate: Average rate in the direction from the user to the NAS, in bps.
3  Input-Basic-Rate: Basic rate in the direction from the user to the NAS, in bps.
4  Output-Peak-Rate: Peak rate in the direction from the NAS to the user, in bps.
5  Output-Average-Rate: Average rate in the direction from the NAS to the user, in bps.
6  Output-Basic-Rate: Basic rate in the direction from the NAS to the user, in bps.
15  Remanent_Volume: Remaining, available total traffic of the connection, in different units for different server types.
20  Command: Operation for the session, used for session control. Possible values are as follows: 1—Trigger-Request; 2—Terminate-Request; 3—SetPolicy; 4—Result; 5—PortalClear.
24  Control_Identifier: Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value; for retransmitted packets of different sessions, this attribute may take the same value. The client response to a retransmitted packet must also carry this attribute, and the value of the attribute must be the same. For Accounting-Request packets of the start, stop, and interim update types, the Control-Identifier attribute, if present, makes no sense.
25  Result_Code: Result of the Trigger-Request or SetPolicy operation. A value of zero means the operation succeeded; any other value means the operation failed.
26  Connect_ID: Index of the user connection.
28  Ftp_Directory: Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client.
29  Exec_Privilege: Priority of the EXEC user.
59  NAS_Startup_Timestamp: Startup time of the NAS in seconds, represented by the time elapsed since 00:00:00 on Jan. 1, 1970 (UTC).
60  Ip_Host_Addr: IP address and MAC address of the user carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.
61  User_Notify: Information that needs to be sent from the server to the client transparently.
62  User_HeartBeat: Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets.
140  User_Group: User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semicolons. This attribute is used for cooperation with the SSL VPN device.
141  Security_Level: Security level assigned after the SSL VPN user passes security authentication.
201  Input-Interval-Octets: Bytes input within a real-time accounting interval.
202  Output-Interval-Octets: Bytes output within a real-time accounting interval.
203  Input-Interval-Packets: Packets input within an accounting interval, in the unit set on the device.
204  Output-Interval-Packets: Packets output within an accounting interval, in the unit set on the device.
205  Input-Interval-Gigawords: Result of bytes input within an accounting interval divided by 4G bytes.
206  Output-Interval-Gigawords: Result of bytes output within an accounting interval divided by 4G bytes.
207  Backup-NAS-IP: Backup source IP address for sending RADIUS packets.
255  Product_ID: Product name.
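The following Python script is an added example, not code from the HP manual or from the device, showing on a wire-format Access-Request the server-side checks described at the top of this section and the attribute layouts of the tables above: attributes are parsed as type/length/value triples, a Vendor-Specific (26) attribute is unpacked into its sub-attributes, the Message-Authenticator (80) is verified with the shared key (HMAC-MD5 per RFC 2869), the User-Password (2) is decoded with the RFC 2865 MD5 scheme, and the account is checked before an Access-Accept or Access-Reject with a Response Authenticator is built. The client table, the accounts, the key, and VENDOR_ID_PLACEHOLDER are constructed values for the example; a real NAS puts its vendor's IANA enterprise number in the VSA.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attribute numbers used here (RFC 2865 / RFC 2869 numbering).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 1, 2, 26, 80
VENDOR_ID_PLACEHOLDER = 99999   # constructed placeholder, not a real enterprise number


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: type (1 byte), length (1 byte, header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> list:
    """Walk the TLV list and reject lengths that run past the buffer."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def parse_vsa(value: bytes) -> tuple:
    """Vendor-Specific value: 4-byte vendor id, then vendor-type/length/data triples."""
    return struct.unpack("!I", value[:4])[0], parse_attributes(value[4:])


def xor_password(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: 16-byte blocks XORed with MD5(secret + previous cipher block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, key))
        out += mixed
        prev = block if decrypt else mixed   # chaining always uses the ciphertext block
    return out


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_password(padded, secret, req_auth, decrypt=False)


def decode_user_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return xor_password(encoded, secret, req_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, vsas=()):
    """Client side: User-Name, User-Password, optional VSAs, then Message-Authenticator."""
    req_auth = os.urandom(16)
    body = attr(USER_NAME, username)
    body += attr(USER_PASSWORD, encode_user_password(password, secret, req_auth))
    for vtype, vdata in vsas:
        body += attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_PLACEHOLDER) + attr(vtype, vdata))
    body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)          # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the packet with the attribute value zeroed; constant-time compare."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        if alen < 2:
            return False
        pos += alen
    return False   # attribute absent: treated as invalid here


def build_response(code, ident, req_auth, secret, body=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def handle_access_request(src_ip, pkt, clients, accounts):
    """Server side, in the order the text lists the checks. Returns (response or None, reason)."""
    secret = clients.get(src_ip)                     # is the sending client under management?
    if secret is None:
        return None, "client not under management; packet silently discarded"
    if len(pkt) < 20:
        return None, "packet shorter than the RADIUS header"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return None, "not a well-formed Access-Request"
    req_auth = pkt[4:20]
    if not verify_message_authenticator(pkt, secret):   # validity check with the shared key
        return None, "Message-Authenticator check failed (wrong shared key or altered packet)"
    fields = {t: v for t, v in parse_attributes(pkt[20:]) if t != VENDOR_SPECIFIC}
    reject = build_response(ACCESS_REJECT, ident, req_auth, secret)
    account = accounts.get(fields.get(USER_NAME))
    if account is None:
        return reject, "no such account"
    if account["expired"]:
        return reject, "account expired"
    supplied = decode_user_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    if not hmac.compare_digest(supplied, account["password"]):
        return reject, "wrong password"
    return build_response(ACCESS_ACCEPT, ident, req_auth, secret), "authenticated"
```

A packet from a source address that is not in the client table is dropped without a reply, as the text describes, and a packet whose Message-Authenticator does not verify is treated the same way, so a wrong shared key on either side shows up as silence rather than as an Access-Reject.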
     
AAA configuration considerations and task list
To configure AAA, you must complete these tasks on the NAS:
1. Configure the required AAA schemes.
   • Local authentication—Configure local users and the related attributes, including the usernames and passwords of the users to be authenticated.
   • Remote authentication—Configure the required RADIUS and HWTACACS schemes, and configure user attributes on the servers accordingly.
2. Configure AAA methods for the users' ISP domains.
   • Authentication method—No authentication (none), local authentication (local), or remote authentication (scheme)
   • Authorization method—No authorization (none), local authorization (local), or remote authorization (scheme)
   • Accounting method—No accounting (none), local accounting (local), or remote accounting (scheme)
Figure 9 AAA configuration diagram
[Figure 9 (diagram): Local AAA: configure local users and related attributes. Remote AAA: configure the RADIUS and HWTACACS schemes to be referenced. No AAA: no scheme. In all cases, create an ISP domain and enter its view, then configure the AAA methods: authentication method none, local (default method), or scheme; authorization method none/local/scheme; accounting method none/local/scheme.]

Table 4 AAA configuration task list
Configuring AAA schemes (complete at least one task):
  • Configuring local users (Required)
  • Configuring RADIUS schemes (Required)
  • Configuring HWTACACS schemes (Required)
Configuring AAA methods for ISP domains:
  • Creating an ISP domain (Required)
  • Configuring ISP domain attributes (Optional)
  • Configuring AAA authentication methods for an ISP domain (Required, complete at least one task)
  • Configuring AAA authorization methods for an ISP domain (Required, complete at least one task)
  • Configuring AAA accounting methods for an ISP domain (Required, complete at least one task)
Tearing down user connections forcibly (Optional)
Configuring a network device as a RADIUS server (Optional)
Displaying and maintaining AAA (Optional)

NOTE:
For login users, you must configure the login authentication mode for the user interfaces as scheme before performing the above configurations. For more information, see the Fundamentals Configuration Guide.
Configuring AAA schemes
Configuring local users
For local authentication, you must create local users and configure user attributes on the device in advance. The local users and attributes are stored in the local user database on the device. A local user is uniquely identified by a username. Configurable local user attributes are as follows:
• Service type
Types of services that the user can use. Local authentication checks the service types of a local user. If none of the service types is available, the user cannot pass authentication. Service types include FTP, LAN access, Portal, SSH, Telnet, and Terminal.
• User state
Indicates whether or not a local user can request network services. There are two user states: active and blocked. A user in the active state can request network services, but a user in the blocked state cannot.
• Maximum number of users using the same local user account
Indicates how many users can use the same local user account for local authentication.
• Expiration time
Indicates the expiration time of a local user account. A user must use a local user account that has not expired to pass local authentication.
• User group
Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user groups, see "Configuring user group attributes."
• Password control attributes
Password control attributes help you improve the security of local users' passwords. Password control attributes include password aging time, minimum password length, and password composition policy.
You can configure a password control attribute in system view, user group view, or local user view, making the attribute effective for all local users, all local users in a group, or only the local user. A password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see the chapter "Password control configuration."
• Binding attributes
Binding attributes are used to control the scope of users. Binding attributes are checked during authentication. If the attributes of a user do not match the binding attributes configured for the user on the access device, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For more information about binding attributes, see "Configuring local user attributes."
• Authorization attributes
Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see "Configuring local user attributes."
You can configure an authorization attribute in user group view or local user view, making the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.
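As an added example that is not part of the manual and does not model the device's own database, the following Python code applies the local user checks listed above: user state, service type, account expiration, the binding attributes (applied to LAN users only, as the command table notes), the maximum number of users per account (not applied to FTP users), and the password. It also resolves the password control attributes by the stated priority rule (local user view, then user group view, then system view) and enforces the resolved minimum length and composition policy when a password is set. GLOBAL_POLICY, the day-number timestamps, and the user records are constructed values for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed system-view defaults for the password control attributes (illustrative values,
# not device defaults). type_number = character types required, type_length = minimum
# characters of each type, following the composition command's parameter names.
GLOBAL_POLICY = {"aging_days": 90, "min_length": 10, "type_number": 2, "type_length": 1}


@dataclass
class UserGroup:
    name: str
    policy: dict = field(default_factory=dict)      # attributes set in user group view


@dataclass
class LocalUser:
    name: str
    password: str
    service_types: set                              # e.g. {"lan-access", "ssh"}
    group: UserGroup
    state: str = "active"                           # "active" or "block"
    expiration_day: Optional[int] = None            # constructed day number; None = not set
    access_limit: Optional[int] = None
    active_sessions: int = 0
    binding: dict = field(default_factory=dict)     # subset of ip / mac / vlan / location
    policy: dict = field(default_factory=dict)      # attributes set in local user view
    password_set_day: int = 0


def effective_policy(user: LocalUser) -> dict:
    """Smaller effective range wins: local user view, then user group view, then system view."""
    return {k: user.policy.get(k, user.group.policy.get(k, GLOBAL_POLICY[k])) for k in GLOBAL_POLICY}


def composition_counts(password: str) -> list:
    """Characters per type: uppercase, lowercase, digits, other."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return [sum(1 for c in password if cls(c)) for cls in classes]


def password_meets_policy(password: str, pol: dict) -> Optional[str]:
    """None when the candidate satisfies minimum length and composition, else the failed rule."""
    if len(password) < pol["min_length"]:
        return "password shorter than minimum length"
    qualifying = [n for n in composition_counts(password) if n >= pol["type_length"]]
    if len(qualifying) < pol["type_number"]:
        return "too few character types with the required length each"
    return None


def set_password(user: LocalUser, new_password: str, today: int) -> Optional[str]:
    """Apply the resolved policy when a password is set; returns the failed rule or None."""
    failure = password_meets_policy(new_password, effective_policy(user))
    if failure is None:
        user.password, user.password_set_day = new_password, today
    return failure


def password_aged_out(user: LocalUser, today: int) -> bool:
    """True once the password is older than the resolved aging time."""
    return today - user.password_set_day > effective_policy(user)["aging_days"]


def local_authenticate(user: Optional[LocalUser], request: dict, today: int) -> str:
    """Run the local user checks; returns 'accept' or 'reject: <first failed check>'."""
    if user is None:
        return "reject: no such local user"
    if user.state != "active":
        return "reject: user is blocked"
    service = request["service"]
    if service not in user.service_types:
        return "reject: service type not authorized"
    if user.expiration_day is not None and today > user.expiration_day:
        return "reject: account expired"
    if service == "lan-access":                       # binding attributes apply to LAN users only
        for key, wanted in user.binding.items():      # every configured attribute must match
            if request.get(key) != wanted:
                return f"reject: binding attribute {key} does not match"
    if service != "ftp" and user.access_limit is not None and user.active_sessions >= user.access_limit:
        return "reject: maximum number of users for this account reached"
    if request["password"] != user.password:
        return "reject: wrong password"
    return "accept"
```

The binding check fails closed: a binding attribute configured on the user but absent from the request counts as a mismatch, which is the behaviour the text describes for a user whose attributes do not match those configured on the access device.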
Local user configuration task list
• Configuring local user attributes (Required)
• Configuring user group attributes (Optional)
• Displaying and maintaining local users and local user groups (Optional)

Configuring local user attributes
Follow these steps to configure attributes for a local user:
• Enter system view. Command: system-view.
• Set the password display mode for all local users. Command: local-user password-display-mode { auto | cipher-force }. Optional. auto by default, indicating to display the password of a local user in the way indicated by the password command.
• Add a local user and enter local user view. Command: local-user user-name. Required. No local user exists by default.
• Configure a password for the local user. Command: password { cipher | simple } password. Optional.
• Place the local user in the active or blocked state. Command: state { active | block }. Optional. When created, a local user is in the active state by default, and the user can request network services.
• Set the maximum number of users using the local user account. Command: access-limit max-user-number. Optional. By default, there is no limit on the maximum number of users that use the same local user account. This limit is not effective for FTP users.
• Configure the password control attributes for the local user:
  • Set the password aging time. Command: password-control aging aging-time. Optional. By default, the setting for the user group is used. If there is no such setting for the user group, the global setting is used.
  • Set the minimum password length. Command: password-control length length. Optional. By default, the setting for the user group is used. If there is no such setting for the user group, the global setting is used.
  • Configure the password composition policy. Command: password-control composition type-number type-number [ type-length type-length ]. Optional. By default, the setting for the user group is used. If there is no such setting for the user group, the global setting is used.
• Specify the service types for the local user. Command: service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal }. Required. By default, no service is authorized to a local user.
• Configure the binding attributes for the local user. Command: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *. Optional. By default, no binding attribute is configured for a local user. ip, location, mac, and vlan are supported for LAN users. No binding attribute is supported for other types of local users.
• Configure the authorization attributes for the local user. Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role security-audit | vlan vlan-id | work-directory directory-name } *. Optional. By default, no authorization attribute is configured for a local user. For LAN and portal users, only acl, idle-cut, user-profile, and vlan are supported. For SSH and terminal users, only level is supported. For FTP users, only level and work-directory are supported. For Telnet users, only level and user-role are supported. For other types of local users, no binding attribute is supported.
• Set the expiration time of the local user. Command: expiration-date time. Optional. Not set by default. When some users need to access the network temporarily, create a guest account and specify an expiration time for the account.
• Assign the local user to a user group. Command: group group-name. Optional. By default, a local user belongs to the default user group system.

NOTE:
• For more information about password control attribute commands, see the chapter "Password control configuration."
• On a device supporting the password control feature, local user passwords are not displayed, and the local-user password-display-mode command is not effective.
• With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the configuration of the password command. In this case, if you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the device restarts, even if you restore the display mode to auto.
• The access-limit command configured for a local user takes effect only when local accounting is configured.
• If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view). For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface. For more information about user interface authentication mode and user interface command level, see the Fundamentals Configuration Guide.
• Be cautious when deciding which binding attributes should be configured for a local user. Binding attributes are checked upon local authentication of a user. If the checking fails, the user fails the authentication.
• Every configurable authorization attribute has its definite application environments and purposes. When configuring authorization attributes for a local user, consider what attributes are needed.
Configuring user group attributes
User groups simplify local user configuration and management. A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized user attribute management for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
By default, every newly added local user belongs to the system default user group system and bears all attributes of the group. To change the user group to which a local user belongs, use the user-group command in local user view.
Follow these steps to configure attributes for a user group:
• Enter system view. Command: system-view.
• Create a user group and enter user group view. Command: user-group group-name. Required.
• Configure password control attributes for the user group:
  • Set the password aging time. Command: password-control aging aging-time. Optional. By default, the global setting is used.
  • Set the minimum password length. Command: password-control length length. Optional. By default, the global setting is used.
  • Configure the password composition policy. Command: password-control composition type-number type-number [ type-length type-length ]. Optional. By default, the global setting is used.
• Configure the authorization attributes for the user group. Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *. Optional. By default, no authorization attribute is configured for a user group.
     
Displaying and maintaining local users and local user groups
• Display local user information. Command: display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display the user group configuration information. Command: display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
     
Configuring RADIUS schemes
A RADIUS scheme specifies the RADIUS servers that the device can cooperate with and defines a set of parameters that the device uses to exchange information with the RADIUS servers. There may be authentication/authorization servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type.
RADIUS scheme configuration task list
• Creating a RADIUS scheme (Required)
• Specifying the RADIUS authentication/authorization servers (Required)
• Specifying the RADIUS accounting servers and relevant parameters (Optional)
• Setting the shared keys for RADIUS packets (Optional)
• Setting the maximum number of RADIUS request transmission attempts (Optional)
• Setting the supported RADIUS server type (Optional)
• Setting the status of RADIUS servers (Optional)
• Setting the username format and traffic statistics units (Optional)
• Specifying a source IP address for outgoing RADIUS packets (Optional)
• Setting timers for controlling communication with RADIUS servers (Optional)