HP A 5120 Manual
HWTACACS configuration task list

• Creating an HWTACACS scheme (Required)
• Specifying the HWTACACS authentication servers (Required)
• Specifying the HWTACACS authorization servers (Optional)
• Specifying the HWTACACS accounting servers (Optional)
• Setting the shared keys for HWTACACS packets (Required)
• Setting the username format and traffic statistics units (Optional)
• Specifying a source IP address for outgoing HWTACACS packets (Optional)
• Setting timers for controlling communication with HWTACACS servers (Optional)
• Displaying and maintaining HWTACACS (Optional)

Creating an HWTACACS scheme

The HWTACACS protocol is configured on a per-scheme basis. Before performing other HWTACACS configurations, follow these steps to create an HWTACACS scheme and enter HWTACACS scheme view:

1. Enter system view: system-view
2. Create an HWTACACS scheme and enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name (Required. Not defined by default.)

NOTE: Up to 16 HWTACACS schemes can be configured. A scheme can be deleted only when it is not referenced.

Specifying the HWTACACS authentication servers

Follow these steps to specify the HWTACACS authentication servers:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Specify the primary HWTACACS authentication server: primary authentication ip-address [ port-number ] (Required. Configure at least one of steps 3 and 4. No authentication server is specified by default.)
4. Specify the secondary HWTACACS authentication server: secondary authentication ip-address [ port-number ] (Required. Configure at least one of steps 3 and 4.)
NOTE: If both the primary and secondary authentication servers are specified, the secondary one is used when the primary one is not reachable. If redundancy is not required, specify only the primary HWTACACS authentication server. The IP addresses of the primary and secondary authentication servers cannot be the same; otherwise, the configuration fails. You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Specifying the HWTACACS authorization servers

Follow these steps to specify the HWTACACS authorization servers:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Specify the primary HWTACACS authorization server: primary authorization ip-address [ port-number ] (Required. Configure at least one of steps 3 and 4. No authorization server is specified by default.)
4. Specify the secondary HWTACACS authorization server: secondary authorization ip-address [ port-number ] (Required. Configure at least one of steps 3 and 4.)

NOTE: If both the primary and secondary authorization servers are specified, the secondary one is used when the primary one is not reachable. If redundancy is not required, specify only the primary HWTACACS authorization server. The IP addresses of the primary and secondary authorization servers cannot be the same; otherwise, the configuration fails. You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Specifying the HWTACACS accounting servers

Follow these steps to specify the HWTACACS accounting servers and perform related configurations:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Specify the primary HWTACACS accounting server: primary accounting ip-address [ port-number ] (Required. Configure at least one of steps 3 and 4. No accounting server is specified by default.)
4. Specify the secondary HWTACACS accounting server: secondary accounting ip-address [ port-number ] (Required. Configure at least one of steps 3 and 4.)
5. Enable the device to buffer stop-accounting requests that get no response: stop-accounting-buffer enable (Optional. Enabled by default.)
6. Set the maximum number of stop-accounting request transmission attempts: retry stop-accounting retry-times (Optional. 100 by default.)

NOTE: If both the primary and secondary accounting servers are specified, the secondary server is used when the primary server is not reachable. If redundancy is not required, specify only the primary HWTACACS accounting server. The IP addresses of the primary and secondary accounting servers cannot be the same; otherwise, the configuration fails. You can remove an accounting server only when no active TCP connection for sending accounting packets is using it. HWTACACS does not support keeping accounts on FTP users.

Setting the shared keys for HWTACACS packets

The HWTACACS client and HWTACACS server use the MD5 algorithm to encrypt the packets exchanged between them and use shared keys to verify the packets. Only when both sides use the same key for an exchanged packet can they accept the packet and respond properly. Follow these steps to set the shared keys for HWTACACS packets:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Set the shared keys for HWTACACS authentication, authorization, and accounting packets: key { accounting | authentication | authorization } string (Required. No shared key by default.)

Setting the username format and traffic statistics units

A username is usually in the format userid@isp-name, where isp-name is the name of the ISP domain the user belongs to; the device uses it to determine which users belong to which ISP domains. However, some HWTACACS servers cannot recognize usernames that contain an ISP domain name. In this case, the device must remove the domain name from each username before sending the username. You can set the username format on the device for this purpose.

The device periodically sends accounting updates to HWTACACS accounting servers to report the traffic statistics of online users. For normal and accurate traffic statistics, make sure that the unit for data flows and the unit for packets on the device are consistent with those configured on the HWTACACS servers.

Follow these steps to set the username format and the traffic statistics units for an HWTACACS scheme:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Set the format of usernames sent to the HWTACACS servers: user-name-format { keep-original | with-domain | without-domain } (Optional. By default, the ISP domain name is included in the username.)
4. Specify the unit for data flows or packets sent to the HWTACACS servers: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }* (Optional. byte for data flows and one-packet for data packets by default.)

NOTE: If an HWTACACS server does not support a username with the domain name, configure the device to remove the domain name before sending the username to the server. For level switching authentication, the user-name-format keep-original and user-name-format without-domain commands produce the same result: they ensure that usernames sent to the HWTACACS server carry no ISP domain name.

Specifying a source IP address for outgoing HWTACACS packets

The source IP address of the HWTACACS packets that a NAS sends must match the IP address of the NAS configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet. Usually, the source address of outgoing HWTACACS packets can be the IP address of any interface of the NAS that can communicate with the HWTACACS server. You can specify the source IP address for outgoing HWTACACS packets in HWTACACS scheme view for a specific HWTACACS scheme, or in system view for all HWTACACS schemes. Before sending an HWTACACS packet, a NAS selects a source IP address in this order:

1. The source IP address specified for the HWTACACS scheme.
2. The source IP address specified in system view.
3. The IP address of the outbound interface specified by the route.

Follow these steps to specify a source IP address for all HWTACACS schemes:

1. Enter system view: system-view
2. Specify a source IP address for outgoing HWTACACS packets: hwtacacs nas-ip ip-address (Required. By default, the IP address of the outbound interface is used as the source IP address.)

Follow these steps to specify a source IP address for a specific HWTACACS scheme:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Specify a source IP address for outgoing HWTACACS packets: nas-ip ip-address (Required. By default, the IP address of the outbound interface is used as the source IP address.)

Setting timers for controlling communication with HWTACACS servers

Follow these steps to set the timers for HWTACACS servers:

1. Enter system view: system-view
2. Enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name
3. Set the HWTACACS server response timeout timer: timer response-timeout seconds (Optional. 5 seconds by default.)
4. Set the quiet timer for the primary server: timer quiet minutes (Optional. 5 minutes by default.)
5. Set the real-time accounting interval: timer realtime-accounting minutes (Optional. 12 minutes by default.)

NOTE: For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. If the device does not receive any response to the information, it does not forcibly disconnect the online users. The real-time accounting interval must be a multiple of 3. The appropriate real-time accounting interval depends somewhat on the performance of the NAS and the HWTACACS server: a shorter interval requires higher performance.

Displaying and maintaining HWTACACS

• Display configuration information or statistics of HWTACACS schemes: display hwtacacs [ hwtacacs-server-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display information about buffered stop-accounting requests that get no responses: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Clear HWTACACS statistics: reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ] (Available in user view.)
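As an added illustration that is not part of the manual or HP's own software, the following Python script parses a constructed Comware-style HWTACACS fragment and checks the rules stated in this section: the 16-scheme limit, identical primary and secondary server addresses, a server configured without a shared key, the multiple-of-3 rule for the real-time accounting interval, and the three-step source IP selection order. The scheme names, addresses and key strings are placeholders.

```python
"""Checker for the HWTACACS scheme rules above (constructed example, not HP code).
Parses a Comware-style config fragment and reports the conditions the manual says
make configuration fail or that should be verified before relying on a scheme."""
import re

MAX_SCHEMES = 16  # "Up to 16 HWTACACS schemes can be configured."
KINDS = ("authentication", "authorization", "accounting")

# Constructed fragment: scheme names, addresses and key strings are placeholders.
SAMPLE_CONFIG = """\
hwtacacs nas-ip 10.0.0.1
hwtacacs scheme tac-good
 primary authentication 10.1.1.1 49
 secondary authentication 10.1.1.2 49
 key authentication KEY-PLACEHOLDER
 nas-ip 10.0.0.5
 timer realtime-accounting 15
hwtacacs scheme tac-bad
 primary authentication 10.2.2.2
 secondary authentication 10.2.2.2
 timer realtime-accounting 10
"""

def parse_schemes(text):
    """Return (system-view nas-ip, {scheme name: parsed scheme}) for the text."""
    global_nas_ip, schemes, cur = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("hwtacacs nas-ip "):
            global_nas_ip = line.split()[2]
        elif line.startswith("hwtacacs scheme "):
            cur = schemes.setdefault(line.split()[2], {
                "servers": {}, "keys": set(), "nas_ip": None, "realtime": 12})
        elif cur is None:
            continue
        elif (m := re.match(r"(primary|secondary) (\w+) (\S+)", line)):
            cur["servers"][(m[2], m[1])] = m[3]  # (kind, role) -> server address
        elif line.startswith("key "):
            cur["keys"].add(line.split()[1])
        elif line.startswith("nas-ip "):
            cur["nas_ip"] = line.split()[1]
        elif line.startswith("timer realtime-accounting "):
            cur["realtime"] = int(line.split()[2])
    return global_nas_ip, schemes

def check_scheme(name, s):
    """Apply the per-scheme rules from the steps and notes above."""
    problems = []
    for kind in KINDS:
        prim = s["servers"].get((kind, "primary"))
        sec = s["servers"].get((kind, "secondary"))
        if prim and sec and prim == sec:
            problems.append(f"{name}: primary and secondary {kind} servers are the same; configuration fails")
        if (prim or sec) and kind not in s["keys"]:
            problems.append(f"{name}: {kind} server set but no {kind} shared key (none by default)")
    if not any(s["servers"].get(("authentication", r)) for r in ("primary", "secondary")):
        problems.append(f"{name}: no authentication server; at least one is required")
    if s["realtime"] % 3:
        problems.append(f"{name}: realtime-accounting interval {s['realtime']} is not a multiple of 3")
    return problems

def source_ip(scheme, global_nas_ip, outbound_if_ip):
    """Selection order: scheme nas-ip, then system-view hwtacacs nas-ip, then the outbound interface."""
    return scheme["nas_ip"] or global_nas_ip or outbound_if_ip

def check_config(text):
    """Check every scheme in the fragment and the scheme-count limit."""
    global_nas_ip, schemes = parse_schemes(text)
    problems = [f"{len(schemes)} schemes; the limit is {MAX_SCHEMES}"] if len(schemes) > MAX_SCHEMES else []
    for name, s in schemes.items():
        problems.extend(check_scheme(name, s))
    return problems
```

Running check_config on SAMPLE_CONFIG flags only tac-bad, for its duplicated server address, missing authentication key and 10-minute interval.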
Configuring AAA methods for ISP domains

You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of default AAA methods, which are local authentication, local authorization, and local accounting by default and can be customized. If you do not configure any AAA methods for an ISP domain, the device uses the system default AAA methods for authentication, authorization, and accounting of the users in the domain.

Configuration prerequisites

To use local authentication for users in an ISP domain, configure local user accounts (see "Configuring local user attributes") on the access device. To use remote authentication, authorization, and accounting, create the required RADIUS and HWTACACS schemes as described in "Configuring RADIUS schemes" and "Configuring HWTACACS schemes."

Creating an ISP domain

In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. Because users of different ISPs may have different user attributes (for example, different username and password structure, service type, and rights), you must configure ISP domains to distinguish the users and configure different AAA methods for the ISP domains. On a NAS, each user belongs to an ISP domain. A NAS can accommodate up to 16 ISP domains, including the factory default ISP domain, which is named system. If a user does not provide the ISP domain name at login, the system considers that the user belongs to the default ISP domain.

Follow these steps to create an ISP domain:

1. Enter system view: system-view
2. Create an ISP domain and enter ISP domain view: domain isp-name (Required.)
3. Return to system view: quit
4. Specify the default ISP domain: domain default enable isp-name (Optional. By default, the default ISP domain is the factory default ISP domain system.)

NOTE: To delete the default ISP domain, you must first change it to a non-default ISP domain (with the domain default disable command).

Configuring ISP domain attributes

Follow these steps to configure ISP domain attributes:

1. Enter system view: system-view
2. Enter ISP domain view: domain isp-name
3. Place the ISP domain in the active or blocked state: state { active | block } (Optional. By default, an ISP domain is in the active state, and users in the domain can request network services.)
4. Specify the maximum number of active users in the ISP domain: access-limit enable max-user-number (Optional. No limit by default.)
5. Configure the idle cut function: idle-cut enable minute [ flow ] (Optional. Disabled by default. This command is effective only for LAN users and portal users.)
6. Configure the self-service server location function: self-service-url enable url-string (Optional. Disabled by default.)
7. Specify the default authorization user profile: authorization-attribute user-profile profile-name (Optional. By default, an ISP domain has no default authorization user profile.)

NOTE: If a user passes authentication but is authorized with no user profile, the device authorizes the default user profile of the ISP domain to the user and restricts the user's behavior based on the profile. For more information about the user profile, see the chapter "User profile configuration." A self-service RADIUS server, such as Intelligent Management Center (iMC), is required for the self-service server location function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

Configuring AAA authentication methods for an ISP domain

In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process does not send authorization information to a supplicant or trigger accounting. AAA supports the following authentication methods:

• No authentication (none)—All users are trusted and no authentication is performed. Generally, do not use this method.
• Local authentication (local)—Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication features high speed and low cost, but the amount of information that can be stored is limited by the hardware.
• Remote authentication (scheme)—The access device cooperates with a RADIUS or HWTACACS server to authenticate users. The device can use the standard RADIUS protocol or the extended RADIUS protocol in collaboration with systems like iMC to implement user authentication. Remote authentication features centralized information management, high capacity, high reliability, and support for a centralized authentication service for multiple access devices. You can configure local or no authentication as the backup method to be used when the remote server is not available. No authentication can be configured as the backup method of remote authentication only for LAN users.

You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.

Before configuring authentication methods, complete the following tasks:

• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require any scheme.
• Determine the access mode or service type to be configured. With AAA, you can configure an authentication method for each access mode and service type, limiting the authentication protocols that can be used for access.
• Determine whether to configure an authentication method for all access modes or service types.

Follow these steps to configure AAA authentication methods for an ISP domain:

1. Enter system view: system-view
2. Enter ISP domain view: domain isp-name
3. Specify the default authentication method for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional. local by default.)
4. Specify the authentication method for LAN users: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } (Optional. The default authentication method is used by default.)
5. Specify the authentication method for login users: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default authentication method is used by default.)
6. Specify the authentication method for portal users: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default authentication method is used by default.)
7. Specify the authentication method for privilege level switching: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } (Optional. The default authentication method is used by default.)
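The following Python model is an added example, not HP code or part of the manual; the domain, scheme and user names in it are made up. It encodes what each authentication command in the steps above accepts (scheme types and backup keywords), resolves the effective method for an access mode with the mode-specific entry taking priority over the default and the backup applying only when the referenced server is unreachable, and builds the $enab<level>$ username that RADIUS privilege-level switching authenticates, as described in the note that follows.

```python
"""AAA authentication method selection and username handling for an ISP domain
(constructed model, not HP code). Domain, scheme and user names are made up."""
DEFAULT_DOMAIN = "system"  # factory default ISP domain

# Per access mode: (scheme types the command accepts, backup keywords it accepts),
# taken from the authentication command steps above.
ALLOWED = {
    "default":    ({"hwtacacs-scheme", "radius-scheme"}, {"local"}),
    "lan-access": ({"radius-scheme"}, {"local", "none"}),
    "login":      ({"hwtacacs-scheme", "radius-scheme"}, {"local"}),
    "portal":     ({"radius-scheme"}, {"local"}),
    "super":      ({"hwtacacs-scheme", "radius-scheme"}, set()),
}

# Constructed domain config: access mode -> (method, backup). A method is
# "local", "none" or a (scheme type, scheme name) tuple; backup may be None.
SAMPLE_DOMAIN = {
    "default":    (("hwtacacs-scheme", "tac1"), "local"),
    "login":      (("radius-scheme", "rad1"), "local"),
    "lan-access": (("radius-scheme", "rad1"), "none"),
    "super":      (("radius-scheme", "rad1"), None),
}

def split_username(login):
    """userid@isp-name -> (userid, domain); no domain given means the default domain."""
    userid, sep, domain = login.partition("@")
    return userid, (domain if sep else DEFAULT_DOMAIN)

def username_for_server(login, fmt):
    """Apply user-name-format { keep-original | with-domain | without-domain }."""
    userid, domain = split_username(login)
    return {"keep-original": login, "with-domain": f"{userid}@{domain}",
            "without-domain": userid}[fmt]

def level_switch_username(login, level, with_domain):
    """RADIUS level switching authenticates $enab<level>$, not the login name."""
    _, domain = split_username(login)
    return f"$enab{level}@{domain}$" if with_domain else f"$enab{level}$"

def validate_domain(cfg):
    """Reject method/backup combinations the command syntax does not allow."""
    problems = []
    for mode, (method, backup) in cfg.items():
        schemes, backups = ALLOWED[mode]
        if isinstance(method, tuple) and method[0] not in schemes:
            problems.append(f"{mode}: {method[0]} is not accepted for this access mode")
        if mode == "super" and not isinstance(method, tuple):
            problems.append("super: level switching needs a RADIUS or HWTACACS scheme")
        if backup is not None and backup not in backups:
            problems.append(f"{mode}: backup {backup!r} is not accepted for this access mode")
    return problems

def resolve_method(cfg, access_mode, server_reachable):
    """Effective method: the mode-specific entry beats 'default'; the backup is
    used only when the referenced scheme's server is unreachable. Returns None
    when the scheme is unreachable and no backup was configured (no fallback)."""
    method, backup = cfg.get(access_mode) or cfg.get("default", ("local", None))
    if isinstance(method, tuple) and not server_reachable(method[1]):
        return backup
    return method
```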
NOTE: The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode. With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server does include the authorization information, but the authentication process ignores the information. With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, local authentication is the backup method and is used only when the remote server is not available. If you specify only the local or none keyword in an authentication method configuration command, the device has no backup authentication method and performs only local authentication or does not perform any authentication. If the method for level switching authentication references an HWTACACS scheme, the device uses the login username of a user for level switching authentication of the user by default. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the original username, the login username or the username entered by the user. A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the domain name is required and uses $enab3$ for authentication when the domain name is not required.

Configuring AAA authorization methods for an ISP domain

In AAA, authorization is a separate process at the same level as authentication and accounting.
Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration. AAA supports the following authorization methods:

• No authorization (none)—The access device performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and other login users have only the rights of Level 0 (visiting).
• Local authorization (local)—The access device performs authorization according to the user attributes configured for users.
• Remote authorization (scheme)—The access device cooperates with a RADIUS or an HWTACACS server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization response after successful authentication. You can configure local authorization or no authorization as the backup method to be used when the remote server is not available.

Before configuring authorization methods, complete the following tasks:

1. For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2. Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme for each access mode and service type, limiting the authorization protocols that can be used for access.
3. Determine whether to configure an authorization method for all access modes or service types.

Follow these steps to configure AAA authorization methods for an ISP domain:

1. Enter system view: system-view
2. Enter ISP domain view: domain isp-name
3. Specify the default authorization method for all types of users: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional. local by default.)
4. Specify the command authorization method: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none } (Optional. The default authorization method is used by default.)
5. Specify the authorization method for LAN users: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } (Optional. The default authorization method is used by default.)
6. Specify the authorization method for login users: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default authorization method is used by default.)
7. Specify the authorization method for portal users: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] } (Optional. The default authorization method is used by default.)

NOTE: The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding. With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name [ local | none ] keyword and argument combination configured, local authorization or no authorization is the backup method and is used only when the remote server is not available. If you specify only the local or none keyword in an authorization method configuration command, the device has no backup authorization method and performs only local authorization or does not perform any authorization. The authorization information from the RADIUS server is sent to the RADIUS client along with the authentication response message. You cannot specify a separate RADIUS authorization server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system displays an error message.

Configuring AAA accounting methods for an ISP domain

In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server. Accounting is not required, and accounting method configuration is optional. AAA supports the following accounting methods:

• No accounting (none)—The system does not perform accounting for the users.