Home > HP > Switch > HP A 5120 Manual

HP A 5120 Manual

Add to Favourites
    Download as PDF Print this page Share this page

    Have a look at the manual HP A 5120 Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

    View all the pages
    Page
    of 304
    Add page 21 to Favourites
    image text
    Enable zoom 
    							11 
from the clients within the management range. A shared key is used to ensure secure communication 
between a RADIUS client and the RADIUS server.  
 RADIUS authentication and authorization. RADIUS accounting is not supported. 
Upon  receiving  a  RADIUS  packet, a device working  as the  RADIUS  server checks  whether  the  sending 
client  is  under  its  management.  If  yes,  it  verifies  the  packet  validity by using  the  shared  key,  checks 
whether  there  is  an  account  with the  username,  whether the password is  correct,  and  whether  the  user 
attributes  meet  the  requirements  defined on the  RADIUS  server (for  example, whether  the  account  has 
expired). Then,  the  RADIUS  server  assigns the corresponding  authority to  the  client  if  the authentication 
succeeds, or denies the client if the authentication fails.   
 NOTE: 
The UDP port number for RADIUS authentication is 1812 in the standard RADIUS protocol, but is 1645 
on HP devices. Specify 1645 as the authentication port number when you use an HP device as a 
RADIUS client.  
Protocols and standards 
The following protocols and standards are related to AAA, RADIUS, and HWTACACS: 
 RFC 2865, Remote Authentication Dial In User Service (RADIUS) 
 RFC 2866, RADIUS Accounting 
 RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support 
 RFC 2868, RADIUS Attributes for Tunnel Protocol Support 
 RFC 2869, RADIUS Extensions 
 RFC 1492, An Access Control Protocol, Sometimes Called TACACS 
RADIUS attributes 
Commonly used standard RADIUS attributes 
No. Attribute Description 
1 User-Name Name of the user to be authenticated. 
2 User-Password User password for PAP authentication, present only in Access-Request packets 
in PAP authentication mode. 
3 CHAP-Password Digest of the user password for CHAP authentication, present only in Access-
Request packets in CHAP authentication mode. 
4 NAS-IP-Address 
IP address for the server to identify a client. Usually, a client is identified by the 
IP address of the access interface on the NAS, namely the NAS IP address. 
This attribute is present in only Access-Request packets. 
5 NAS-Port Physical port of the NAS that the user accesses. 
6 Service-Type Type of service that the user has requested or type of service to be provided. 
7 Framed-Protocol Encapsulation protocol. 
8 Framed-IP-Address IP address to be configured for the user. 
11 Filter-ID Name of the filter list.
    Add page 22 to Favourites
    image text
    Enable zoom 
    							12 
No. Attribute Description 
12 Framed-MTU 
Maximum transmission unit (MTU) for the data link between the user and NAS. 
For example, with 802.1X EAP authentication, NAS uses this attribute to notify 
the server of the MTU for EAP packets, so as to avoid oversized EAP packets. 
14 Login-IP-Host IP address of the NAS interface that the user accesses. 
15 Login-Service Type of the service that the user uses for login. 
18 Reply-Message Text to be displayed to the user, which can be used by the server to indicate, 
for example, the reason of the authentication failure. 
26 Vendor-Specific Vendor specific attribute. A packet can contain one or more such proprietary 
attributes, each of which can contain one or more sub-attributes. 
27 Session-Timeout Maximum duration of service to be provided to the user before termination of 
the session. 
28 Idle-Timeout Maximum idle time permitted for the user before termination of the session. 
31 Calling-Station-Id 
User identification that the NAS sends to the server. With the LAN access 
service provided by an HP device, this attribute carries the MAC address of 
the user in the format HHHH-HHHH-HHHH.  
32 NAS-Identifier Identification that the NAS uses for indicating itself. 
40 Acct-Status-Type 
Type of the Accounting-Request packet. Possible values are as follows: 
 1—ptart 
 2—Stop 
 3—Interium-Update 
 4—Reset-Charge 
 7—Accounting-On (Defined in 3GPP, the 3rd Generation Partnership 
Project) 
 8—Accounting-Off EDefined in 3GPPF 
 9 to 14—Reserved for tunnel accounting 
 15—Reserved for failed 
45 Acct-Authentic 
Authentication method used by the user. Possible values are as follows: 
 1—RADIUS 
 2—iocal 
 3—oemote 
60 CHAP-Challenge CHAP challenge generated by the NAS for MD5 calculation during CHAP 
authenticationK 
61 NAp-Port-Type 
Type of the physical port of the NAS that is authenticating the user. Possible 
values are as follows: 
 15—Ethernet 
 16—Any type of ADSL 
 17—Cable (with cable for cable TVF 
 201—VLAN 
 202—ATM 
If the port is an ATM or Ethernet one and VLANs are implemented on it, the 
value of this attribute is 201K 
79 EAm-Message Used for encapsulating EAP packets to allow the NAS to authenticate dial-in 
users via EAP without having to understand the EAP protocolK
    Add page 23 to Favourites
    image text
    Enable zoom 
    							13 
No. Attribute Description 
80 Message-
Authenticator 
Used for authentication and checking of authentication packets to prevent 
spoofing Access-Requests. This attribute is used when RADIUS supports EAP 
authentication. 
87 NAS-Port-Id String for describing the port of the NAS that is authenticating the user. 
 
HP proprietary RADIUS sub-attributes 
No. Sub-attribute Description 
1 Input-Peak-Rate Peak rate in the direction from the user to the NAS, in bps. 
2 Input-Average-Rate Average rate in the direction from the user to the NAS, in bps. 
3 Input-Basic-Rate Basic rate in the direction from the user to the NAS, in bps. 
4 Output-Peak-Rate Peak rate in the direction from the NAS to the user, in bps. 
5 Output-Average-Rate Average rate in the direction from the NAS to the user, in bps. 
6 Output-Basic-Rate Basic rate in the direction from the NAS to the user, in bps. 
15 Remanent_Volume Remaining, available total traffic of the connection, in different units for 
different server types. 
20 Command 
Operation for the session, used for session control. Possible values are as 
follows: 
 1—Trigger-Request 
 2—Terminate-Request 
 3—SetPolicy 
 4—Result 
 5—PortalClear 
24 Control_Identifier 
Identification for retransmitted packets. For retransmitted packets of the 
same session, this attribute must take the same value; for retransmitted 
packets of different sessions, this attribute may take the same value. The 
client response of a retransmitted packet must also carry this attribute and 
the value of the attribute must be the same. 
For Accounting-Request packets of the start, stop, and interim update types, 
the Control-Identifier attribute, if present, makes no sense. 
25 Result_Code Result of the Trigger-Request or SetPolicy operation. A value of zero means 
the operation succeeded, any other value means the operation failed. 
26 Connect_ID Index of the user connection 
28 Ftp_Directory 
Working directory of the FTP user. 
For an FTP user, when the RADIUS client acts as the FTP server, this 
attribute is used to set the FTP directory on the RADIUS client. 
29 Exec_Privilege Priority of the EXEC user 
59 NAS_Startup_Timestam
p 
Startup time of the NAS in seconds, which is represented by the time 
elapsed after 00:00:00 on Jan. 1, 1970 (UTC). 
60 Ip_Host_Addr 
IP address and MAC address of the user carried in authentication and 
accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is 
required between the IP address and the MAC address. 
61 User_Notify Information that needs to be sent from the server to the client transparently
    Add page 24 to Favourites
    image text
    Enable zoom 
    							14 
No. Sub-attribute Description 
62 User_HeartBeat 
Hash value assigned after an 802.1X user passes authentication, which is 
a 32-byte string. This attribute is stored in the user list on the device and is 
used for verifying the handshake messages from the 802.1X user. This 
attribute exists in only Access-Accept and Accounting-Request packets.  
140 User_Group 
User groups assigned after the SSL VPN user passes authentication. A user 
may belong to more than one user group. In this case, the user groups are 
delimited by semi-colons. This attribute is used for cooperation with the SSL 
VPN device. 
141 Security_Level Security level assigned after the SSL VPN user passes security 
authentication 
201 Input-Interval-Octets Bytes input within a real-time accounting interval 
202 Output-Interval-Octets Bytes output within a real-time accounting interval 
203 Input-Interval-Packets Packets input within an accounting interval, in the unit set on the device 
204 Output-Interval-Packets Packets output within an accounting interval, in the unit set on the device 
205 Input-Interval-
Gigawords Result of bytes input within an accounting interval divided by 4G bytes  
206 Output-Interval-
Gigawords Result of bytes output within an accounting interval divided by 4G bytes 
207 Backup-NAS-IP Backup source IP address for sending RADIUS packets 
255 Product_ID Product name 
 
AAA configuration considerations and task list 
To configure AAA, you must complete these tasks on the NAS:  
1. Configure the required AAA schemes. 
 Local  authentication—Configure  local  users  and the related  attributes,  including the usernames  and 
passwords of the users to be authenticated.  
 Remote  authentication—Configure  the  required  RADIUS and  HWTACACS  schemes,  and  configure 
user attributes on the servers accordingly. 
2. Configure AAA methods for the users’ ISP domains. 
 Authentication  method—No  authentication  (none),  local  authentication  (local),  or  remote 
authentication (scheme) 
 Authorization  method—No  authorization  (none),  local  authorization  (local),  or  remote  authorization 
(scheme) 
 Accounting  method—No  accounting  (none),  local  accounting  (local),  or  remote  accounting 
(scheme)
    Add page 25 to Favourites
    image text
    Enable zoom 
    							15 
Figure 9 AAA configuration diagram 
  
 
Table 4 AAA configuration task list 
Task Remarks 
Configuring AAA 
schemes 
Configuring local users 
Required 
Complete at least one task. Configuring RADIUS schemes 
Configuring HWTACACS schemes 
Configuring AAA 
methods for ISP domains 
Creating an ISP domain Required 
Configuring ISP domain attributes Optional 
Configuring AAA authentication methods for 
an ISP domain 
Required 
Complete at least one task. 
Configuring AAA authorization methods for 
an ISP domain 
Configuring AAA accounting methods for an 
ISP domain 
Tearing down user connections forcibly Optional 
Configuring a network device as a RADIUS server Optional 
Displaying and maintaining AAA Optional 
 
 NOTE: 
For login users, you must configure the login authentication mode for the user interfaces as scheme 
before performing the above configurations. For more information, see the Fundamentals Configuration 
Guide.  Configure the RADIUS, HWTACACS 
schemes to be referenced
none/ local/ schemeAuthorization method
Accounting method
Configure AAA methods 
Create an ISP domain and enter its view
local (default method)
none
scheme
Authentication method 
Configure local users and related attributes
none/ local/ scheme
+
+
Local AAA
Remote AAA
No AAA
    Add page 26 to Favourites
    image text
    Enable zoom 
    							16 
Configuring AAA schemes 
Configuring local users 
For  local  authentication,  you must create  local  users and configure user attributes on  the  device in 
advance. The  local  users  and  attributes  are  stored  in the  local  user  database on the  device. A  local  user 
is uniquely identified by a username. Configurable local user attributes are as follows: 
 Service type 
Types  of  services  that  the  user  can  use. Local  authentication  checks  the  service  types  of  a  local  user.  If 
none of the service types is available, the user cannot pass authentication. 
Service types include FTP, LAN access, Portal, SSH, Telnet, and Terminal. 
 User state 
Indicates  whether  or  not  a  local  user  can  request  network  services.  There  are  two  user  states:  active  and 
blocked. A user in the active state can request network services, but a user in the blocked state cannot.  
 Maximum number of users using the same local user account 
Indicates how many users can use the same local user account for local authentication. 
 Expiration time 
Indicates  the  expiration  time  of  a  local  user  account.  A  user  must  use  a  local  user  account  that  has  not 
expired to pass local authentication. 
 User group 
Each local user belongs to a local user group and bears all attributes of the group, such as the password 
control  attributes  and  authorization  attributes.  For  more  information  about  local  user  group,  see 
―Configuring user group attributes.― 
 Password control attributes 
Password  control  attributes  help  you  improve  the  security  of  local  users’ passwords.  Password  control 
attributes include password aging time, minimum password length, and password composition policy.  
You  can  configure  a  password  control  attribute  in  system  view,  user  group  view,  or  local  user  view, 
making  the  attribute  effective  for  all  local  users,  all  local  users  in  a  group,  or  only  the  local  user.  A 
password control attribute with a smaller effective range has a higher priority. For more information about 
password  management  and  global  password  configuration,  see the  chapter  ―Password control 
configuration. ― 
 Binding attributes 
Binding  attributes  are used  to control  the  scope  of  users.  Binding  attributes  are  checked  during 
authentication. If the attributes of a user do not match the binding attributes configured for the user on the 
access device, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP 
address, access port, MAC address, and native VLAN. For more information about binding attributes, see 
―Configuring local user attributes.― 
 Authorization attributes 
Authorization attributes indicate the rights that a user has after passing local authentication. Authorization 
attributes include the ACL, PPP callback number, idle cut function, user level, user role, user profile, VLAN, 
and FTP/SFTP work directory. For more information about authorization attributes, see ―Configuring local 
user attributes.―
    Add page 27 to Favourites
    image text
    Enable zoom 
    							17 
You  can  configure  an  authorization  attribute  in  user  group  view  or  local  user  view,  making  the  attribute 
effective for all local users in the group or only for the local user. The setting of an  authorization attribute 
in local user view takes precedence over that in user group view. 
Local user configuration task list 
Task Remarks 
Configuring local user attributes Required 
Configuring user group attributes Optional 
Displaying and maintaining local users and local user groups Optional 
 
Configuring local user attributes 
Follow these steps to configure attributes for a local user: 
To do… Use the command… Remarks 
Enter system view system-view — 
Set the password display mode for 
all local users 
local-user password-display-
mode { auto | cipher-force } 
Optional 
auto by default, indicating to 
display the password of a local 
user in the way indicated by the 
password command. 
Add a local user and enter local user 
view local-user user-name Required 
No local user exists by default. 
Configure a password for the local 
user 
password { cipher | simple } 
password Optional 
Place the local user to the state of 
active or blocked state { active | block } 
Optional 
When created, a local user is in 
the active state by default, and 
the user can request network 
services. 
Set the maximum number of users 
using the local user account access-limit max-user-number 
Optional 
By default, there is no limit on 
the maximum number of users 
that use the same local user 
account. 
This limit is not effective for FTP 
users. 
Configure the 
password control 
attributes for the 
local user 
Set the 
password aging 
time 
password-control aging aging-
time 
Optional 
By default, the setting for the 
user group is used. If there is no 
such setting for the user group, 
the global setting is used. 
Set the minimum 
password length password-control length length 
Optional 
By default, the setting for the 
user group is used. If there is no 
such setting for the user group, 
the global setting is used.
    Add page 28 to Favourites
    image text
    Enable zoom 
    							18 
To do… Use the command… Remarks 
Configure the 
password 
composition 
policy 
password-control composition 
type-number type-number [ 
type-length type-length ] 
Optional 
By default, the setting for the 
user group is used. If there is no 
such setting for the user group, 
the global setting is used. 
Specify the service types for the local 
user 
service-type { ftp | lan-access | 
{ ssh | telnet | terminal } * | 
portal } 
Required 
By default, no service is 
authorized to a local user. 
Configure the binding attributes for 
the local user 
bind-attribute { call-number call-
number [ : subcall-number ] | ip 
ip-address | location port slot-
number subslot-number port-
number | mac mac-address | 
vlan vlan-id } * 
Optional 
By default, no binding attribute 
is configured for a local user. 
ip, location, mac, and vlan are 
supported for LAN users. No 
binding attribute is supported for 
other types of local users.  
Configure the authorization attributes 
for the local user 
authorization-attribute { acl acl-
number | callback-number 
callback-number | idle-cut 
minute | level level | user-
profile profile-name | user-role 
security-audit | vlan vlan-id | 
work-directory directory-name } 
* 
Optional 
By default, no authorization 
attribute is configured for a local 
user. 
For LAN and portal users, only 
acl, idle-cut, user-profile, and 
vlan are supported.  
For SSH and terminal users, only 
level is supported. 
For FTP users, only level and 
work-directory are supported. 
For Telnet users, only level and 
user-role is supported.  
For other types of local users, no 
binding attribute is supported. 
Set the expiration time of the local 
user expiration-date time 
Optional 
Not set by default 
When some users need to 
access the network temporarily, 
create a guest account and 
specify an expiration time for the 
account.  
Assign the local user to a user group group group-name 
Optional 
By default, a local user belongs 
to the default user group system.
    Add page 29 to Favourites
    image text
    Enable zoom 
    							19 
 NOTE: 
 For more information about password control attribute commands, see the chapter “Password control 
configuration.” 
 On a device supporting the password control feature, local user passwords are not displayed, and the local-user 
password-display-mode command is not effective. 
 With the local-user password-display-mode cipher-force command configured, a local user password is 
always displayed in cipher text, regardless of the configuration of the password command. In this case, if you 
use the save command to save the configuration, all existing local user passwords will still be displayed in cipher 
text after the device restarts, even if you restore the display mode to auto.  
 The access-limit command configured for a local user takes effect only when local accounting is configured. 
 If the user interface authentication mode (set by the authentication-mode command in user interface view) is 
AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to 
the user. If the user interface authentication mode is password (password) or no authentication (none), which 
commands a login user can use after login depends on the level configured for the user interface (set by the user 
privilege level command in user interface view). For an SSH user using public key authentication, which 
commands are available depends on the level configured for the user interface. For more information about user 
interface authentication mode and user interface command level, see the Fundamentals Configuration Guide. 
 Be cautious when deciding which binding attributes should be configured for a local user. Binding attributes are 
checked upon local authentication of a user. If the checking fails, the user fails the authentication. 
 Every configurable authorization attribute has its definite application environments and purposes. When 
configuring authorization attributes for a local user, consider what attributes are needed.  
Configuring user group attributes 
User groups simplify local user configuration and management. A user group consists of a group of local 
users  and  has  a  set  of  local  user  attributes.  You  can  configure  local  user  attributes  for  a  user  group  to 
implement  centralized  user  attributes  management for the  local  users  in  the  group. Configurable  user 
attributes include password control attributes and authorization attributes. 
By  default,  every  newly  added  local  user  belongs  to  the  system  default  user  group system and  bears  all 
attributes  of  the  group.  To  change  the  user  group  to  which  a  local  user  belongs,  use  the user-group 
command in local user view. 
Follow these steps to configure attributes for a user group: 
To do… Use the command… Remarks 
Enter system view system-view — 
Create a user group and enter user 
group view user-group group-name Required 
Configure 
password control 
attributes for the 
user group 
Set the password 
aging time password-control aging aging-time 
Optional 
By default, the global 
setting is used. 
Set the minimum 
password length password-control length length 
Optional 
By default, the global 
setting is used. 
Configure the 
password 
composition policy 
password-control composition type-
number type-number [ type-length 
type-length ] 
Optional 
By default, the global 
setting is used.
    Add page 30 to Favourites
    image text
    Enable zoom 
    							20 
To do… Use the command… Remarks 
Configure the authorization attributes 
for the user group 
authorization-attribute { acl acl-
number | callback-number  
callback-number | idle-cut minute | 
level level | user-profile profile-name 
| vlan vlan-id | work-directory 
directory-name } * 
Optional 
By default, no 
authorization attribute is 
configured for a user 
group. 
 
Displaying and maintaining local users and local user groups 
To do… Use the command… Remarks 
Display local user information 
display local-user [ idle-cut { disable | 
enable } | service-type { ftp | lan-
access | portal | ssh | telnet | 
terminal } | state { active | block } | 
user-name user-name | vlan vlan-id ] 
[ slot slot-number ] [ | { begin | 
exclude | include } regular-expression 
] 
Available in any view 
Display the user group configuration 
information 
display user-group [ group-name ] [ | 
{ begin | exclude | include } regular-
expression ] 
Available in any view 
 
Configuring RADIUS schemes 
A RADIUS scheme  specifies  the  RADIUS  servers  that  the  device  can  cooperate  with  and  defines  a  set  of 
parameters that  the  device  uses  to  exchange  information with the  RADIUS  servers. There  may  be 
authentication/authorization  servers  and  accounting  servers, or primary  servers  and  secondary  servers. 
The parameters mainly include the IP  addresses  of the servers, the shared  keys,  and the RADIUS  server 
type.  
RADIUS scheme configuration task list 
Task Remarks 
Creating a RADIUS scheme Required 
Specifying the RADIUS authentication/authorization servers Required 
Specifying the RADIUS accounting servers and relevant 
parameters Optional 
Setting the shared keys for RADIUS packets Optional 
Setting the maximum number of RADIUS request transmission 
attempts Optional 
Setting the supported RADIUS server type Optional 
Setting the status of RADIUS servers Optional 
Setting the username format and traffic statistics units Optional 
Specifying a source IP address for outgoing RADIUS packets Optional 
Setting timers for controlling communication with RADIUS servers Optional
    All HP manuals Comments (0)

    Related Manuals for HP A 5120 Manual