Contents

Configuring AAA (page 1)
  AAA overview (page 1)
    RADIUS (page 2)
    HWTACACS (page 7)
    Domain-based user management (page 9)
    AAA for MPLS L3VPNs (page 10)
    Protocols and standards (page 10)
    RADIUS attributes (page 11)
  AAA configuration considerations and task list (page 14)
  Configuring AAA schemes (page 15)
    Configuring local users (page 15)
    Configuring RADIUS schemes (page 20)
    Configuring HWTACACS schemes (page 31)
  Configuring AAA methods for ISP domains (page 38)
    Configuration prerequisites (page 38)
    Creating an ISP domain (page 38)
    Configuring ISP domain attributes (page 39)
    Configuring AAA authentication methods for an ISP domain (page 40)
    Configuring AAA authorization methods for an ISP domain (page 42)
    Configuring AAA accounting methods for an ISP domain (page 43)
  Tearing down user connections (page 44)
  Configuring a NAS ID-VLAN binding (page 45)
  Displaying and maintaining AAA (page 45)
  AAA configuration examples (page 45)
    AAA for Telnet users by an HWTACACS server (page 45)
    AAA for Telnet users by separate servers (page 47)
    Authentication/authorization for SSH/Telnet users by a RADIUS server (page 48)
    AAA for 802.1X users by a RADIUS server (page 51)
    Level switching authentication for Telnet users by an HWTACACS server (page 58)
    RADIUS authentication and authorization for Telnet users by a switch (page 61)
  Troubleshooting AAA (page 63)
    Troubleshooting RADIUS (page 63)
    Troubleshooting HWTACACS (page 64)
802.1X overview (page 65)
  802.1X architecture (page 65)
  Controlled/uncontrolled port and port authorization status (page 65)
  802.1X-related protocols (page 66)
    Packet formats (page 67)
    EAP over RADIUS (page 68)
  Initiating 802.1X authentication (page 68)
    802.1X client as the initiator (page 68)
    Access device as the initiator (page 69)
  802.1X authentication procedures (page 69)
    A comparison of EAP relay and EAP termination (page 70)
    EAP relay (page 70)
    EAP termination (page 73)
Configuring 802.1X (page 74)
  HP implementation of 802.1X (page 74)