H3C Technologies H3C S12500-X Series Switches User Manual
Contents
  HWTACACS
  LDAP
  AAA implementation on the device
  AAA for MPLS L3VPNs
  Protocols and standards
  RADIUS attributes
FIPS compliance
AAA configuration considerations and task list
Configuring AAA schemes
  Configuring local users
  Configuring RADIUS schemes
  Configuring HWTACACS schemes
  Configuring LDAP schemes
Configuring AAA methods for ISP domains
  Configuration prerequisites
  Creating an ISP domain
  Configuring ISP domain attributes
  Configuring authentication methods for an ISP domain
  Configuring authorization methods for an ISP domain
  Configuring accounting methods for an ISP domain
Enabling the session-control feature
Setting the maximum number of concurrent login users
Displaying and maintaining AAA
AAA for SSH users by an HWTACACS server
  Network requirements
  Configuration procedure
  Verifying the configuration
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
  Network requirements
  Configuration procedure
  Verifying the configuration
Authentication and authorization for SSH users by a RADIUS server
  Network requirements
  Configuration procedure
  Verifying the configuration
Authentication for SSH users by an LDAP server
  Network requirements
  Configuration procedure
  Verifying the configuration
Troubleshooting RADIUS
  RADIUS authentication failure
  RADIUS packet delivery failure
  RADIUS accounting error
Troubleshooting HWTACACS
Troubleshooting LDAP