HP Networking: AAA Configuration for HP A and E series Switches and Router

AAA Configuration for HP A and E series Switches and Router

[8:50 PM | 0 comments ]

Before diving into configuration let me first describe what AAA is all about.

AAA stands for authentication, authorization and accounting, a system in IP-based networking to control what computer resources (routers,switches, firewalls, wireless access points, WLC, WCS) users have access to and to keep track of the activity of users over a network.

Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.

Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user’s authorization level.

Accounting is the process of keeping track of a user’s activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

AAA services often require a server that is dedicated to providing the three services. RADIUS, TACACs are an example of an AAA service. In my post i am using 2 ACS box running in high availability in Global Data Center for AAA and using Microsoft Active Directory as a database for end user authentication.

Now lets dig into configuration.

AAA for Telnet users by an HWTACACS server on HP A Series Switches

======================================================================

Local-user unetadmin –>This sets the local user, in case ACS server fails.

password simple icewater

service-type ssh telnet terminal

authorization-attribute level 3 –>Level 3 is the highest level in HP A series, like privilege 15 in cisco devices.

!

super password level 3 cipher rainwater –>This is like Enable password in cisco.

!

User-interface vty 0 15

Authentication-mode scheme –>It means we are using AAA scheme.

user privilege level 3 –>If authentication by AAA user will be directed to privilege 3.

quit

!

hwtacacs scheme acs –>We need to define a scheme first.

primary authentication x.x.x.x –>Where x.x.x.x is primary ACS server.

secondary authentication y.y.y.y –>Where y.y.y.y is secondary ACS server.

primary authorization x.x.x.x

secondary authorization y.y.y.y

primary accounting x.x.x.x

secondary accounting y.y.y.y

!

key authentication HP_ASeries –>Key should match with the key configured in ACS box. Note:- This is case -sensitive.

key authorization HP_ASeries

key accounting HP_ASeries

user-name-format without-domain

nas-ip z.z.z.z –> This is the source of the AAA conversation from the device to the ACS box, either it should be management interface or the ip that is configured on the ACS box for this particular device.

quit

!

domain upm_acs –>Configured “scheme” should be embedded into a “Domain” to define the hierarchy for AAA.

authentication default hwtacacs-scheme acs local –>This means the AAA will first try ACS primary then secondary and if both fails then local.

authorization default hwtacacs-scheme acs local

accounting default hwtacacs-scheme acs local

authentication login hwtacacs-scheme acs local

authorization login hwtacacs-scheme acs local

accounting login hwtacacs-scheme acs local

access-limit disable

state active

idle-cut disable

self-service-url disable

user-group upm_acs –>We need to define user-group as same as Domain name.

domain default enable upm_acs –>This is the main command to enable the domain for AAA, in case if we have multiple domain configured, like one for TACACS, other for Radius.

AAA for HP E Series Switches:

================================

# Configure the switch to use AAA for Telnet users.

password manager user-name –>Manager is highest level of access in HP E series.

password manager user-name unetadmin

password: icewater

confirm : icewater

aaa authentication login privilege-mode –>Login straight into Manager mode, no need to type “Enable” after successful login.

aaa authentication telnet login radius local –>This means for telnet AAA will first try ACS primary then secondary and if both fails then local.

aaa authentication telnet login radius local

aaa authentication telnet enable radius local

aaa authentication ssh login radius local –>This is for SSH.

aaa authentication ssh enable radius local

aaa accounting exec start-stop radius

!

radius-server host x.x.x.x key HP_ESeries –>Define primary Radius server host and the key.

radius-server host y.y.y.y key HP_ESeries –>Define secondary Radius server host and the key.

ip source-interface radius z.z.z.z –>This is the source of the AAA conversation from the device to the ACS box, either it should be management interface or the ip that is configured on the ACS box for this particular device.

Refer to http://afrozahmad.com/blog/hp/aaa-configuration-for-hp-a-and-e-series-switches/

0 comments

Post a Comment

Introduce myself

Chat Box

Google Maps

Visitor Locations

Lunar Calendar

Link URL

Followers

Tham khảo Blogroll