SROS Command Line Interface Reference Guide

Global Configuration Mode Command Set

Technology Review (Continued)

AAA stands for authentication, authorization, and accounting. The Secure Router OS AAA subsystem currently supports authentication. Authentication is the means by which a user is granted access to the device (router). For instance, a username/password is authenticated before the user can use the CLI. VPN clients can also have their username/password verified before they are granted access through the device.

There are several methods that can be used to authenticate a user:

NONE: Instant access

LINE-PASSWORD: Use the line password (telnet 0-4 or console 0-1)

ENABLE-PASSWORD: Use the enable password

LOCAL-USERS: Use the local user database

GROUP <groupname>: Use a group of remote RADIUS servers

The AAA system allows the user to create a named list of these methods to try in order (in case one fails, it falls to the next one). This named list is then attached to a portal (telnet 0-4 or console 0-1). When a user telnets in or accesses the terminal, the AAA system uses the methods from the named list to authenticate the user.

The AAA system must be turned on to be active. By default it is off. Use the aaa on command to activate the AAA system.

If a portal is not explicitly assigned a named list, the name default is automatically assigned to it. The user can customize the default list just like any other list. If no default list is configured, the following default behavior applies (defaults are based on portal):

Instant access (NONE) is assigned to the CONSOLE using the default list (when the list has not been configured).

The local user database is used for TELNETS using the default list (when the list has not been configured).

No access is granted for FTP access using the default list (when the list has not been configured).

Methods fail (and therefore cause the system to proceed to the next configured method) under circumstances such as the following:

LINE and ENABLE passwords fall through if there is no LINE or ENABLE password configured.

LOCAL USERS fall through if the given user is not in the database.

RADIUS servers fall through if the given server(s) cannot be contacted on the network.

Example

For a default list defined with the order [LINE, ENABLE, LOCAL, and GROUP mygroup], the following statements are true:

If there is no LINE password, the list falls through to the ENABLE password.

If there is no ENABLE password, the AAA system prompts the user for a username and password for the local user database.

If the given user is not in the local list, the username and password are handed to the remote servers defined in mygroup.

A failure at any point (password not matching) denies access.
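The fall-through rules above, modelled as an added Python example (this is not code from the HP manual or from SROS). The method names, the DeviceState fields and the rule that a fully exhausted list denies access are assumptions of this model; the manual only defines the per-method fall-through and mismatch behaviour.

```python
"""Model of SROS-style AAA method-list fall-through (added example, not HP code)."""
from dataclasses import dataclass, field
from typing import Optional

FALL_THROUGH = "fall-through"   # method unavailable: try the next one in the list

@dataclass
class DeviceState:               # constructed device state; field names are this example's own
    line_password: Optional[str] = None       # line password (telnet 0-4 / console 0-1)
    enable_password: Optional[str] = None     # enable password
    local_users: dict = field(default_factory=dict)    # local user database: user -> password
    radius_groups: dict = field(default_factory=dict)  # group -> (reachable, {user: password})

def try_method(method, state, username, password):
    """Apply one method: return 'accept', 'deny', or FALL_THROUGH per the manual's rules."""
    if method == "NONE":                       # instant access
        return "accept"
    if method == "LINE":                       # falls through if no line password is set
        if state.line_password is None:
            return FALL_THROUGH
        return "accept" if password == state.line_password else "deny"
    if method == "ENABLE":                     # falls through if no enable password is set
        if state.enable_password is None:
            return FALL_THROUGH
        return "accept" if password == state.enable_password else "deny"
    if method == "LOCAL":                      # falls through if the user is not in the database
        if username not in state.local_users:
            return FALL_THROUGH
        return "accept" if state.local_users[username] == password else "deny"
    if method.startswith("GROUP "):            # falls through if the RADIUS group is unreachable
        reachable, users = state.radius_groups.get(method[6:], (False, {}))
        if not reachable:
            return FALL_THROUGH
        return "accept" if users.get(username) == password else "deny"
    raise ValueError(f"unknown method {method!r}")

def authenticate(method_list, state, username, password):
    """Walk the list in order; the first accept/deny is final (a password mismatch never
    falls through). Exhausting the list denies: an assumption, the manual does not say."""
    for method in method_list:
        verdict = try_method(method, state, username, password)
        if verdict != FALL_THROUGH:
            return verdict, method
    return "deny", None

if __name__ == "__main__":       # the manual's example list, with constructed credentials
    state = DeviceState(local_users={"alice": "s3cret"},
                        radius_groups={"mygroup": (True, {"bob": "radiuspw"})})
    print(authenticate(["LINE", "ENABLE", "LOCAL", "GROUP mygroup"], state, "bob", "radiuspw"))
```

Note that with no LINE or ENABLE password configured, the first two methods are skipped silently and the console default list (NONE) grants instant access, so the model makes visible which method actually produced each verdict.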

5991-2114

© Copyright 2005 Hewlett-Packard Development Company, L.P.

207
