Command Reference Guide

SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 207
Technology Review (Continued)
AAA stands for authentication, authorization, and accounting. The Secure Router OS AAA subsystem currently
supports authentication. Authentication is the means by which a user is granted access to the device (router).
For instance, a username/password is authenticated before the user can use the CLI. VPN clients can also
verify username/password before getting access through the device.
There are several methods that can be used to authenticate a user:
NONE  Instant access
LINE-PASSWORD  Use the line password (telnet 0-4 or console 0-1)
ENABLE-PASSWORD  Use the enable password
LOCAL-USERS  Use the local user database
GROUP <groupname>  Use a group of remote RADIUS servers
The AAA system allows the user to create a named list of these methods to try in order (in case one fails, it falls
to the next one). This named list is then attached to a portal (telnet 0-4 or console 0-1). When a user telnets in or
accesses the terminal, the AAA system uses the methods from the named list to authenticate the user.
The AAA system must be turned on to be active. By default it is off. Use the aaa on command to activate the AAA system.
If a portal is not explicitly assigned a named list, the name default is automatically assigned to it. The user can customize the default list just like any other list. If no default list is configured, the following default behavior applies (defaults are based on portal):
Instant access (NONE) is assigned to the CONSOLE using the default list (when the list has not been configured).
The local user database is used for TELNETS using the default list (when the list has not been configured).
No access is granted for FTP access using the default list (when the list has not been configured).
Methods fail (and therefore cause the system to proceed to the next configured method) under circumstances such as the following:
LINE and ENABLE passwords fall through if there is no LINE or ENABLE password configured.
LOCAL USERS fall through if the given user is not in the database.
RADIUS servers fall through if the given server(s) cannot be contacted on the network.
Example
For a default list defined with the order [LINE, ENABLE, LOCAL, and GROUP mygroup], the following statements are true:
If there is no LINE password, the list falls through to the ENABLE password.
If there is no ENABLE password, the AAA system prompts the user for a username and password for the local user database.
If the given user is not in the local list, the username and password are handed to the remote servers defined in mygroup.
A failure at any point (password not matching) denies access.
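The following simulation is an added example, not Secure Router OS code, written to make the fall-through rules above and the [LINE, ENABLE, LOCAL, GROUP mygroup] example concrete. It models the three distinct outcomes a method can produce: it accepts the user, it rejects the credential (access denied, no further methods tried), or it is not usable in this situation (no line or enable password configured, user absent from the local database, no RADIUS server in the group reachable), in which case the next method is tried. The per-portal defaults for an unconfigured default list (console: NONE, telnet: local users, ftp: no access) are taken from the text; the Device class, the function names, the portal strings such as "telnet 0", the representation of a RADIUS group as a list of servers, and all usernames and passwords are constructed for this example.

```python
"""Simulation of Secure Router OS style AAA method-list evaluation.

Added example, not the router's own code. Method names, fall-through rules
and per-portal defaults follow the reference text; all data structures,
function names and sample credentials are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Outcomes of trying a single method
ALLOW = "allow"         # method authenticated the user
DENY = "deny"           # method applied and rejected the credential
FALL_THROUGH = "next"   # method not usable here, try the next one in the list

# Behaviour when no "default" list has been configured (keyed by portal type)
BUILTIN_DEFAULTS = {
    "console": ["NONE"],         # instant access on the console
    "telnet": ["LOCAL-USERS"],   # local user database for telnet
    "ftp": [],                   # no access for FTP
}


@dataclass
class Device:
    """Constructed model of the AAA-relevant parts of a router's configuration."""
    aaa_on: bool = False
    line_password: Optional[str] = None
    enable_password: Optional[str] = None
    local_users: Dict[str, str] = field(default_factory=dict)   # username -> password
    # group name -> list of servers; None means the server cannot be contacted,
    # otherwise a dict of username -> password the server would accept
    radius_groups: Dict[str, List[Optional[Dict[str, str]]]] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=dict)   # list name -> ordered methods
    portal_lists: Dict[str, str] = field(default_factory=dict)  # portal ("telnet 0") -> list name


def try_method(dev: Device, method: str, username: str, password: str) -> str:
    """Apply one method and report ALLOW, DENY or FALL_THROUGH."""
    if method == "NONE":
        return ALLOW
    if method == "LINE-PASSWORD":
        if dev.line_password is None:
            return FALL_THROUGH            # no line password configured
        return ALLOW if password == dev.line_password else DENY
    if method == "ENABLE-PASSWORD":
        if dev.enable_password is None:
            return FALL_THROUGH            # no enable password configured
        return ALLOW if password == dev.enable_password else DENY
    if method == "LOCAL-USERS":
        if username not in dev.local_users:
            return FALL_THROUGH            # user not in the local database
        return ALLOW if dev.local_users[username] == password else DENY
    if method.startswith("GROUP "):
        group = method.split(" ", 1)[1]
        for server in dev.radius_groups.get(group, []):
            if server is None:
                continue                   # unreachable server, try the next server
            # first reachable server answers; a mismatch is a denial, not a fall-through
            return ALLOW if server.get(username) == password else DENY
        return FALL_THROUGH                # no server in the group could be contacted
    raise ValueError(f"unknown method {method!r}")


def authenticate(dev: Device, portal: str, username: str, password: str
                 ) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the method list attached to the portal; return (decision, trace)."""
    if not dev.aaa_on:
        raise RuntimeError("AAA is off ('aaa on' not configured); lists are not evaluated")
    list_name = dev.portal_lists.get(portal, "default")   # unassigned portals use "default"
    if list_name in dev.lists:
        methods = dev.lists[list_name]
    elif list_name == "default":
        methods = BUILTIN_DEFAULTS.get(portal.split()[0], [])   # "telnet 0" -> "telnet"
    else:
        raise ValueError(f"portal {portal!r} references undefined list {list_name!r}")
    trace = []
    for method in methods:
        result = try_method(dev, method, username, password)
        trace.append((method, result))
        if result in (ALLOW, DENY):
            return result, trace           # a definite answer stops the walk
    return DENY, trace                     # list exhausted (or empty): no access


def demo() -> Dict[str, Tuple[str, List[Tuple[str, str]]]]:
    """Reproduce the [LINE, ENABLE, LOCAL, GROUP mygroup] example with constructed data."""
    dev = Device(
        aaa_on=True,
        local_users={"alice": "localpw"},
        radius_groups={"mygroup": [None, {"bob": "radiuspw"}]},   # first server down
        lists={"default": ["LINE-PASSWORD", "ENABLE-PASSWORD", "LOCAL-USERS", "GROUP mygroup"]},
    )
    return {
        "alice_ok": authenticate(dev, "telnet 0", "alice", "localpw"),
        "alice_bad": authenticate(dev, "telnet 0", "alice", "wrong"),     # denied, RADIUS never asked
        "bob_radius": authenticate(dev, "telnet 0", "bob", "radiuspw"),   # not local, RADIUS accepts
    }


if __name__ == "__main__":
    for name, (decision, trace) in demo().items():
        print(f"{name}: {decision}  via {trace}")
```

The point worth checking in a real configuration is the one `alice_bad` shows: a wrong password against a method that does apply is a denial, and the list stops there, whereas an unusable method (no password set, user absent, group unreachable) silently hands the attempt to the next method. Listing LINE or ENABLE ahead of a stricter method therefore only helps if those passwords are actually configured.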