HP-UX AAA Server A.08.02 Administrator's Guide
Preparing Your LAN
A LAN requires you to synchronize items on the supplicant, access point, and AAA server. The
following table lists the items you need to synchronize on each node and provides notes on
configuring each item.
Table 32 LAN Configuration Items
| Item | Nodes | Notes |
|---|---|---|
| Shared Secret | Access Device, AAA Server | The shared secret configured on the access device and AAA server must match for the two to communicate. Use the Access Devices link to configure this item on AAA servers. |
| EAP Support | Access Device | Most access devices require you to enable EAP. You do not need to specify an EAP method, but you must enable support for EAP. |
| EAP Method | Client Supplicant, AAA Server | Verify the supplicants support the EAP methods the AAA server supports. Enable EAP on the supplicants. Configure the same EAP method on the supplicant and the AAA server. Use the Local Realms link to configure this item on AAA servers. |
| EAP Tunnel Realm | Client Supplicant, AAA Server | Required for TTLS. Verify the supplicant has an anonymous user configured on it, and configure a tunnel realm for that anonymous user on the AAA server. For example, if supplicant's anonymous user is: anonymous@tunnel.com, you should configure a realm for: tunnel.com. You must configure tunnel realms for TTLS. Configuring tunnel realms for PEAP is optional. Use the Local Realms link to configure this item on AAA servers. |
| Users | AAA Server | The AAA server must have access to a repository with information for each user. Use the Local Realms link and select the users icon to administer a specific set of Users associated with a realm. |
| Client Certificate | Client Supplicant | For TLS only. The digital certificate identifying the client. |
| Client CA Certificate | AAA Server | For TLS only. Used by AAA server to authenticate client certificates. Use the Server Properties link and select Certificate Path Properties. In the Certificate Authority Path field, configure the location of the client CA certificate on the AAA server. |
| Server Certificate | AAA Server | For TLS, TTLS, and PEAP only. The digital certificate identifying the AAA server. Use the Server Properties link and select Certificate Path Properties. In the Certificate Path field, configure the location of the client CA certificate on the AAA server. |
| Server CA Certificate | Client Supplicant | For TLS, TTLS, and PEAP only. Used by clients to authenticate the AAA server certificate. |
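The synchronization rules in Table 32, written as a pre-deployment check over an inventory of nodes. This is an added example, not part of the HP guide; the dictionary field names, node names, and sample values are constructed for illustration and are not HP-UX AAA Server settings.

```python
# Added example. Field names and sample values are constructed for
# illustration; they are not HP-UX AAA Server configuration keys.
CERT_METHODS = {"TLS", "TTLS", "PEAP"}  # need server cert + server CA on client

def check_lan(server, devices, supplicants):
    """Return sorted (node, problem) pairs for unsynchronized Table 32 items."""
    bad = set()
    for d in devices:
        if server["device_secrets"].get(d["name"]) != d["shared_secret"]:
            bad.add((d["name"], "shared secret does not match AAA server"))
        if not d["eap_enabled"]:
            bad.add((d["name"], "EAP support not enabled"))
    for s in supplicants:
        name, method = s["name"], s["eap_method"]
        if method not in server["eap_methods"]:
            bad.add((name, f"EAP method {method} not enabled on AAA server"))
        if method in CERT_METHODS:
            if not s.get("server_ca_cert"):
                bad.add((name, "server CA certificate missing"))
            if not server.get("server_cert"):
                bad.add(("aaa-server", "server certificate missing"))
        if method == "TLS":
            if not s.get("client_cert"):
                bad.add((name, "client certificate missing"))
            if not server.get("client_ca_path"):
                bad.add(("aaa-server", "client CA certificate path missing"))
        if method == "TTLS":  # tunnel realm: required for TTLS, optional for PEAP
            _, at, realm = s.get("anonymous_user", "").rpartition("@")
            if not at or not realm:
                bad.add((name, "TTLS needs an anonymous user with a realm"))
            elif realm not in server["tunnel_realms"]:
                bad.add(("aaa-server", f"no tunnel realm for {realm}"))
    return sorted(bad)

# Constructed sample inventory.
SERVER = {"eap_methods": {"TLS", "TTLS", "PEAP"}, "tunnel_realms": {"tunnel.com"},
          "server_cert": "/constructed/server.pem", "client_ca_path": "",
          "device_secrets": {"ap-1": "secret-A", "ap-2": "secret-B"}}
DEVICES = [{"name": "ap-1", "shared_secret": "secret-A", "eap_enabled": True},
           {"name": "ap-2", "shared_secret": "typo-B", "eap_enabled": False}]
SUPPLICANTS = [
    {"name": "laptop-1", "eap_method": "TTLS", "server_ca_cert": True,
     "anonymous_user": "anonymous@tunnel.com"},
    {"name": "laptop-2", "eap_method": "TTLS", "server_ca_cert": True,
     "anonymous_user": "anonymous@other.example"},
    {"name": "phone-1", "eap_method": "TLS", "client_cert": True},
]
if __name__ == "__main__":
    for node, problem in check_lan(SERVER, DEVICES, SUPPLICANTS):
        print(f"{node}: {problem}")
```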
Determining the EAP Authentication Method to Use
Choose EAP methods based on your security requirements and the clients you support. First, create
an inventory of the clients you support. Clients need specific supplicant software for each EAP
method (LAN access devices need only support EAP). For wireless clients, you must use supplicants
that support the hardware platforms, operating systems, and WLAN cards in your environment.
Ideally, use client hardware and software that allow you to use one EAP method
for all your clients. This may mean avoiding solutions that are proprietary or support only a small
variety of clients.
Next, determine which of the following features are important to you: