configured with a managed client range, the RADIUS server processes only the RADIUS packets
from the clients within the management range. A shared key is used to ensure secure
communication between a RADIUS client and the RADIUS server.
• RADIUS authentication and authorization. RADIUS accounting is not supported.
Upon receiving a RADIUS packet, a device working as the RADIUS server checks whether the sending
client is under its management. If yes, it verifies the packet validity by using the shared key, checks
whether there is an account with the username, whether the password is correct, and whether the user
attributes meet the requirements defined on the RADIUS server (for example, whether the account has
expired). Then, the RADIUS server assigns the corresponding authority to the client if the authentication
succeeds, or denies the client if the authentication fails.
NOTE:
A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication
requests, but an HP switch acting as the RADIUS server listens on UDP port 1645 instead. When you use
an HP switch as the RADIUS server, be sure to specify 1645 as the authentication port number on the
RADIUS client.
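The server-side checks described above can be traced in a short sketch. This is an added example, not HP's implementation: it assumes PAP-style User-Password hiding as defined in RFC 2865, and the managed range, shared key, account table and function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

# Constructed sample configuration (assumptions, not values from the guide).
MANAGED_RANGE = ipaddress.ip_network("192.0.2.0/24")
SHARED_KEY = b"example-shared-key"
ACCOUNTS = {"alice": {"password": b"correct horse", "expires": 4102444800}}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def xor_stream(data, key, authenticator, decrypt):
    """RFC 2865 5.2 hiding: c(i) = p(i) XOR MD5(key + c(i-1)), c(0) = Request Authenticator."""
    out, prev = b"", authenticator
    for block in (data[i:i + 16] for i in range(0, len(data), 16)):
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(key + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def build_request(ident, username, password, key, authenticator):
    """Client side; used here only to construct sample packets."""
    hidden = xor_stream(password + b"\x00" * (-len(password) % 16), key, authenticator, False)
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    attrs = tlv(USER_NAME, username) + tlv(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(data):
    """Split the attribute area into {type: value}; None if a length field is invalid."""
    attrs = {}
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            return None
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

def handle_request(src_ip, packet, now):
    """Return the reply packet, or None when the packet is silently discarded."""
    if ipaddress.ip_address(src_ip) not in MANAGED_RANGE or len(packet) < 20:
        return None  # sender is not a managed client, or packet is too short
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = parse_attributes(packet[20:length]) if 20 <= length <= len(packet) else None
    if code != ACCESS_REQUEST or attrs is None:
        return None
    req_auth = packet[4:20]
    account = ACCOUNTS.get(attrs.get(USER_NAME, b"").decode("utf-8", "replace"))
    password = xor_stream(attrs.get(USER_PASSWORD, b""), SHARED_KEY, req_auth, True).rstrip(b"\x00")
    ok = (account is not None and now < account["expires"]
          and hmac.compare_digest(password, account["password"]))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + shared key)
    return header + hashlib.md5(header + req_auth + SHARED_KEY).digest()
```

A client that hides the password with a different shared key is rejected, because the server recovers a different byte string from the User-Password attribute.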
AAA across MPLS L3VPNs
In an MPLS L3VPN scenario where clients in different VPNs need to be centrally authenticated, you can
deploy AAA across VPNs to enable forwarding RADIUS and HWTACACS packets across MPLS VPNs.
With the AAA across VPNs feature, the PE at the left side of the MPLS backbone serves as a NAS and
transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN
3 for centralized authentication, as shown in Figure 9. Authentication packets of private users in different
VPNs do not affect each other.
Figure 9 Network diagram
NOTE:
Together with the AAA across MPLS L3VPNs feature, you can implement portal authentication across
MPLS L3VPNs on MCEs. For more information about MCE, see Layer 3 - IP Routing Configuration Guide.
Protocols and standards
The following protocols and standards are related to AAA, RADIUS, and HWTACACS:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)