To configure AAA, perform the following tasks:
Tasks at a glance
(Required.) Perform at least one of the following tasks to configure local users or AAA schemes:
• Configuring local users
• Configuring RADIUS schemes
• Configuring HWTACACS schemes
• Configuring LDAP schemes
(Required.) Configure AAA methods for ISP domains:
1. (Required.) Creating an ISP domain
2. (Optional.) Configuring ISP domain attributes
3. (Required.) Perform at least one of the following tasks to configure AAA authentication, authorization, and accounting methods for the ISP domain:
   • Configuring authentication methods for an ISP domain
   • Configuring authorization methods for an ISP domain
   • Configuring accounting methods for an ISP domain
(Optional.) Enabling the session-control feature
(Optional.) Setting the maximum number of concurrent login users
Configuring AAA schemes
This section includes information on configuring local users, RADIUS schemes, HWTACACS schemes,
and LDAP schemes.
Configuring local users
To implement local authentication, authorization, and accounting, create local users and configure user
attributes on the device. The local users and attributes are stored in the local user database on the device.
A local user is uniquely identified by the combination of a username and a user type. Local users are
classified into the following types:
• Device management user—User who logs in to the device for device management.
• Network access user—User who accesses network resources through the device.
The following shows the configurable local user attributes:
• Service type—Services that the user can use. Local authentication checks the service types of a local
user. If none of the service types is available, the user cannot pass authentication.
Service types include FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.
• User state—There are two user states: active and blocked. A user in active state can request
network services. A user in blocked state cannot request authentication, authorization, and
accounting services, but it can request to stop the accounting service in use.
• Upper limit of concurrent logins using the same user name—Maximum number of users who can
concurrently access the device by using the same user name. When the number of local users using
the same user name reaches the upper limit, no more local users can access the device by using that
user name.
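The following is an added configuration example, not taken from the guide itself; it assumes Comware 7 CLI syntax and uses constructed user names, a constructed domain name, and placeholder passwords. It shows the local user attributes described above in practice: a device management user restricted to a single service type and a concurrent login limit, a network access user in blocked state, and an ISP domain that uses local methods.

```text
#
# Constructed example (Comware 7 syntax assumed). Passwords are placeholders.
#
system-view
#
# Device management user: SSH only (other service types fail local
# authentication), at most two concurrent sessions with this user name,
# explicit user role instead of the default.
local-user ops-admin class manage
 password simple ExamplePass123
 service-type ssh
 authorization-attribute user-role network-admin
 access-limit 2
 state active
 quit
#
# Network access user in blocked state: cannot request authentication,
# authorization, or accounting, but can still stop accounting in use.
local-user contractor01 class network
 password simple ExamplePass456
 service-type lan-access
 state block
 quit
#
# ISP domain that applies local methods to login users (see the ISP domain
# tasks in "Tasks at a glance").
domain corp
 authentication login local
 authorization login local
 accounting login local
 quit
#
# Check the resulting attributes (service type, state, access limit).
display local-user user-name ops-admin class manage
```

The `display local-user` output is the quickest way to confirm that a user has only the intended service types and that the state and access limit took effect before the user is handed out.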