TACACS authentication, and the authorization information is included in the authorization 
response after successful authentication. You can configure backup methods to be used when 
the remote server is not available. 
The device supports the following accounting methods: 
• No accounting—The device does not perform accounting for the users. 
• Local accounting—Local accounting is implemented on the device. It counts and controls the 
number of concurrent users who use the same local user account, but does not provide 
statistics for charging. 
• Remote accounting—The device works with a remote RADIUS server or TACACS server for 
accounting. You can configure backup methods to be used when the remote server is not 
available. 
On the device, each user belongs to one ISP domain. The device determines the ISP domain to 
which a user belongs based on the username entered by the user at login. 
AAA manages users in the same ISP domain based on the users' access types. The device supports 
the following user access types: 
• LAN—LAN users must pass 802.1X authentication to come online. 
• Login—Login users include Telnet, FTP, and terminal users who log in to the device. Terminal 
users can access through a console or AUX port. 
• Portal—Portal users. 
In a networking scenario with multiple ISPs, the device can connect to users of different ISPs. The 
device supports multiple ISP domains, including a system-defined ISP domain named system. One 
of the ISP domains is the default domain. If a user does not provide an ISP domain name for 
authentication, the device treats the user as belonging to the default ISP domain. 
The device chooses an authentication domain for each user in the following order: 
1. The authentication domain specified for the access module (for example, 802.1X). 
2. The ISP domain in the username. 
3. The default ISP domain of the device. 
RADIUS 
RADIUS protocol 
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction 
protocol that uses a client/server model. The protocol can protect networks against unauthorized 
access and is often used in network environments that require both high security and remote user 
access. 
The RADIUS client runs on the NASs located throughout the network. It passes user information to 
RADIUS servers and acts on the responses to, for example, reject or accept user access requests. 
The RADIUS server runs on the computer or workstation at the network center and maintains 
information related to user authentication and network service access. 
RADIUS uses UDP to transmit packets. The RADIUS client and server exchange information with 
the help of shared keys. 
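The shared key itself is never sent in a packet. In standard RADIUS (RFC 2865), the server proves knowledge of it through the 16-byte authenticator field of each reply, which the NAS recomputes and compares. The following Python code is an added example, not code from this guide or from the device; the key, identifier, and attribute values are constructed samples, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes (RFC 2865)


def build_response(code, identifier, request_auth, attributes, secret):
    """Server side: the reply's Authenticator field is
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def verify_response(packet, request_id, request_auth, secret):
    """NAS side: accept a reply only if it matches the pending request
    and its authenticator was computed with the shared key."""
    if len(packet) < 20:
        return False                  # shorter than the fixed 20-byte header
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False                  # Length field disagrees with the datagram
    packet = packet[:length]          # bytes past Length are padding, ignored
    if identifier != request_id:
        return False                  # reply to some other request
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-shared-key"
REQ_ID = 7
REQ_AUTH = bytes(range(16))               # random in a real Access-Request
REPLY_MSG = bytes([18, 9]) + b"welcome"   # attribute 18 (Reply-Message), length 9
GOOD = build_response(ACCESS_ACCEPT, REQ_ID, REQ_AUTH, REPLY_MSG, SECRET)
FORGED = build_response(ACCESS_ACCEPT, REQ_ID, REQ_AUTH, REPLY_MSG, b"wrong-key")
REJECT = build_response(ACCESS_REJECT, REQ_ID, REQ_AUTH, REPLY_MSG, SECRET)
TAMPERED = bytes([ACCESS_ACCEPT]) + REJECT[1:]   # Reject rewritten to Accept in transit

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("forged", FORGED), ("tampered", TAMPERED)):
        print(name, verify_response(pkt, REQ_ID, REQ_AUTH, SECRET))
```

A reply built with a different key, or one whose code was changed after the server computed the authenticator, fails the comparison and must be discarded by the NAS.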
When AAA is implemented by a remote RADIUS server, configure the RADIUS server settings on 
the device that acts as the NAS for the users. 
Enhanced RADIUS features 
The device supports the following enhanced RADIUS features: