Operation Manual – AAA & RADIUS & HWTACACS & EAD
Quidway S3900 Series Ethernet Switches-Release 1510 
Chapter 1  AAA & RADIUS & HWTACACS
Configuration
 
Huawei Technologies Proprietary 
bound together, and you cannot perform RADIUS authorization alone without 
RADIUS authentication. 
•  HWTACACS authorization: Users are authorized by the TACACS server. 
III. Accounting 
AAA supports the following accounting methods: 
•  None accounting: No accounting is performed for users. 
•  Remote accounting: User accounting is performed on the remote RADIUS server 
or TACACS server. 
Generally, AAA adopts the client/server structure, where the client acts as the managed 
resource and the server stores user information. This structure has good scalability and 
facilitates the centralized management of user information. 
1.1.2  Introduction to ISP Domain 
An Internet service provider (ISP) domain is a group of users who belong to the same 
ISP. For a user name in the format of userid@isp-name, the isp-name following the @ 
character is the ISP domain name. The access device uses userid as the user name for 
authentication, and isp-name as the domain name. 
In a multi-ISP environment, the users connected to the same access device may 
belong to different domains. Since the users of different ISPs may have different 
attributes (such as different compositions of user name and password, different service 
types/rights), it is necessary to distinguish the users by setting ISP domains. 
You can configure a set of ISP domain attributes (including AAA policy, RADIUS 
scheme, and so on) for each ISP domain independently in ISP domain view. 
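
The user name handling described in this section, as an added example (not code from the manual or from the switch software): it splits userid@isp-name and looks up the attributes configured for that domain. The domain and scheme names, the default-domain fallback, the last-'@' rule and case-insensitive matching are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainPolicy:
    # Hypothetical per-domain attributes; the manual names "AAA policy" and
    # "RADIUS scheme" as examples of what an ISP domain carries.
    authentication: str        # "radius", "hwtacacs", "local" or "none"
    accounting: str            # "none" or "remote"
    radius_scheme: str | None  # name of the RADIUS scheme, if any


# Constructed sample configuration (all names are illustrative only).
DOMAINS = {
    "isp-a": DomainPolicy("radius", "remote", "scheme-a"),
    "isp-b": DomainPolicy("hwtacacs", "remote", None),
    "default": DomainPolicy("local", "none", None),
}
DEFAULT_DOMAIN = "default"  # assumption: bare user names fall back to this


def split_login(login: str) -> tuple[str, str]:
    """Return (userid, domain) for a login of the form userid@isp-name."""
    # Assumption: the LAST '@' separates the domain, so "a@b@isp-a" keeps
    # "a@b" as userid. Use the same rule on the device and on the server.
    userid, sep, domain = login.strip().rpartition("@")
    if not sep:  # no '@' at all: the whole string is the userid
        userid, domain = domain, DEFAULT_DOMAIN
    if not userid or not domain:
        raise ValueError(f"malformed login: {login!r}")
    # Assumption: domain names are compared case-insensitively.
    return userid, domain.lower()


def policy_for(login: str) -> tuple[str, DomainPolicy]:
    """Resolve the user name to authenticate and the domain policy to apply."""
    userid, domain = split_login(login)
    if domain not in DOMAINS:
        # Fail closed: an unknown domain must not silently inherit the
        # default domain's (possibly weaker) policy.
        raise LookupError(f"unknown ISP domain: {domain!r}")
    return userid, DOMAINS[domain]
```
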
1.1.3  Introduction to RADIUS 
AAA is a management framework that can be implemented by more than one protocol. In 
practice, however, RADIUS is the protocol most commonly used for AAA. 
I. What is RADIUS 
RADIUS (Remote Authentication Dial-In User Service) is a distributed information 
exchange protocol with a client/server structure. It can prevent unauthorized access to the 
network and is commonly used in network environments where both high security and 
remote user access service are required. 
The RADIUS service involves three components: 
•  Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format 
and message transfer mechanism of RADIUS, and define 1812 as the 
authentication port and 1813 as the accounting port.