H3C Technologies H3C S12500-X Series Switches User Manual


NOTE:

The device also provides authentication modules (such as 802.1X) for implementing user authentication management policies. If you configure these authentication modules, the ISP domains for users of those access types depend on the configuration of the authentication modules rather than on the AAA settings described here.

AAA methods

AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user, and uses the methods configured for that access type in the domain to control the user's access.

AAA also supports configuring a set of default methods for an ISP domain. These default methods are used for users for whom no specific AAA methods are configured.
The device supports the following authentication methods:

• No authentication—This method trusts all users and performs no authentication at all. For security purposes, do not use this method.

• Local authentication—The NAS authenticates users by itself, based on locally configured user information, including usernames, passwords, and attributes. Local authentication is fast and inexpensive, but the amount of user information it can hold is limited by the storage space on the device.

• Remote authentication—The NAS works with a RADIUS, HWTACACS, or LDAP server to authenticate users. Remote authentication provides centralized information management, high capacity, high reliability, and a centralized authentication service shared by multiple NASs. You can configure backup methods (for example, local authentication) to be used when the remote server is not available.

The device supports the following authorization methods:

• No authorization—The NAS performs no authorization exchange. After passing authentication, users can access the network, except FTP users. When an FTP user passes authentication, the working directory is set to the root directory of the NAS, but the user cannot access this directory.

• Local authorization—The NAS performs authorization according to the user attributes locally configured for the users.

• Remote authorization—The NAS works with a RADIUS, HWTACACS, or LDAP server to authorize users. RADIUS authorization is bound to RADIUS authentication: it can work only after RADIUS authentication succeeds, because the authorization information is carried in the Access-Accept packet, so the RADIUS scheme used for authorization must be the same one used for authentication. HWTACACS authorization is a separate exchange from HWTACACS authentication, and the authorization information is returned in the authorization response after successful authentication. You can configure backup methods to be used when the remote server is not available.

The device supports the following accounting methods:

• No accounting—The NAS does not perform accounting for the users.

• Local accounting—Accounting is implemented on the NAS. It counts and limits the number of concurrent users who use the same local user account, but does not provide statistics for charging.

• Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting (LDAP is not supported for accounting). You can configure backup methods to be used when the remote server is not available.
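The following configuration is an added example, not taken from this manual, showing how the authentication, authorization, and accounting methods above map onto an ISP domain on a Comware 7 based switch such as the S12500-X. The weak block shows the "no authentication / no authorization / no accounting" setting the manual warns against; the hardened block uses HWTACACS with local backup for the login access type and local default methods for everything else. The scheme name `tac`, the domain `mgmt`, the server addresses, the shared key, the local account, and the VTY range are assumptions; verify the exact command syntax against the command reference for your software version.

```text
# Added example (not from the manual). Names, addresses and keys are assumptions.

# --- Weak setting: trusts every login user, no authorization, no accounting ---
# Do not use this; it is shown only to contrast with the hardened version below.
domain mgmt
 authentication login none
 authorization login none
 accounting login none
#

# --- Hardened setting ---
# HWTACACS scheme with primary and secondary servers for all three AAA functions.
# The switch falls through to the secondary server, then to the domain's backup
# method (local), only when no server responds.
hwtacacs scheme tac
 primary authentication 192.0.2.10
 primary authorization 192.0.2.10
 primary accounting 192.0.2.10
 secondary authentication 192.0.2.11
 secondary authorization 192.0.2.11
 secondary accounting 192.0.2.11
 key authentication simple Tac-Shared-Key-Example
 key authorization simple Tac-Shared-Key-Example
 key accounting simple Tac-Shared-Key-Example
 user-name-format without-domain
 nas-ip 192.0.2.1
#
# Local break-glass account, used only when the HWTACACS servers are unreachable.
local-user netops class manage
 password simple Str0ng-Local-Pw-Example!
 service-type ssh terminal
 authorization-attribute user-role network-admin
#
# Domain methods. The login access type gets remote-first, local-backup methods;
# "default" methods cover any access type without its own configuration.
domain mgmt
 authentication default local
 authorization default local
 accounting default local
 authentication login hwtacacs-scheme tac local
 authorization login hwtacacs-scheme tac local
 accounting login hwtacacs-scheme tac local
 authorization command hwtacacs-scheme tac local
 accounting command hwtacacs-scheme tac
#
# Users who log in without an @domain suffix are placed in this domain.
domain default enable mgmt
#
# VTY lines: scheme (AAA) authentication, SSH only, and per-command
# authorization and accounting against the domain's command methods.
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
 command authorization
 command accounting
#
```

With this configuration, an SSH login is authenticated and authorized by the HWTACACS servers, each command is checked against the server before it runs, and the `netops` local account only becomes usable when neither server answers. Because RADIUS authorization rides on the Access-Accept, the same split (remote first, local backup) can be written with `radius-scheme` instead of `hwtacacs-scheme` for authentication and authorization, but per-command authorization requires HWTACACS.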

In addition, the device provides the following login services to enhance device security:

• Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted, and allows login users to execute only authorized