Aaa for mpls l3vpns, Protocols and standards – H3C Technologies H3C S12500-X Series Switches User Manual

13

commands. For more information about command authorization, see Fundamentals Configuration

Guide.

•

Command accounting—When command authorization is disabled, command accounting enables
the accounting server to record all valid commands executed on the device. When command

authorization is enabled, command accounting enables the accounting server to record all

authorized commands. For more information about command accounting, see Fundamentals

Configuration Guide.

•

User role authentication—Authenticates each user who wants to obtain a temporary user role

without logging out or getting disconnected. For more information about temporary user role
authorization, see Fundamentals Configuration Guide.

159B

AAA for MPLS L3VPNs

In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy

AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For

example, in the network shown in

684H

Figure 9

, you can deploy the AAA across VPNs feature, so that the PE

at the left side of the MPLS backbone serves as a NAS and transparently delivers the AAA packets of

private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication.
Authentication packets of private users in different VPNs do not affect each other.

Figure 9 Network diagram

160B

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, HWTACACS, and LDAP:

•

RFC 2865, Remote Authentication Dial In User Service (RADIUS)

•

RFC 2866, RADIUS Accounting

•

RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support

•

RFC 2868, RADIUS Attributes for Tunnel Protocol Support

•

RFC 2869, RADIUS Extensions

•

RFC 1492, An Access Control Protocol, Sometimes Called TACACS

•

RFC 1777, Lightweight Directory Access Protocol

•

RFC 2251, Lightweight Directory Access Protocol (v3)