
Configuring AAA, Overview – H3C Technologies H3C S6300 Series Switches User Manual


Configuring AAA

Overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. AAA specifies the following security functions:

Authentication—Identifies users and verifies their validity.

Authorization—Grants different users different rights, and controls the users' access to resources and services. For example, you can permit office users to read and print files and prevent guests from accessing files on the device.

Accounting—Records network usage details of users, including the service type, start time, and
traffic. This function enables time-based and traffic-based charging and user behavior auditing.

AAA uses a client/server model. The client runs on the access device, or the network access server (NAS), which authenticates user identities and controls user access. The server maintains user information centrally. See Figure 1.

Figure 1 AAA network diagram

To access networks or resources beyond the NAS, a user sends its identity information to the NAS. The NAS transparently passes the user information to AAA servers and waits for the authentication, authorization, and accounting result. Based on the result, the NAS determines whether to permit or deny the access request.

AAA has various implementations, including RADIUS, HWTACACS, and LDAP. RADIUS is most often used.

The network in Figure 1 has one RADIUS server and one HWTACACS server. You can use different servers to implement different security functions. For example, you can use the HWTACACS server for authentication and authorization, and use the RADIUS server for accounting.

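
The split described above (HWTACACS for authentication and authorization, RADIUS for accounting) could be configured on the NAS as sketched below. This is an added example, not taken from this manual page: the scheme names `hwtac` and `rd`, the ISP domain `bbb`, the 192.0.2.x server addresses, and the `<shared-key>` placeholders are assumptions. Lines starting with `#` are annotations for the reader, not commands.

```text
# Added example (Comware CLI). Names, addresses and keys are placeholders.
system-view

# HWTACACS scheme: one server handles authentication and authorization.
# 192.0.2.10 is a constructed address from the documentation range.
hwtacacs scheme hwtac
 primary authentication 192.0.2.10
 primary authorization 192.0.2.10
 key authentication simple <shared-key>
 key authorization simple <shared-key>
 user-name-format without-domain
 quit

# RADIUS scheme: used for accounting only.
# 192.0.2.20 is a constructed address from the documentation range.
radius scheme rd
 primary accounting 192.0.2.20
 key accounting simple <shared-key>
 user-name-format without-domain
 quit

# ISP domain: binds each AAA function to the scheme that serves it.
domain bbb
 authentication default hwtacacs-scheme hwtac
 authorization default hwtacacs-scheme hwtac
 accounting default radius-scheme rd
 quit

# Check which scheme each function resolves to.
display domain bbb
```

Each shared key must match the key configured for this NAS on the corresponding server, and users who log in as `user@bbb` are handled by this domain.
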
You can choose the security functions provided by AAA as needed. For example, if your company wants employees to be authenticated before they access specific resources, you would deploy an authentication server. If network usage information is needed, you would also configure an accounting server.

The device performs dynamic password authentication.

Figure 1 labels: Remote user, NAS, RADIUS server, HWTACACS server, Internet, Network