Aaa implementation on the device – H3C Technologies H3C S6300 Series Switches User Manual

2. After receiving the request, the LDAP client establishes a TCP connection with the LDAP server.

3. To obtain the right to search, the LDAP client uses the administrator DN and password to send an administrator bind request to the LDAP server.

4. The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an acknowledgement to the LDAP client.

5. The LDAP client sends a user DN search request with the username of the Telnet user to the LDAP server.

6. After receiving the request, the LDAP server searches for the user DN by the base DN, search scope, and filtering conditions. If a match is found, the LDAP server sends a response to notify the LDAP client of the successful search. There might be one or more user DNs found.

7. The LDAP client uses the obtained user DN and the entered user password as parameters to send a user DN bind request to the LDAP server, which checks whether the user password is correct.

8. The LDAP server processes the request, and sends a response to notify the LDAP client of the bind operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the parameter to send a user DN bind request to the LDAP server. This process continues until a DN is bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client notifies the user of the login failure and denies the user's access request.

9. The LDAP client and server perform authorization exchanges. If another scheme (for example, an HWTACACS scheme) is expected for authorization, the LDAP client exchanges authorization packets with the HWTACACS authorization server instead.

10. After successful authorization, the LDAP client notifies the user of the successful login.
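The sequence in steps 3 through 8 (administrator bind, user DN search, then one user bind attempt per returned DN) is simulated below. This is an added example, not H3C code: an in-memory directory stands in for the LDAP server, ldap_authenticate() plays the device's LDAP client, and both sides' messages are recorded in a trace. The administrator DN, base DN, usernames and passwords are constructed sample values; the refusal of an empty password is a client-side check added here because, per RFC 4513, a bind request carrying a DN and an empty password is an unauthenticated bind that some servers answer with success.

```python
"""Simulation of the LDAP login sequence (steps 2 to 8 of the manual)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(password: str) -> str:
    """Store only a digest of each password in the mock directory."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class MockLdapServer:
    """Stand-in for the LDAP server: answers bind and search requests."""
    admin_dn: str
    admin_digest: str
    entries: dict = field(default_factory=dict)   # DN -> (attributes, password digest)
    log: list = field(default_factory=list)       # message trace, both directions

    def add_user(self, dn: str, uid: str, password: str) -> None:
        self.entries[dn] = ({"uid": uid}, _digest(password))

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind request -> bind response (steps 3/4 and 7/8)."""
        self.log.append(f"C->S bindRequest dn={dn}")
        if dn == self.admin_dn:
            ok = hmac.compare_digest(self.admin_digest, _digest(password))
        else:
            entry = self.entries.get(dn)
            ok = entry is not None and hmac.compare_digest(entry[1], _digest(password))
        self.log.append(f"S->C bindResponse {'success' if ok else 'invalidCredentials'}")
        return ok

    def search(self, base_dn: str, uid: str) -> list:
        """Subtree search under base_dn for entries whose uid matches (steps 5/6)."""
        self.log.append(f"C->S searchRequest base={base_dn} filter=(uid={uid})")
        found = [dn for dn, (attrs, _) in self.entries.items()
                 if dn.endswith(base_dn) and attrs.get("uid") == uid]
        self.log.append(f"S->C searchResultDone entries={len(found)}")
        return found


def ldap_authenticate(server, admin_dn, admin_password, base_dn, username, user_password):
    """Client side of steps 3 to 8. Returns (authenticated, detail)."""
    # Added check: never send a user bind with an empty password (RFC 4513 unauthenticated bind).
    if not user_password:
        return False, "empty password rejected"
    # Steps 3/4: administrator bind to obtain the right to search.
    if not server.bind(admin_dn, admin_password):
        return False, "administrator bind failed"
    # Steps 5/6: search the user DN by username; zero, one or more DNs may come back.
    candidate_dns = server.search(base_dn, username)
    if not candidate_dns:
        return False, "user DN not found"
    # Steps 7/8: bind with each DN in turn until one succeeds or all have failed.
    for dn in candidate_dns:
        if server.bind(dn, user_password):
            return True, dn
    return False, "all user DNs failed to bind"


def build_sample_directory():
    """Constructed sample directory: 'alice' exists under two OUs with different passwords."""
    server = MockLdapServer(admin_dn="cn=admin,dc=example,dc=com",
                            admin_digest=_digest("admin-pw"))
    server.add_user("uid=alice,ou=staff,dc=example,dc=com", "alice", "staff-pw")
    server.add_user("uid=alice,ou=contractors,dc=example,dc=com", "alice", "contract-pw")
    server.add_user("uid=bob,ou=staff,dc=example,dc=com", "bob", "bob-pw")
    return server


if __name__ == "__main__":
    srv = build_sample_directory()
    print(ldap_authenticate(srv, "cn=admin,dc=example,dc=com", "admin-pw",
                            "dc=example,dc=com", "alice", "contract-pw"))
    print("\n".join(srv.log))
```

Running the block shows step 8 in action: the first DN returned for "alice" rejects the password, and the client moves on to the second DN before reporting success. The trace also makes visible why the administrator credentials deserve least-privilege treatment on the server: every login first binds as that account.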

AAA implementation on the device

This section describes AAA user management and methods.

User management based on ISP domains and user access types

AAA manages users based on the users' ISP domains and access types. On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a user belongs based on the username entered by the user at login.

Figure 8 Determining the ISP domain for a user by username

AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:

LAN—LAN users must pass 802.1X or MAC authentication to come online.