beautypg.com

Domain-based user management – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 25

background image

11

4.

The LDAP server processes the request. If the bind operation is successful, the LDAP server sends an

acknowledgement to the LDAP client.

5.

The LDAP client uses the username of the Telnet user to send a user DN search request to the LDAP
server.

6.

After receiving the request, the LDAP server searches for the user DN by the base DN, search
scope and filtering conditions. If a match is found, the LDAP server sends a response to notify the

LDAP client of the successful search. There can be one or multiple user DNs found.

7.

The LDAP client uses the obtained user DN and the entered user password as parameters to send
a user DN bind request to the LDAP server, which checks whether the user password is correct.

8.

The LDAP server processes the request, and sends a response to notify the LDAP client of the bind
operation result. If the bind operation fails, the LDAP client uses another obtained user DN as the

parameter to send a User DN Bind Request to the LDAP server. This process goes on until a DN is
bound successfully or all DNs fail to be bound. If all user DNs fail to be bound, the LDAP client

notifies the user of the login failure and denies the user's access request.

9.

The LDAP client and server exchange authorization messages. If another scheme, for example, an
HWTACACS scheme, is expected for authorization, the LDAP client exchanges authorization

messages with the HWTACACS authorization server instead.

10.

After successful authorization, the LDAP client notifies the user of the successful login.

Domain-based user management

A NAS manages users based on Internet service provider (ISP) domains. In each ISP domain, there are

a collection of users.
On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain a user belongs to

by the username entered by the user at login.

Figure 8 Determining the ISP domain of a user by the username

The authentication, authorization, and accounting of a user depends on the AAA methods configured for

the domain that the user belongs to. If no specific AAA methods are configured for the domain, the
default methods are used. By default, a domain uses local authentication, local authorization, and local

accounting.
AAA allows you to manage users based on their access types:

LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the
network.