Introduction to isp domain, Configuring aaa, Configuration prerequisites – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Page 424
37-2
In the AAA network shown in
, there are two RADIUS servers. You can determine which of
the authentication, authorization and accounting functions should be assumed by which servers. For
example, you can use RADIUS server 1 for authentication and authorization, and RADIUS server 2 for
accounting.
The three security functions are described as follows:
Authentication: Identifies remote users and judges whether a user is legal.
Authorization: Grants different users different rights. For example, a user logging into the server
can be granted the permission to access and print the files in the server.
Accounting: Records all network service usage information of users, including the service type,
start and end time, and traffic. In this way, accounting can be used for not only charging, but also
network security surveillance.
You can use AAA to provide only one or two security functions, if desired. For example, if your company
only wants employees to be authenticated before they access specific resources, you only need to
configure an authentication server. If network usage information is expected to be recorded, you also
need to configure an accounting server.
As described above, AAA provides a uniform framework to implement network security management. It
is a security mechanism that enables authenticated and authorized entities to access specific resources
and records operations of the entities. As the AAA framework allows for excellent scalability and
centralized user information management, it has gained wide application.
AAA can be implemented through multiple protocols. Currently, the device supports using RADIUS,
which is often used in practice. For details about RADIUS, refer to
Introduction to ISP Domain
An Internet service provider (ISP) domain represents a group of users. For a username in the
userid@isp-name format, the access device considers the userid part the username for authentication
and the isp-name part the ISP domain name.
In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. As
users of different ISPs may have different user attributes (such as username and password structure,
service type, and rights), you need to configure ISP domains to distinguish the users. In addition, you
need to configure different attribute sets including AAA methods for the ISP domains.
For the NAS, each user belongs to an ISP domain. If a user does not provide the ISP domain name, the
system considers that the user belongs to the default ISP domain.
Configuring AAA
Configuration Prerequisites
1) To deploy local authentication, you need to configure local users on the access device. Refer to
for details.
2) To deploy remote authentication, authorization, or accounting, you need to create the RADIUS
schemes to be referenced. For details about RADIUS scheme configuration, refer to
.