beautypg.com

Introduction to isp domain, Configuring aaa, Configuration prerequisites – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 424

background image

37-2

In the AAA network shown in

Figure 37-1

, there are two RADIUS servers. You can determine which of

the authentication, authorization and accounting functions should be assumed by which servers. For

example, you can use RADIUS server 1 for authentication and authorization, and RADIUS server 2 for

accounting.

The three security functions are described as follows:

Authentication: Identifies remote users and judges whether a user is legal.

Authorization: Grants different users different rights. For example, a user logging into the server

can be granted the permission to access and print the files in the server.

Accounting: Records all network service usage information of users, including the service type,

start and end time, and traffic. In this way, accounting can be used for not only charging, but also

network security surveillance.

You can use AAA to provide only one or two security functions, if desired. For example, if your company

only wants employees to be authenticated before they access specific resources, you only need to

configure an authentication server. If network usage information is expected to be recorded, you also

need to configure an accounting server.

As described above, AAA provides a uniform framework to implement network security management. It

is a security mechanism that enables authenticated and authorized entities to access specific resources

and records operations of the entities. As the AAA framework allows for excellent scalability and

centralized user information management, it has gained wide application.

AAA can be implemented through multiple protocols. Currently, the device supports using RADIUS,

which is often used in practice. For details about RADIUS, refer to

MAC Address Configuration

.

Introduction to ISP Domain

An Internet service provider (ISP) domain represents a group of users. For a username in the

userid@isp-name format, the access device considers the userid part the username for authentication

and the isp-name part the ISP domain name.

In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. As

users of different ISPs may have different user attributes (such as username and password structure,

service type, and rights), you need to configure ISP domains to distinguish the users. In addition, you

need to configure different attribute sets including AAA methods for the ISP domains.

For the NAS, each user belongs to an ISP domain. If a user does not provide the ISP domain name, the

system considers that the user belongs to the default ISP domain.

Configuring AAA

Configuration Prerequisites

1) To deploy local authentication, you need to configure local users on the access device. Refer to

Users

for details.

2) To deploy remote authentication, authorization, or accounting, you need to create the RADIUS

schemes to be referenced. For details about RADIUS scheme configuration, refer to

MAC Address

Configuration

.