beautypg.com

Domain-based user management – H3C Technologies H3C SecBlade LB Cards User Manual

Page 56

background image

45

9.

The user enters the password.

10.

After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that carries the login password.

11.

The HWTACACS server sends back an authentication response to indicate that the user has

passed authentication.

12.

The HWTACACS client sends the user authorization request packet to the HWTACACS server.

13.

The HWTACACS server sends back the authorization response, indicating that the user is now
authorized.

14.

Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user.

15.

The HWTACACS client sends a start-accounting request to the HWTACACS server.

16.

The HWTACACS server sends back an accounting response, indicating that it has received the

start-accounting request.

17.

The user logs off.

18.

The HWTACACS client sends a stop-accounting request to the HWTACACS server.

19.

The HWTACACS server sends back a stop-accounting response, indicating that the

stop-accounting request has been received.

Domain-based user management

A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS
determines the ISP domain for a user by the username entered by the user at login, as shown in

Figure

26

.

Figure 26 Determining the ISP domain of a user by the username

Authentication, authorization, and accounting of a user depends on the AAA methods configured for the

domain that the user belongs to. If no specific AAA methods are configured for the domain, the default

methods are used. By default, a domain uses local authentication, local authorization, and local
accounting.
AAA allows you to manage login users, including SSH, Telnet, Web, FTP, and terminal users.
In addition, AAA provides the following services for login users to enhance device security:

Command authorization—Enables the NAS to defer to the authorization server to determine
whether a command entered by a login user is permitted, and allows login users to execute only
authorized commands. For more information about command authorization, see System

Management Configuration Guide.

This manual is related to the following products: