3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

24 CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
Accounting
AAA supports the following accounting methods:
None accounting: no accounting required.
Remote accounting: conducted through a RADIUS server or TACACS server.
Note: Currently, the security gateway supports accounting of PPP users and Telnet users only,
but it does not support real-time accounting of Telnet users.
AAA usually utilizes a Client/Server model, where the client controls user access
and the server stores user information. The framework of AAA thus allows for
good scalability and centralized user information management. Being a
management framework, AAA can be implemented using multiple protocols. In
Comware, AAA is implemented based on RADIUS or HWTACACS.
Introduction to the RADIUS Protocol
What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information
exchange protocol based on the Client/Server model. RADIUS protects the network
from unauthorized access and is often used in network environments that require
both high security and remote user access. For example, it is commonly used to
manage a large number of scattered dial-in users who connect over serial ports and
modems. The RADIUS system is an important auxiliary part of a Network Access
Server (NAS).
The RADIUS service involves three components:
Protocol: RADIUS runs over UDP/IP. RFC 2865 and RFC 2866 define the RADIUS
frame format and the message transfer mechanism, and specify UDP port 1812 for
authentication and UDP port 1813 for accounting.
Server: The RADIUS server runs on a central computer or workstation and holds
the user authentication and network service access information.
Client: Located on the Network Access Server (NAS) side; it can be placed
anywhere in the network.
As the RADIUS client, the NAS (a switch or a router) is responsible for passing user
information to a designated RADIUS server and acts on the response returned
from the server (such as connecting/disconnecting users). The RADIUS server
receives user connection requests, authenticates users, and returns the required
information to the NAS.
In general, the RADIUS server maintains three databases, namely, Users, Clients
and Dictionary, as shown in the following figure. "Users" stores user information
such as username, password, applied protocols, and IP address; "Clients" stores
information about RADIUS clients such as shared key; and "Dictionary" stores the
information for interpreting RADIUS protocol attributes and their values.
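The following example is added here and is not code from the 3Com guide or from Comware. It shows, in terms of the RFC 2865 frame format described above, what the shared key stored in the server's "Clients" database is used for on the wire: hiding the User-Password attribute in an Access-Request and letting the NAS verify the Response Authenticator of the server's reply. The shared key and user credentials below are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2           # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2      # RFC 2865 attribute types

def attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_request(ident, user, password, secret):
    request_auth = os.urandom(16)  # NAS side: fresh random Request Authenticator per request
    hidden = hide_password(password, secret, request_auth)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hidden)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    """NAS side: accept a reply only if its authenticator matches; otherwise drop it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

A reply whose authenticator fails this check, or that arrives with an unexpected Identifier, should be discarded by the NAS; the check is only as strong as the secrecy of the per-client shared key.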