3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
Configuring AAA
Creating an ISP Domain and Setting the Related Attributes
Creating an ISP domain
An Internet service provider (ISP) domain is a group of users that belong to the
same ISP. For a username in the userid@isp-name format,
gw20010608@3com163.net for example, the isp-name (3com163.net) following
the @ sign is the ISP domain name. When receiving a connection request from a
user named userid@isp-name, the security gateway system considers the userid
part as the username for authentication and the isp-name part as the domain
name.
The purpose of introducing ISP domain settings is to support the multi-ISP
application environment, where one access device might provide access for users
of different ISPs. Because the attributes of ISP users, such as username and
password formats, can differ, you must differentiate them by setting ISP
domains. In ISP domain view, you can configure a complete set of exclusive ISP
domain attributes on a per-ISP domain basis, including an AAA scheme.
For 3Com Series Security Gateways, each supplicant belongs to an ISP domain. Up
to 16 domains can be configured in the system. If a user has not reported its ISP
domain name, the system puts it into the default domain.
Perform the following configurations in system view.
By default, the default ISP domain in the system is system.
Configuring an AAA scheme
Users can configure authentication, authorization and accounting schemes in the
following two modes.
1 AAA binding mode
In this mode, you can use the scheme command to specify a scheme. If you
choose the RADIUS or HWTACACS scheme, the corresponding RADIUS or
HWTACACS server performs the authentication, authorization and accounting
tasks. That is, you cannot specify different schemes for authentication,
authorization and accounting respectively. If you use the local scheme, only
authentication and authorization are implemented, not accounting.
When the radius-scheme radius-scheme-name local or hwtacacs-scheme
hwtacacs-scheme-name local command is configured, the local scheme applies as
a backup scheme in case the RADIUS or TACACS server is not available. If the
RADIUS or TACACS server is available, local authentication is not used.
If the local scheme applies as the first scheme, only local authentication is
performed and the RADIUS, HWTACACS or none scheme cannot be adopted. If
the none scheme applies as the first scheme, no RADIUS or HWTACACS scheme
can be adopted.
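The binding-mode rules above, together with the userid@isp-name split described at the start of this section, as an added Python sketch (not 3Com code). The scheme names rs1 and ht1, the function names, splitting at the last @, and returning no method when the server is down and no backup is configured are assumptions of the example.

```python
# Added illustration of the binding-mode rules in the text; not device code.
DEFAULT_DOMAIN = "system"                      # default ISP domain per the text
REMOTE = ("radius-scheme", "hwtacacs-scheme")  # schemes served by an AAA server


def split_username(name, default_domain=DEFAULT_DOMAIN):
    """Split userid@isp-name; a name without a domain gets the default domain.
    Splitting at the last '@' is an assumption of this sketch."""
    userid, sep, domain = name.rpartition("@")
    if not sep or not domain:
        return name.rstrip("@"), default_domain
    return userid, domain


def parse_scheme(args):
    """Validate the argument of the scheme command; return (first, backup).
    Only the forms named in the text are accepted."""
    tok = args.split()
    if tok in (["local"], ["none"]):
        return tok[0], None                    # nothing may follow local or none
    if len(tok) in (2, 3) and tok[0] in REMOTE and tok[2:] in ([], ["local"]):
        return tok[0], "local" if tok[2:] else None
    raise ValueError("not a valid binding-mode scheme: %r" % args)


def resolve(args, server_reachable):
    """Return (method, accounting) for one login attempt."""
    first, backup = parse_scheme(args)
    if first in REMOTE and not server_reachable:
        # The backup applies only when the server is unavailable. With no
        # backup configured this sketch returns no method (assumption: deny).
        method = backup
    else:
        method = first                         # a reachable server is always used
    # The text says local does no accounting; treating none the same way
    # is an assumption.
    return method, method in REMOTE


if __name__ == "__main__":
    print(split_username("gw20010608@3com163.net"))
    for args, up in [("radius-scheme rs1 local", True),
                     ("radius-scheme rs1 local", False),
                     ("hwtacacs-scheme ht1", False), ("local", True)]:
        print(args, "| server up:", up, "->", resolve(args, up))
```

In this model a login that falls back to local while the server is unreachable comes back with accounting set to False, so those sessions are the ones to look for when reconciling accounting records after an outage.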
Table 13  Create/delete an ISP domain

Operation                                                      Command
Create an ISP domain or enter the view of a specified domain.  domain { isp-name | default { disable | enable isp-name } }
Remove a specified ISP domain.                                 undo domain isp-name