H3C S7500 Series Ethernet Switches Operation Manual

Operation Manual – AAA & RADIUS & HWTACACS & EAD
Chapter 1 AAA & RADIUS & HWTACACS Configuration
• Local authentication: User information (including user name, password, and attributes) is configured on the device itself. Local authentication is fast and lowers operational cost, but the number of users that can be stored is limited by the device hardware.
• Remote authentication: Users are authenticated remotely through the RADIUS protocol or the HWTACACS protocol. The device (for example, an H3C series switch) acts as a client of the RADIUS server or TACACS server. For RADIUS, both the standard and the extended RADIUS protocol can be used.
II. Authorization
AAA supports the following authorization methods:
• Direct authorization: Users are trusted and authorized directly.
• Local authorization: Users are authorized according to the attributes configured for their local accounts on the device.
• RADIUS authorization: Users are authorized after they pass RADIUS authentication. RADIUS combines authentication and authorization; you cannot perform RADIUS authorization without RADIUS authentication.
• HWTACACS authorization: Users are authorized by the TACACS server.
III. Accounting
AAA supports the following accounting methods:
• No accounting: No accounting is performed for users.
• Remote accounting: User accounting is performed through a remote RADIUS server or TACACS server.
Generally, AAA is based on a client/server model, where the client acts as the managed resource and the server stores the user information. This model scales well and facilitates the centralized management of user information.
1.1.2 Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a user name in the format userid@isp-name, the isp-name following the @ character is the ISP domain name. The access device uses userid as the user name for authentication and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may belong to different domains. Because the users of different ISPs may have different attributes (such as different user name and password compositions, and different service types and rights), ISP domains are used to distinguish between them.
You can configure a set of ISP domain attributes (including the AAA policy and the RADIUS scheme) for each ISP domain independently in ISP domain view.
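The following Python example, added here and not taken from the manual or from H3C's software, shows how an access device would split a userid@isp-name login into user name and domain, look up the AAA policy configured for that domain, and reject a policy that breaks the rule stated above (RADIUS authorization without RADIUS authentication). The domain table, the per-domain policy fields and the fallback domain name "system" are constructed assumptions for the illustration, not values taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical per-domain AAA policy; the method names mirror the
# authentication, authorization and accounting options described above.
@dataclass(frozen=True)
class DomainPolicy:
    authentication: str   # "local" or "radius" or "hwtacacs"
    authorization: str    # "direct", "local", "radius" or "hwtacacs"
    accounting: str       # "none", "radius" or "hwtacacs"
    scheme: Optional[str] = None  # name of the RADIUS/HWTACACS scheme, if any

# Constructed sample domain table (assumption: the device falls back to a
# domain called "system" when the login carries no @isp-name suffix).
DEFAULT_DOMAIN = "system"
DOMAINS: Dict[str, DomainPolicy] = {
    "system": DomainPolicy("local", "local", "none"),
    "isp1": DomainPolicy("radius", "radius", "radius", scheme="rad-isp1"),
    "isp2": DomainPolicy("hwtacacs", "hwtacacs", "hwtacacs", scheme="tac-isp2"),
    # Deliberately inconsistent entry: RADIUS authorization without RADIUS
    # authentication is not allowed, so resolve_policy() must reject it.
    "broken": DomainPolicy("local", "radius", "none", scheme="rad-x"),
}

def split_user(login: str, default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str]:
    """Return (userid, isp-name) for a login of the form userid@isp-name.

    A login without '@' is assigned the default domain. If the login
    contains several '@' characters, the text after the last one is taken
    as the domain (an assumption; the page does not specify this case).
    """
    if "@" not in login:
        return login, default_domain
    userid, _, isp = login.rpartition("@")
    if not userid or not isp:
        raise ValueError("user name and domain name must both be non-empty")
    return userid, isp

def validate_policy(policy: DomainPolicy) -> None:
    """Enforce the consistency rule from the text: RADIUS combines
    authentication and authorization, so RADIUS authorization requires
    RADIUS authentication."""
    if policy.authorization == "radius" and policy.authentication != "radius":
        raise ValueError("RADIUS authorization requires RADIUS authentication")
    if policy.authentication in ("radius", "hwtacacs") and not policy.scheme:
        raise ValueError("remote authentication needs a configured scheme")

def resolve_policy(login: str, domains: Dict[str, DomainPolicy] = DOMAINS,
                   default_domain: str = DEFAULT_DOMAIN) -> Tuple[str, str, DomainPolicy]:
    """Map a login to (userid, domain, policy) the way an access device would
    before choosing local or remote authentication."""
    userid, isp = split_user(login, default_domain)
    if isp not in domains:
        raise LookupError(f"unknown ISP domain: {isp}")
    policy = domains[isp]
    validate_policy(policy)
    return userid, isp, policy

if __name__ == "__main__":
    for login in ("alice@isp1", "bob", "carol@isp2"):
        uid, dom, pol = resolve_policy(login)
        print(f"{login:12} -> user={uid} domain={dom} auth={pol.authentication} "
              f"authz={pol.authorization} acct={pol.accounting}")
```

Resolving the domain before anything else is what lets one access device apply a different authentication source, authorization method and accounting target to users of different ISPs; the validation step catches a misconfigured domain at lookup time rather than at the first failed login.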