3Com Switch 8800 Advanced Software V5 Configuration Guide

880 CHAPTER 70: AAA, RADIUS AND HWTACACS CONFIGURATION
speed and low cost, but the amount of information that can be stored is
limited by the hardware.
Remote authentication: Both the RADIUS and HWTACACS protocols are supported. In this approach, the device acts as the client and communicates with the RADIUS or HWTACACS server. With RADIUS, you can use the standard RADIUS protocol or the extended RADIUS protocol to complete authentication in collaboration with systems such as CAMS.
Authorization
AAA supports the following authorization methods:
Direct authorization: All users are trusted and authorized. A user gets the default rights of the system.
Local authorization: Users are authorized according to the attributes configured for them on the device.
HWTACACS authorization: Users are authorized by an HWTACACS server.
RADIUS authorization: RADIUS authorization is special in that users are authorized only after they pass authentication; in other words, authorization is bound to authentication. When applying a RADIUS scheme, you must specify the same scheme for authentication and for authorization; only then does the RADIUS authorization process work. The authorization information is carried in the RADIUS authentication response.
Accounting
AAA supports the following accounting methods:
None accounting: The system keeps no accounting records for users.
Local accounting: Local accounting controls the number of local user connections and collects statistics on the number of users.
Remote accounting: Accounting is performed remotely by a RADIUS server or an HWTACACS server.
AAA usually uses a client/server model, where the client runs on the device that controls user access and the server stores user information. The AAA framework thus allows for excellent scalability and centralized user information management. Being a management framework, AAA can be implemented through multiple protocols. Currently, AAA is implemented based on RADIUS or HWTACACS.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format, the isp-name following the @ sign is the ISP domain name. The access device considers the userid part the username for authentication and the isp-name part the domain name.

In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. Since users of different ISPs may have different user attributes (such as username and password structure, service type, and rights), it is required to configure ISP domains for them and to configure different attribute sets, including the AAA policies (such as the RADIUS schemes), for the ISP domains.
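The two rules this chapter states, the userid@isp-name split that selects an ISP domain and the requirement that RADIUS authorization use the same scheme as authentication, as an added Python model (example code, not the switch's software); the default domain name "system", the split at the last "@", and the domain and scheme names are constructed assumptions:

```python
from dataclasses import dataclass

def split_username(login: str, default_domain: str = "system") -> tuple[str, str]:
    """'userid@isp-name' -> (userid, isp-name). The part after the '@' names the ISP
    domain; the part before it is the username for authentication. A login without
    '@' goes to default_domain, and the split is at the last '@' (both assumptions)."""
    if "@" not in login:
        return login, default_domain
    userid, _, isp_name = login.rpartition("@")
    if not userid or not isp_name:
        raise ValueError(f"malformed username: {login!r}")
    return userid, isp_name

@dataclass
class DomainAAA:
    """AAA policy of one ISP domain. Scheme strings are constructed for this example:
    'local', 'direct', 'none', or '<protocol>:<scheme-name>'."""
    name: str
    authentication: str
    authorization: str
    accounting: str

def check_domain(domain: DomainAAA) -> list[str]:
    """Rule from this section: RADIUS authorization is bound to authentication (the
    authorization data rides in the RADIUS authentication response), so a domain using
    RADIUS authorization must use the same RADIUS scheme for authentication."""
    problems = []
    if domain.authorization.startswith("radius:") and domain.authorization != domain.authentication:
        problems.append(f"{domain.name}: RADIUS authorization '{domain.authorization}' requires "
                        f"authentication with the same scheme, not '{domain.authentication}'")
    return problems

# Constructed sample domain table (domain and scheme names are made up).
DOMAINS = {
    "isp-a": DomainAAA("isp-a", "radius:rad1", "radius:rad1", "radius:rad1"),
    "isp-b": DomainAAA("isp-b", "local", "radius:rad1", "none"),  # mis-bound RADIUS authorization
}

def resolve(login: str, domains: dict[str, DomainAAA] = DOMAINS) -> tuple[str, DomainAAA]:
    """Map a login to (userid, domain policy), rejecting unknown or mis-configured domains."""
    userid, isp_name = split_username(login)
    if isp_name not in domains:
        raise LookupError(f"no ISP domain configured for {isp_name!r}")
    domain = domains[isp_name]
    if problems := check_domain(domain):
        raise ValueError("; ".join(problems))
    return userid, domain
```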