3Com 4200G 12-Port Configuration Manual page 182

168 C 23: AAA&RADIUS C
HAPTER
Introduction to ISP
Domain
Introduction to
RADIUS
ONFIGURATION
Generally, AAA adopts the client/server structure, where the client acts as the
managed resource and the server stores user information. This structure has good
scalability and facilitates the centralized management of user information.
An Internet service provider (ISP) domain is a group of users who belong to the same
ISP. For a user name in the format of userid@isp-name, the isp-name following the @
character is the ISP domain name. The access device uses userid as the user name for
authentication, and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may
belong to different domains. Since the users of different ISPs may have different
attributes (such as different compositions of user name and password, different
service types/rights), it is necessary to distinguishes the users by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS
scheme, and so on) for each ISP domain independently in ISP domain view.
AAA is a management framework. It can be implemented by not only one protocol.
But in practice, the most commonly used protocol for AAA is RADIUS.
What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed information
interacting protocol in client/server structure. It can prevent unauthorized access to
the network and is commonly used in network environments where both high
security and remote user access service are required.
The RADIUS service involves three components:
Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the frame format
■
and message transfer mechanism of RADIUS, and define 1812 as the
authentication port and 1813 as the accounting port.
Server: The RADIUS server runs on a computer or workstation at the center. It
■
stores and maintains the information on user authentication and network service
access.
Client: The RADIUS clients run on the dial-in access server device. They can be
■
deployed anywhere in the network.
RADIUS is based on client/server model. Acting as a RADIUS client, the switch passes
user information to a designated RADIUS server, and makes processing (such as
connecting/disconnecting users) depending on the responses returned from the
server. The RADIUS server receives user's connection requests, authenticate users, and
return all required information to the switch.
Generally, the RADIUS server maintains the following three databases (as shown in
Figure 54):
Users: This database stores information about users (such as user name, password,
■
adopted protocol and IP address).
Clients: This database stores the information about RADIUS clients (such as shared
■
keys).
Dictionary: This database stores the information used to interpret the attributes
■
and attribute values of the RADIUS protocol.