9.
The user enters the password.
10.
After receiving the login password, the HWTACACS client sends the HWTACACS server a
continue-authentication packet that includes the login password.
11.
If the authentication succeeds, the HWTACACS server sends back an authentication response to
indicate that the user has passed authentication.
12.
The HWTACACS client sends a user authorization request packet to the HWTACACS server.
13.
If the authorization succeeds, the HWTACACS server sends back an authorization response,
indicating that the user is now authorized.
14.
Knowing that the user is now authorized, the HWTACACS client pushes its CLI to the user and
permits the user to log in.
15.
The HWTACACS client sends a start-accounting request to the HWTACACS server.
16.
The HWTACACS server sends back an accounting response, indicating that it has received the
start-accounting request.
17.
The user logs off.
18.
The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19.
The HWTACACS server sends back a stop-accounting response, indicating that the
stop-accounting request has been received.
AAA implementation on the device
This section describes AAA user management and methods.
User management based on ISP domains and user access types
AAA manages users based on their ISP domains and access types.
On a NAS, each user belongs to one ISP domain. Typically, a NAS determines the ISP domain a user
belongs to by the username entered by the user at login.
Figure 7 Determining the ISP domain for a user by the username
AAA manages users in the same ISP domain based on their access types. The device only supports the
login users. Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal
users can access through console ports.
9