Preface ·········································································································································································· 3

Audience ············································································································································································ 3

Conventions ······································································································································································· 3

About the H3C S9500E documentation set ··················································································································· 5

AAA configuration ····················································································································································· 14

Introduction to AAA ······················································································································································· 14

Introduction to RADIUS ·················································································································································· 15

Client/Server model ·············································································································································· 15

Security and authentication mechanisms ············································································································ 16

Basic message exchange process of RADIUS ···································································································· 16

RADIUS packet format ·········································································································································· 17

Extended RADIUS attributes ································································································································· 22

Introduction to HWTACACS ········································································································································· 22

Differences between HWTACACS and RADIUS ································································································ 22

Basic message exchange process of HWTACACS ··························································································· 23

Domain-based user management ································································································································· 25

AAA-across-VPNs ··························································································································································· 26

Protocols and standards ················································································································································ 26

AAA configuration task list ··········································································································································· 27

Configuring AAA ··························································································································································· 28

Configuration prerequisites ·································································································································· 28

Creating an ISP domain ······································································································································· 28

Configuring ISP domain attributes ······················································································································· 29

Configuring AAA authentication method for an ISP domain············································································ 30

Configuring AAA authorization methods for an ISP domain ··········································································· 31

Configuring AAA accounting methods for an ISP domain ··············································································· 33

Configuring local user attributes ·························································································································· 34

Configuring user group attributes ························································································································ 36

Disconnect user connections ································································································································ 37

Configuring a NAS ID-VLAN binding ················································································································· 37

Displaying and maintaining AAA ································································································································ 38

Configuring RADIUS ······················································································································································ 38

Creating a RADIUS scheme ································································································································· 38

Specifying the VPN instance ································································································································ 39

Specifying the RADIUS authentication/authorization servers ·········································································· 39

Specifying the RADIUS accounting servers and relevant parameters ····························································· 40

Specifying the shared keys for RADIUS packets ································································································ 41

Setting the upper limit of RADIUS request retransmission attempts ·································································· 42

Setting the supported RADIUS server type ·········································································································· 42