CHAPTER 93: AAA/RADIUS/HWTACACS CONFIGURATION
speed and low cost, but the amount of information that can be stored is
limited by the hardware.
■ Remote authentication: Both the RADIUS and HWTACACS protocols are supported. In this approach, the device (such as a router or switch) acts as the client and communicates with a RADIUS or HWTACACS server. With RADIUS, you can use the standard RADIUS protocol or the extended RADIUS protocol to complete authentication in collaboration with systems such as iTELLIN/CAMS.
Authorization
AAA supports the following authorization methods:
■ Direct authorization: All users are trusted and authorized without any check; a user gets the default rights of the system.
■ Local authorization: Users are authorized according to the attributes configured for them on the device.
■ RADIUS authorization: RADIUS authorization is bound to RADIUS authentication and can work only after RADIUS authentication succeeds, because the authorization information is carried in the RADIUS authentication response (the attributes of the Access-Accept packet).
■ HWTACACS authorization: Users are authorized by an HWTACACS server. Unlike RADIUS, HWTACACS performs authorization in an exchange separate from authentication.
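The RADIUS authorization method above depends on the authorization attributes arriving inside the authentication response, so the device must confirm that the Access-Accept really came from its configured server before it applies those attributes. The Python below is an added example, not code from the manual or from the device vendor: it builds an Access-Request with the User-Password hiding of RFC 2865, builds the server's Access-Accept carrying a Service-Type attribute, and shows the client-side Response Authenticator check that gates the authorization data. The shared secret, username, identifier and attribute values are constructed for the example; MD5 is used because the protocol specifies it.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example: the secret, identifiers and names are not from the manual.
SHARED_SECRET = b"example-shared-secret"   # assumed secret shared by the NAS and the server
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
SERVICE_TYPE_ADMINISTRATIVE = 6             # RFC 2865 Service-Type value "Administrative-User"


def encode_attrs(attrs):
    """Encode [(type, value)] as RFC 2865 Type/Length/Value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLV attributes; reject truncated entries and lengths below the 2-byte header."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def recover_password(hidden, secret, req_auth):
    """Server side: undo hide_password (the chaining runs over the hidden blocks)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, req_auth=None):
    """NAS side: Access-Request carrying User-Name and the hidden User-Password."""
    req_auth = req_auth or os.urandom(16)   # Request Authenticator must be fresh and unpredictable
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(request, secret, code, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(request, response, secret):
    """NAS side: (code, attrs) if the response is authentic for this request, else None.
    Authorization attributes in an Access-Accept are applied only after this check passes."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    body = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    try:
        return code, decode_attrs(body)
    except ValueError:
        return None


if __name__ == "__main__":
    req = build_access_request(7, "alice@isp1", "s3cret", SHARED_SECRET)
    accept = build_response(req, SHARED_SECRET, CODE_ACCESS_ACCEPT,
                            [(ATTR_SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE.to_bytes(4, "big"))])
    print(verify_response(req, accept, SHARED_SECRET))
    forged = accept[:-1] + bytes([accept[-1] ^ 0x01])   # tamper with the Service-Type value in transit
    print(verify_response(req, forged, SHARED_SECRET))  # None: the authorization is not applied
```

The client refuses an Accept whose attributes were altered in transit, one produced with a different secret, and one whose Identifier does not match the outstanding request; that check is all that stands between a forged Access-Accept and administrative rights on the device, so the strength of the shared secret and its per-server scoping matter as much as the server's user database.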
Accounting
AAA supports the following accounting methods:
■ No accounting: The system performs no accounting for users.
■ Local accounting: Local accounting is used to limit the number of connections of each local user and to collect statistics on the number of users; it does not provide billing statistics. Note that limiting the connections of local users does not affect local authentication and authorization.
■ Remote accounting: Accounting is performed remotely by a RADIUS server or an HWTACACS server.
AAA usually uses a client/server model: the client runs on the device that controls user access, and the server stores the user information. This framework gives AAA good scalability and centralized management of user information. Being a management framework rather than a protocol, AAA can be implemented through multiple protocols; currently it is implemented on the basis of RADIUS or HWTACACS.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format, the isp-name following the @ sign is the ISP domain name: the access device treats the userid part as the username for authentication and the isp-name part as the domain name.
In a network with multiple ISPs, an access device may serve users of different ISPs. Because users of different ISPs may have different user attributes (such as username and password structure, service type, and rights), you need to configure an ISP domain for each ISP and to configure a different attribute set, including the AAA policies (such as the RADIUS schemes), for each domain. Since the domain name is taken from the username the user supplies, the suffix effectively selects which domain's AAA policy applies, so every domain name that users may present needs an explicit configuration.
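As an added example, not code from the manual, the Python below shows how an access device can apply the userid@isp-name rule: it splits the username, looks up the AAA policy of the resulting domain, and rejects a username whose suffix matches no configured domain rather than falling through to some other policy. The domain table and scheme names, the system fallback domain for usernames with no suffix, the strip_domain flag (whether the suffix is removed before the name is sent to that domain's server) and the choice to split at the last @ are all assumptions of the example.

```python
# Constructed ISP-domain table for this example (domain and scheme names are assumptions, not from the manual).
DOMAINS = {
    "isp1": {"authentication": "radius-scheme isp1", "authorization": "radius-scheme isp1",
             "accounting": "radius-scheme isp1", "strip_domain": False},
    "isp2": {"authentication": "hwtacacs-scheme isp2", "authorization": "hwtacacs-scheme isp2",
             "accounting": "hwtacacs-scheme isp2", "strip_domain": True},
    "system": {"authentication": "local", "authorization": "local",
               "accounting": "none", "strip_domain": True},
}
DEFAULT_DOMAIN = "system"   # assumed fallback for usernames that carry no "@isp-name" suffix


def split_username(name):
    """userid@isp-name -> (userid, isp-name); (userid, None) when there is no suffix.
    Splitting at the last '@' is an assumption of this example, so 'a@b@isp1' lands in isp1."""
    if "@" not in name:
        return name, None
    userid, _, domain = name.rpartition("@")
    return userid, domain


def resolve_aaa(name, domains=DOMAINS, default=DEFAULT_DOMAIN):
    """Return (domain, username sent to the server, AAA methods) or raise ValueError.
    The suffix is user-controlled input: it may select a configured domain, never an unconfigured one."""
    userid, domain = split_username(name)
    if domain is None:
        domain = default
    if not userid or not domain:
        raise ValueError("empty userid or domain name in " + repr(name))
    if domain not in domains:
        raise ValueError("unknown ISP domain: " + repr(domain))
    policy = domains[domain]
    send_name = userid if policy["strip_domain"] else userid + "@" + domain
    return domain, send_name, {k: policy[k] for k in ("authentication", "authorization", "accounting")}


if __name__ == "__main__":
    for name in ("alice@isp1", "bob@isp2", "carol", "a@b@isp1", "mallory@isp9", "@isp1", "alice@"):
        try:
            print(name, "->", resolve_aaa(name))
        except ValueError as err:
            print(name, "-> rejected:", err)
```

A username with an unknown suffix is rejected before any server is contacted; mapping such names to the default domain instead would let a user pick the weakest policy on the device simply by choosing a suffix.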