configure an authentication server. If network usage information is expected to be recorded, you also
need to configure an accounting server.
As described above, AAA provides a uniform framework to implement network security management. It
is a security mechanism that enables authenticated and authorized entities to access specific resources
and records operations of the entities. As the AAA framework allows for excellent scalability and
centralized user information management, it has gained wide application.
AAA can be implemented through multiple protocols. Currently, the device supports using RADIUS,
which is often used in practice. For details about RADIUS, refer to RADIUS Configuration.
Introduction to ISP Domain
An Internet service provider (ISP) domain represents a group of users. For a username in the
userid@isp-name format, the access device considers the userid part the username for authentication
and the isp-name part the ISP domain name.
In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. As
users of different ISPs may have different user attributes (such as username and password structure,
service type, and rights), you need to configure ISP domains to distinguish the users. In addition, you
need to configure different attribute sets including AAA methods for the ISP domains.
For the NAS, each user belongs to an ISP domain. If a user does not provide the ISP domain name, the
system considers that the user belongs to the default ISP domain.
Configuring AAA
Configuration Prerequisites
1)
To deploy local authentication, you need to configure local users on the access device. Refer to
User Configuration for details.
2)
To deploy remote authentication, authorization, or accounting, you need to create the RADIUS
schemes to be referenced. For details about RADIUS scheme configuration, refer to RADIUS
Configuration.
Configuration Task List
Perform the tasks in
Table 1-1
to configure AAA.
1-2