Authorization; Accounting; Introduction To ISP Domain - H3C S5600 Series Operation Manual


convenient centralized management and is feature-rich. However, to implement remote
authentication, a server is needed and must be configured properly.

Authorization

AAA supports the following authorization methods:
- Direct authorization: Users are trusted and directly authorized.
- Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device.
- RADIUS authorization: Users are authorized after they pass RADIUS authentication. In the RADIUS protocol, authentication and authorization are combined, so authorization cannot be performed on its own without authentication.
- HWTACACS authorization: Users are authorized by a TACACS server.

Accounting

AAA supports the following accounting methods:
- None accounting: No accounting is performed for users.
- Local accounting: It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections.
- Remote accounting: User accounting is performed on a remote RADIUS or TACACS server.

Introduction to ISP Domain

An Internet service provider (ISP) domain is a group of users who belong to the same ISP.
In a multi-ISP environment, the users connected to the same access device may belong to different
domains. Since the users of different ISPs may have different attributes (such as different forms of
username and password, different service types/access rights), it is necessary to distinguish the users
by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS scheme, and so on) for
each ISP domain independently in ISP domain view. Authentication, authorization, and accounting of a
user depend on the AAA methods configured for the domain that the user belongs to. The ISP domain
of a user is determined by the username used for login:
- If the user enters the username in the form of userid@domain-name, the NAS device uses domain domain-name to authenticate the user.
- If the user enters the username in the form of userid, the NAS device uses the default domain to authenticate the user.
The AAA feature allows you to manage users based on their access types:
- LAN users: Users on a LAN who access through, for example, 802.1X authentication or MAC authentication.
- Login users: Users who log in to the device using, for example, SSH, Telnet, and FTP.
This feature allows you to configure different authentication, authorization, and accounting methods for
different users in a domain, or based on their access types if the login username must be in the form of
userid.
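
The domain selection and per-domain method lookup described above, as an added Python model (not H3C code or device configuration). The domain names, the method labels, the "any" fallback key, splitting at the last "@" and rejecting unknown domains are assumptions made for illustration; the audit encodes the rule above that RADIUS authorization cannot be used without RADIUS authentication.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Methods:
    authentication: str  # "local" | "radius" | "hwtacacs"
    authorization: str   # "direct" | "local" | "radius" | "hwtacacs"
    accounting: str      # "none" | "local" | "radius" | "hwtacacs"

DEFAULT_DOMAIN = "system"  # assumed name of the default domain
# Constructed policy: domain -> access type ("lan", "login") -> methods,
# with "any" as the per-domain fallback.
DOMAINS = {
    "system": {"any": Methods("local", "local", "none")},
    "isp-a": {"any": Methods("radius", "radius", "radius"),
              "login": Methods("hwtacacs", "hwtacacs", "hwtacacs")},
    "isp-b": {"any": Methods("local", "radius", "local")},  # inconsistent on purpose
}

def resolve(username, access_type, domains=DOMAINS):
    """Return (userid, domain, methods) for a login name and access type."""
    userid, sep, domain = username.rpartition("@")
    if not sep:                    # plain "userid": use the default domain
        userid, domain = username, DEFAULT_DOMAIN
    if not userid or not domain:   # "@isp-a" or "bob@"
        raise ValueError(f"malformed username: {username!r}")
    if domain not in domains:      # assumption: unknown domains are rejected
        raise LookupError(f"no such ISP domain: {domain!r}")
    policy = domains[domain]
    return userid, domain, policy.get(access_type, policy["any"])

def audit(domains=DOMAINS):
    """List method combinations that should be reviewed before deployment."""
    findings = []
    for name, policy in sorted(domains.items()):
        for access, m in sorted(policy.items()):
            if m.authorization == "radius" and m.authentication != "radius":
                findings.append((name, access,
                                 "RADIUS authorization without RADIUS authentication"))
            if m.authorization == "direct":
                findings.append((name, access, "direct authorization: users are trusted"))
            if m.accounting == "none":
                findings.append((name, access, "no accounting is performed"))
    return findings

if __name__ == "__main__":
    print(resolve("alice", "login"))
    print(resolve("bob@isp-a", "lan"))
    for finding in audit():
        print(finding)
```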

This manual is also suitable for:

S5600-26c, S5600-26c-pwr, S5600-26f, S5600-50c, S5600-50c-pwr
