Table of Contents
1 AAA Overview
  Introduction to AAA
  Introduction to RADIUS
    Client/Server Model
    Security and Authentication Mechanisms
    Basic Message Exchange Process of RADIUS
    RADIUS Packet Format
    Extended RADIUS Attributes
  Introduction to HWTACACS
    Differences Between HWTACACS and RADIUS
    Basic Message Exchange Process of HWTACACS
  Domain-Based User Management
  Protocols and Standards
  RADIUS Attributes
    Commonly Used Standard RADIUS Attributes
    Proprietary RADIUS Sub-Attributes of H3C
2 AAA Configuration
  AAA Configuration Considerations and Task List
  Configuring AAA Schemes
    Configuring Local Users
    Configuring RADIUS Schemes
    Configuring HWTACACS Schemes
  Configuring AAA Methods for ISP Domains
    Configuration Prerequisites
    Creating an ISP Domain
    Configuring ISP Domain Attributes
    Configuring AAA Authentication Methods for an ISP Domain
    Configuring AAA Authorization Methods for an ISP Domain
    Configuring AAA Accounting Methods for an ISP Domain
  Tearing Down User Connections Forcibly
  Configuring a NAS ID-VLAN Binding
  Displaying and Maintaining AAA
3 AAA Configuration Examples
  AAA Configuration Examples
    AAA for Telnet Users by an HWTACACS Server
    AAA for Telnet Users by Separate Servers
    Authentication/Authorization for SSH/Telnet Users by a RADIUS Server
    AAA for Portal Users by a RADIUS Server
    AAA for 802.1X Users by a RADIUS Server
    Level Switching Authentication for Telnet Users by an HWTACACS Server