1-2
requirements. For example, you can use the HWTACACS server for authentication and authorization,
and the RADIUS server for accounting.
The three security functions are described as follows:
z
Authentication: Identifies remote users and judges whether a user is legal.
z
Authorization: Grants different users different rights. For example, a user logging into the server
can be granted the permission to access and print the files in the server.
z
Accounting: Records all network service usage information of users, including the service type,
start and end time, and traffic. In this way, accounting can be used for not only charging, but also
network security surveillance.
You can use AAA to provide only one or two security functions, if desired. For example, if your
company only wants employees to be authenticated before they access specific resources, you only
need to configure an authentication server. If network usage information is expected to be recorded,
you also need to configure an accounting server.
As described above, AAA provides a uniform framework to implement network security management.
It is a security mechanism that enables authenticated and authorized entities to access specific
resources and records operations of the entities. The AAA framework thus allows for excellent
scalability and centralized user information management.
AAA can be implemented through multiple protocols. Currently, the device supports using RADIUS,
HWTACACS for AAA, and RADIUS is often used in practice.
Introduction to RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol
in a client/server model. RADIUS can protect networks against unauthorized access and is often used
in network environments where both high security and remote user access are required. Based on
UDP, RADIUS uses UDP port 1812 for authentication and 1813 for accounting. RADIUS defines the
RADIUS packet format and message transfer mechanism.
RADIUS was originally designed for dial-in user access. With the diversification of access methods,
RADIUS has been extended to support more access methods, for example, Ethernet access and
ADSL access. It uses authentication and authorization in providing access services and uses
accounting to collect and record usage information of network resources.
Client/Server Model
z
Client: The RADIUS client runs on the NASs located throughout the network. It passes user
information to designated RADIUS servers and acts on the responses (for example, rejects or
accepts user access requests).
z
Server: The RADIUS server runs on the computer or workstation at the network center and
maintains information related to user authentication and network service access. It listens to
connection requests, authenticates users, and returns the processing results (for example,
rejecting or accepting the user access request) to the clients.
In general, the RADIUS server maintains three databases, namely, Users, Clients, and Dictionary, as
shown in
Figure 1-2
:
Summary of Contents for 4210G Series
Page 459: ...4 8...
Page 493: ...12 1...
Page 968: ...19 6 000f e235 dc71 1 Config static GigabitEthernet 1 0 1 NOAGED 1 mac address es found...