12
•
LAN
—LAN users must pass 802.1X or MAC authentication to come online.
•
Login
—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal
users can access through console ports.
•
Portal
—Portal users must pass portal authentication to access the network.
•
Web
—Web users log in to the Web interface of the device through HTTP or HTTPS.
NOTE:
The device also provides authentication modules (such as 802.1X) for implementation of user
authentication management policies. If you configure these authentication modules, the ISP domains for
users of the access types depend on the configuration of the authentication modules.
AAA methods
AAA supports configuring different authentication, authorization, and accounting methods for different
types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS
also uses the methods configured for the access type in the domain to control the user's access.
AAA also supports configuring a set of default methods for an ISP domain. These default methods are
applied to users for whom no AAA methods are configured.
The device supports the following authentication methods:
•
No authentication
—This method trusts all users and does not perform authentication. For security
purposes, do not use this method.
•
Local authentication
—The NAS authenticates users by itself, based on the locally configured user
information including the usernames, passwords, and attributes. Local authentication allows high
speed and low cost, but the amount of information that can be stored is limited by the size of the
storage space.
•
Remote authentication
—The NAS works with a RADIUS, HWTACACS, or LDAP server to
authenticate users. The server manages user information in a centralized manner. Remote
authentication provides high capacity, reliable, and centralized authentication services for multiple
NASs. You can configure backup methods to be used when the remote server is not available.
The device supports the following authorization methods:
•
No authorization
—The NAS performs no authorization exchange. The following default
authorization information applies after users pass authentication:
{
Non-login users can access the network.
{
Login users are assigned the default user role. For more information about the default user role
feature, see
Fundamentals Configuration Guide
.
{
FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working
directory. However, the users do not have permission to access the root directory.
•
Local authorization
—The NAS performs authorization according to the user attributes locally
configured for users.
•
Remote authorization
—The NAS works with a RADIUS, HWTACACS, or LDAP server to authorize
users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work
only after RADIUS authentication is successful, and the authorization information is included in the
Access-Accept packet. HWTACACS authorization is separate from HWTACACS authentication,
and the authorization information is included in the authorization response after successful
authentication. You can configure backup methods to be used when the remote server is not
available.