Domain-based user management
A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login. For a username in the userid@isp-name format, the access device considers the userid part the username for authentication and the isp-name part the ISP domain name.
In a networking scenario with multiple ISPs, a NAS can connect users of different ISPs. Different ISP users can have different user attributes (such as username and password structure), different service types, and different rights. To manage these ISP users, you need to create ISP domains and then configure AAA methods and domain attributes for each ISP domain.
On the NAS, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the NAS considers that the user belongs to the default ISP domain.
AAA allows you to manage users based on their access types:
• LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the network.
• Login users—Users who want to log in to the device, including SSH users, Telnet users, Web users, FTP users, and terminal users.
In addition, AAA provides command authorization for login users to improve device security. Command authorization enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, and allows login users to execute only authorized commands.
Configuration prerequisites
To deploy local authentication, configure local users on the access device. See "."
To deploy remote authentication, authorization, or accounting, configure the RADIUS schemes to be referenced. See "
Recommended configuration procedure
Step | Remarks
1. | Optional. Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.
2. Configuring authentication methods for the ISP domain | Optional. Configure authentication methods for various types of users. By default, all types of users use local authentication.
3. Configuring authorization methods for the ISP domain | Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
4. Configuring accounting methods for the ISP domain | Required. Specify the accounting methods for various types of users. By default, all types of users use local accounting.
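The username-to-domain resolution and the per-user-type defaults described on this page, modeled in Python as an added example (not HPE code or device configuration). The domain name isp-a, the "radius" method label, splitting on the last "@" and refusing unconfigured domains are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "system"        # default ISP domain named on the page
ACCESS_TYPES = ("lan", "login")  # the two access types the page lists
SERVICES = ("authentication", "authorization", "accounting")

@dataclass
class IspDomain:
    name: str
    # (service, access_type) -> method; unset entries fall back to "local",
    # the default the page gives for every service and user type.
    methods: dict = field(default_factory=dict)

    def method(self, service, access_type):
        return self.methods.get((service, access_type), "local")

def split_username(login_name, default_domain=DEFAULT_DOMAIN):
    """Split userid@isp-name; a name without '@' goes to the default domain.
    Assumption: a name with several '@' is split on the last one."""
    userid, sep, domain = login_name.rpartition("@")
    if not sep:
        return login_name, default_domain
    if not userid or not domain:
        raise ValueError(f"malformed login name: {login_name!r}")
    return userid, domain

def resolve(login_name, access_type, domains):
    """Return the userid sent for authentication and the AAA methods that apply."""
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access_type!r}")
    userid, name = split_username(login_name)
    if name not in domains:
        # Assumption: an unconfigured domain is refused, not mapped to the default.
        raise LookupError(f"no such ISP domain: {name!r}")
    result = {"userid": userid, "domain": name}
    result.update({s: domains[name].method(s, access_type) for s in SERVICES})
    return result

# Constructed sample configuration: "isp-a" and the "radius" method label are
# hypothetical; "system" keeps the all-local defaults.
DOMAINS = {
    "system": IspDomain("system"),
    "isp-a": IspDomain("isp-a", {("authentication", "lan"): "radius",
                                 ("accounting", "lan"): "radius"}),
}

if __name__ == "__main__":
    for name, kind in [("alice@isp-a", "lan"), ("alice@isp-a", "login"), ("bob", "login")]:
        print(name, kind, resolve(name, kind, DOMAINS))
```

The output shows that a login name without a domain part is handled entirely by the default domain's methods, so that domain's settings deserve the same review as any explicitly created one.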