Operation Manual – AAA-RADIUS-HWTACACS
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 AAA/RADIUS/HWTACACS Configuration
is the ISP domain name. The access device considers the userid part the username for authentication and the isp-name part the domain name.
In a networking scenario with multiple ISPs, an access device may connect users of
different ISPs. Because users of different ISPs may have different user attributes (such
as username and password structure, service type, and rights), it is required to
configure ISP domains for them and to configure different attribute sets including the
AAA policies (such as the RADIUS schemes) for the ISP domains.
1.1.3 Introduction to RADIUS
As described previously, AAA is a management framework and can be implemented
through multiple protocols. However, RADIUS is usually used in practice.
I. What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol in the client/server model. RADIUS protects the network against unauthorized access and is often used in network environments where both high security and remote user access are required. For example, it is often used for managing a large number of geographically dispersed dial-in users that use modems.
The RADIUS service involves three components:
- Protocol: Based on UDP, RFC 2865 and RFC 2866 define the RADIUS frame format and the message transfer mechanism, and use 1812 as the authentication port and 1813 as the accounting port.
- Server: The RADIUS server runs on the computer or workstation at the center, and maintains information for user authentication and network service access.
- Client: The RADIUS client runs on the network access servers (NASs) located throughout the network.
In the client/server model of RADIUS, the client passes user information to the
designated RADIUS server and acts on the response of the server (such as
connecting/disconnecting users). The RADIUS server receives user connection
requests, authenticates users, and returns the required information to the client.
In general, the RADIUS server maintains three databases, namely, Users, Clients, and Dictionary, as shown in Figure 1-1:
- Users: Stores user information such as the username, password, applied protocols, and IP address.
- Clients: Stores information about RADIUS clients such as the shared key.
- Dictionary: Stores the information for interpreting RADIUS protocol attributes and their values.