Configuring AAA authentication method for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes. Authentication
is the interactive process of verifying the username, password, and other user information
presented during an access or service request. The authentication process neither sends
authorization information to a supplicant nor triggers any accounting.
AAA supports the following authentication methods:
• No authentication (none): All users are trusted and no authentication is performed. This
  method is not recommended.
• Local authentication (local): Authentication is performed by the NAS, which is configured
  with the user information, including the usernames, passwords, and attributes. Local
  authentication is fast and inexpensive, but the amount of information that can be stored
  is limited by the hardware.
• Remote authentication (scheme): The access device cooperates with a RADIUS or
  HWTACACS server to authenticate users. For RADIUS, the device can use the standard
  RADIUS protocol or the extended RADIUS protocol in collaboration with systems like CAMS and
  iMC to implement user authentication. Remote authentication provides centralized information
  management, high capacity, high reliability, and support for centralized authentication for
  multiple devices. You can configure local authentication as the backup in case the remote
  server is not available.
You can configure AAA authentication to work alone without authorization and accounting. By
default, an ISP domain uses the local authentication method.
Before configuring authentication methods, complete these three tasks:
• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to
  be referenced first. The local and none authentication methods do not require any scheme.
• Determine the access mode or service type to be configured. With AAA, you can configure
  an authentication method specifically for each access mode and service type, limiting the
  authentication protocols that can be used for access.
• Determine whether to configure an authentication method for all access modes or service
  types.
Follow these steps to configure AAA authentication methods for an ISP domain:
1. Enter system view
   Use the command: system-view
   Remarks: —
2. Enter ISP domain view
   Use the command: domain isp-name
   Remarks: —
3. Specify the default authentication method for all types of users
   Use the command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. local by default.
4. Specify the authentication method for LAN users
   Use the command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is used by default.
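
A defender-side check of the rules above, as an added example that is not H3C code: it reads ISP domain blocks from configuration text, applies the defaults this page states (lan-access falls back to the default method, which is local when unset), and flags none as well as remote schemes with no local backup. The block layout (a `domain isp-name` line followed by indented commands) and every domain and scheme name in the sample are assumptions.

```python
import re

# Constructed sample; domain names and the scheme name "rs1" are made up.
SAMPLE = """\
#
domain corp
 authentication default radius-scheme rs1 local
#
domain guest
 authentication default none
#
domain lab
 authentication default radius-scheme rs1
 authentication lan-access none
#
"""

AUTH_RE = re.compile(r"authentication\s+(default|lan-access)\s+(.+)")
REMOTE = ("radius-scheme", "hwtacacs-scheme")

def parse_domains(text):
    """Map each ISP domain to its configured authentication methods."""
    domains, current = {}, None
    for raw in text.splitlines():
        head = re.fullmatch(r"domain\s+(\S+)", raw)
        if head:                          # start of a domain view block
            current = domains.setdefault(head.group(1), {})
        elif not raw.startswith(" "):     # any unindented line ends the block
            current = None
        elif current is not None:
            m = AUTH_RE.fullmatch(raw.strip())
            if m:
                current[m.group(1)] = m.group(2).split()
    return domains

def effective(methods, access):
    """lan-access inherits the default method; the default is local if unset."""
    return methods.get(access) or methods.get("default") or ["local"]

def audit(text):
    """Return (domain, access type, issue) for every weak effective setting."""
    findings = []
    for name, methods in sorted(parse_domains(text).items()):
        for access in ("default", "lan-access"):
            eff = effective(methods, access)
            if eff[0] == "none":
                findings.append((name, access, "no authentication"))
            elif eff[0] in REMOTE and "local" not in eff[2:]:
                findings.append((name, access, "remote scheme without local backup"))
    return findings
```

An inherited setting is reported under lan-access as well, so a domain whose default is none shows up once per access type it affects.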