H3C Technologies H3C S5120 Series Switches User Manual

Page 417


A self-service RADIUS server, for example Intelligent Management Center (iMC), is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

Configuring AAA Authentication Methods for an ISP Domain

In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.

AAA supports the following authentication methods:

• No authentication: All users are trusted and no authentication is performed. Generally, this method is not recommended.

• Local authentication: Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication features high speed and low cost, but the amount of information that can be stored is limited by the hardware.

• Remote authentication: The access device cooperates with a RADIUS server to authenticate users. As for RADIUS, the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authentication. Remote authentication features centralized information management, high capacity, high reliability, and support for centralized authentication for multiple devices. You can configure local authentication as the backup method to be used when the remote server is not available.

You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.

Before configuring authentication methods, complete these three tasks:

• For RADIUS authentication, configure the RADIUS scheme to be referenced first. The local and none authentication methods do not require any scheme.

• Determine the access mode or service type to be configured. With AAA, you can configure an authentication method specifically for each access mode and service type, limiting the authentication protocols that can be used for access.

• Determine whether to configure an authentication method for all access modes or service types.

Follow these steps to configure AAA authentication methods for an ISP domain:

To do…                          Use the command…                 Remarks

Enter system view               system-view

Enter ISP domain view           domain isp-name

Specify the default             authentication default { local   Optional
authentication method for all   | none | radius-scheme           local by default
types of users                  radius-scheme-name [ local ] }
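
The following is an added example, not part of the H3C manual: a Python check that reads ISP domain blocks from a saved configuration and reports domains whose default authentication method is none, or a RADIUS scheme with no local backup. The sample configuration, its block layout (a domain line, indented settings, # between sections) and the names corp, guest, branch and rs1 are constructed assumptions; only the authentication default syntax is taken from the table above.

```python
import re

# Constructed sample configuration (assumption: each ISP domain is a
# "domain <isp-name>" line followed by indented settings, "#" between sections).
SAMPLE_CONFIG = """\
#
domain corp
 authentication default radius-scheme rs1 local
#
domain guest
 authentication default none
#
domain branch
 authentication default radius-scheme rs1
#
domain system
 state active
#
"""

# authentication default { local | none | radius-scheme radius-scheme-name [ local ] }
AUTH_RE = re.compile(
    r"^authentication default (?:(local|none)|radius-scheme (\S+)( local)?)$")

def parse_domains(text):
    """Return {isp-name: (method, scheme, local_backup)} for each domain block."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("domain "):
            current = line.split(None, 1)[1]
            domains[current] = ("local", None, False)  # local is the default
        elif not raw.startswith(" "):
            current = None  # "#" or any other top-level line ends the block
        elif current and (m := AUTH_RE.match(line)):
            if m.group(1):
                domains[current] = (m.group(1), None, False)
            else:
                domains[current] = ("radius", m.group(2), bool(m.group(3)))
    return domains

def audit(text):
    """Report domains that skip authentication or lack a local backup method."""
    findings = {}
    for name, (method, scheme, backup) in parse_domains(text).items():
        if method == "none":
            findings[name] = "no authentication: all users are trusted"
        elif method == "radius" and not backup:
            findings[name] = f"radius-scheme {scheme} has no local backup"
    return findings
```

Calling audit(SAMPLE_CONFIG) returns findings for the guest and branch domains only; corp has a local backup and system falls back to the local default.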
