Aaa for mpls l3vpns, Protocols and standards – H3C Technologies H3C S12500-X Series Switches User Manual
Page 25
13
commands. For more information about command authorization, see Fundamentals Configuration
Guide.
•
Command accounting—When command authorization is disabled, command accounting enables
the accounting server to record all valid commands executed on the device. When command
authorization is enabled, command accounting enables the accounting server to record all
authorized commands. For more information about command accounting, see Fundamentals
Configuration Guide.
•
User role authentication—Authenticates each user who wants to obtain a temporary user role
without logging out or getting disconnected. For more information about temporary user role
authorization, see Fundamentals Configuration Guide.
159B
AAA for MPLS L3VPNs
In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy
AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs. For
example, in the network shown in
684H
Figure 9
, you can deploy the AAA across VPNs feature, so that the PE
at the left side of the MPLS backbone serves as a NAS and transparently delivers the AAA packets of
private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication.
Authentication packets of private users in different VPNs do not affect each other.
Figure 9 Network diagram
160B
Protocols and standards
The following protocols and standards are related to AAA, RADIUS, HWTACACS, and LDAP:
•
RFC 2865, Remote Authentication Dial In User Service (RADIUS)
•
RFC 2866, RADIUS Accounting
•
RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
•
RFC 2868, RADIUS Attributes for Tunnel Protocol Support
•
RFC 2869, RADIUS Extensions
•
RFC 1492, An Access Control Protocol, Sometimes Called TACACS
•
RFC 1777, Lightweight Directory Access Protocol
•
RFC 2251, Lightweight Directory Access Protocol (v3)