AAA can be implemented through multiple protocols. The device supports RADIUS, which is most often used. For more information about RADIUS, see "Configuring RADIUS."
A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login. For a username in the
In a networking scenario with multiple ISPs, a NAS can connect users of different ISPs. Different ISP users can have different user attributes (such as username and password structure), different service types, and different rights. To manage these ISP users, you need to create ISP domains and then configure AAA methods and domain attributes for each ISP domain.
On the NAS, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the NAS considers that the user belongs to the default ISP domain.
AAA allows you to manage users based on their access types:
• LAN
• Login
In addition, AAA provides command authorization for login users to improve device security. Command authorization enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, and allows login users to execute only authorized commands.
Configuration prerequisites
To deploy local authentication, configure local users on the access device. See "Configuring users."
To deploy remote authentication, authorization, or accounting, configure the RADIUS schemes to be referenced. See "Configuring RADIUS."
Recommended configuration procedure
| Step | Remarks |
|---|---|
| 1. Create ISP domains and specify one of them as the default ISP domain. | Optional. By default, there is an ISP domain named system, which is the default ISP domain. |
| 2. Configure authentication methods for various types of users. | Optional. By default, all types of users use local authentication. |