H3C WX Series Access Controllers


Configuring AAA

The web interface supports configuring Internet Service Provider (ISP) domains and configuring AAA methods for ISP domains.

AAA overview

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:

Authentication—Identifies users and determines whether a user is valid.

Authorization—Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.

Accounting—Records all network service usage information of users, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.

AAA usually uses a client/server model. The client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers.

Figure 435 Network diagram for AAA

AAA can be implemented through multiple protocols. The device supports using RADIUS, the most commonly used protocol in practice. For more information about RADIUS, see "Configuring RADIUS."

For more information about AAA and ISP domains, see H3C WA Series WLAN Access Points Security Configuration Guide.

Configuring AAA

Configuration prerequisites

To deploy local authentication, configure local users on the access device as described in "Configuring users."

To deploy remote authentication, authorization, or accounting, create the RADIUS schemes to be referenced as described in "Configuring RADIUS."

Recommended configuration procedure

Step 1: Configuring an ISP domain
Optional.
Create ISP domains and specify one of them as the default ISP domain.
By default, there is an ISP domain named system, which is the default ISP domain.

Step 2: Configuring authentication methods for the ISP domain
Optional.
Configure authentication methods for various types of users.
By default, all types of users use local authentication.

Step 3: Configuring authorization methods for the ISP domain
Optional.
Specify the authorization methods for various types of users.
By default, all types of users use local authorization.

Step 4: Configuring accounting methods for the ISP domain
Required.
Specify the accounting methods for various types of users.
By default, all types of users use local accounting.

AAA user types include LAN access users (such as 802.1X authentication users and MAC authentication users), login users (such as SSH, Telnet, FTP, and terminal access users), PPP users, Portal users, and command users.

Configuring an ISP domain

1. Select Authentication > AAA from the navigation tree.
The Domain Setup page appears.

Figure 436 Domain Setup page

2. Configure an ISP domain as described in Table 135.

3. Click Apply.

Table 135 Configuration items

Domain Name
Enter the ISP domain name, which identifies the domain.
You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).

Default Domain
Specify whether to use the ISP domain as the default domain. Options include:
Enable—Uses the domain as the default domain.
Disable—Uses the domain as a non-default domain.
There can be only one default domain at a time. If you specify a second domain as the default domain, the original default domain becomes a non-default domain.

Configuring authentication methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.

2. Click the Authentication tab to enter the authentication method configuration page.

Figure 437 Authentication method configuration page

3. Configure authentication methods for different types of users in the domain, as described in Table 136.

4. Click Apply.
A configuration progress dialog box appears.

5. After the configuration progress is complete, click Close.

Table 136 Configuration items

Select an ISP domain
Select the ISP domain for which you want to specify authentication methods.

Default AuthN (Name, Secondary Method)
Configure the default authentication method and secondary authentication method for all types of users. Options include:
HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
Local—Performs local authentication.
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set—Restores the default, that is, local authentication.

LAN-access AuthN (Name, Secondary Method)
Configure the authentication method and secondary authentication method for LAN access users. Options include:
Local—Performs local authentication.
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authentication methods.

Login AuthN (Name, Secondary Method)
Configure the authentication method and secondary authentication method for login users. Options include:
HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
Local—Performs local authentication.
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authentication methods.

PPP AuthN (Name, Secondary Method)
Configure the authentication method and secondary authentication method for PPP users. Options include:
HWTACACS—Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
Local—Performs local authentication.
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authentication methods.

Portal AuthN (Name)
Configure the authentication method for Portal users. Options include:
Local—Performs local authentication.
None—All users are trusted and no authentication is performed. Generally, do not use this mode.
RADIUS—Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authentication methods.

Configuring authorization methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.

2. Click the Authorization tab to enter the authorization method configuration page.

Figure 438 Authorization method configuration page

3. Configure authorization methods for different types of users in the domain, as described in Table 137.

4. Click Apply.
A configuration progress dialog box appears.

5. After the configuration progress is complete, click Close.

Table 137 Configuration items

Select an ISP domain
Select the ISP domain for which you want to specify authorization methods.

Default AuthZ (Name, Secondary Method)
Configure the default authorization method and secondary authorization method for all types of users. Options include:
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Local—Performs local authorization.
None—All users are trusted and authorized. A user gets the default rights of the system.
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set—Restores the default, that is, local authorization.

LAN-access AuthZ (Name, Secondary Method)
Configure the authorization method and secondary authorization method for LAN access users. Options include:
Local—Performs local authorization.
None—All users are trusted and authorized. A user gets the default rights of the system.
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authorization methods.

Login AuthZ (Name, Secondary Method)
Configure the authorization method and secondary authorization method for login users. Options include:
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Local—Performs local authorization.
None—All users are trusted and authorized. A user gets the default rights of the system.
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authorization methods.

PPP AuthZ (Name, Secondary Method)
Configure the authorization method and secondary authorization method for PPP users. Options include:
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Local—Performs local authorization.
None—All users are trusted and authorized. A user gets the default rights of the system.
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authorization methods.

Portal AuthZ (Name)
Configure the authorization method for Portal users. Options include:
Local—Performs local authorization.
None—All users are trusted and authorized. A user gets the default rights of the system.
RADIUS—Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
Not Set—Uses the default authorization methods.

Command AuthZ (Name)
Configure the authorization method for command users. Options include:
HWTACACS—Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
Not Set—Uses the default authorization methods.

Configuring accounting methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.

2. Click the Accounting tab to enter the accounting method configuration page.

Figure 439 Accounting method configuration page

3. Configure accounting methods for different types of users in the domain, as described in Table 138.

4. Click Apply.
A configuration progress dialog box appears.

5. After the configuration progress is complete, click Close.

Table 138 Configuration items

Select an ISP domain
Select the ISP domain for which you want to specify accounting methods.

Accounting Optional
Specify whether to enable the accounting optional feature.
With the feature enabled, a user who would otherwise be disconnected can continue to use network resources when no accounting server is available or communication with the current accounting server fails.
If accounting for such a user fails, the device no longer sends real-time accounting updates for that user.

Default Accounting (Name, Secondary Method)
Configure the default accounting method and secondary accounting method for all types of users. Options include:
HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
Local—Performs local accounting.
None—Performs no accounting.
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set—Restores the default, that is, local accounting.

LAN-access Accounting (Name, Secondary Method)
Configure the accounting method and secondary accounting method for LAN access users. Options include:
Local—Performs local accounting.
None—Performs no accounting.
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set—Uses the default accounting methods.

Login Accounting (Name, Secondary Method)
Configure the accounting method and secondary accounting method for login users. Options include:
HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
Local—Performs local accounting.
None—Performs no accounting.
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set—Uses the default accounting methods.

PPP Accounting (Name, Secondary Method)
Configure the accounting method and secondary accounting method for PPP users. Options include:
HWTACACS—Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
Local—Performs local accounting.
None—Performs no accounting.
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set—Uses the default accounting methods.

Portal Accounting (Name)
Configure the accounting method for Portal users. Options include:
Local—Performs local accounting.
None—Performs no accounting.
RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
Not Set—Uses the default accounting methods.

AAA configuration example

Network requirements

As shown in Figure 440, configure the AC to perform local authentication, authorization, and accounting for Telnet users.

Figure 440 Network diagram

Configuration procedure

1. Configure a local user:
a. Select Authentication > Users from the navigation tree.
The local user management page appears.
b. Click Add.
c. Enter telnet as the username.
d. Enter abcd as the password.
e. Enter abcd again to confirm the password.
f. Select Common User as the user type.
g. Select Configure as the level.
h. Select Telnet as the service type.
i. Click Apply.

Figure 441 Configuring the local user

2. Configure ISP domain test:
a. Select Authentication > AAA from the navigation tree.
The Domain Setup page appears, as shown in Figure 442.
b. Enter test as the domain name.
c. Click Apply.

Figure 442 Configuring ISP domain test

3. Configure the ISP domain to use local authentication for login users:
a. Select Authentication > AAA from the navigation tree.
b. Click the Authentication tab.
c. Select the domain test.
d. Select the Login AuthN box and select the authentication method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 443 Configuring the ISP domain to use local authentication

4. Configure the ISP domain to use local authorization for login users:
a. Select Authentication > AAA from the navigation tree.
b. Click the Authorization tab.
c. Select the domain test.
d. Select the Login AuthZ box and select the authorization method Local.
e. Click Apply.
A configuration progress dialog box appears.
f. After the configuration progress is complete, click Close.

Figure 444 Configuring the ISP domain to use local authorization

Local accounting is the default for all user types, so no accounting configuration is needed for this example.

5. Log in to the CLI, enable the Telnet service, and configure the AC to use AAA (scheme authentication) for Telnet users on the VTY user interfaces:

<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

6. Verify the configuration:
Telnet to the AC and enter the username telnet@test and the password abcd. You should be served as a user in domain test.
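As an added example (not H3C code and not part of this manual), the following Python models how the method tables above and the user@domain login used in the verification step combine into the effective AAA method chain for a user, and flags any authentication row that can reach the None method. It assumes, beyond what the page states, that a secondary method is tried only when the primary one is unavailable.

```python
from dataclasses import dataclass, field
NOT_SET = "Not Set"
DEFAULT_DOMAIN = "system"   # the built-in default ISP domain named on this page

@dataclass
class Entry:
    name: str = NOT_SET       # primary method: HWTACACS, Local, None, or RADIUS
    secondary: str = NOT_SET  # secondary method (Portal and Command rows have none)

@dataclass
class IspDomain:
    name: str
    methods: dict = field(default_factory=dict)  # methods[service][user_type] -> Entry

    def set_method(self, service, user_type, name, secondary=NOT_SET):
        self.methods.setdefault(service, {})[user_type] = Entry(name, secondary)

    def effective(self, service, user_type):
        """Methods tried in order for (service, user_type); [] if the row does not exist."""
        if user_type == "command" and service != "authorization":
            return []                         # command users only have an AuthZ row
        rows = self.methods.get(service, {})
        entry = rows.get(user_type, Entry())
        if entry.name == NOT_SET:             # "Not Set": use the domain-wide default row
            entry = rows.get("default", Entry())
        if entry.name == NOT_SET:             # default row "Not Set": local (page default)
            return ["Local"]
        # Assumption: the secondary method is a fallback tried after the primary one.
        return [entry.name] + ([entry.secondary] if entry.secondary != NOT_SET else [])

def resolve(username, domains, default_domain=DEFAULT_DOMAIN):
    """'telnet@test' -> ('telnet', domain test); a bare name uses the default domain."""
    user, _, dom = username.partition("@")
    return user, domains[dom or default_domain]   # KeyError for an unknown domain

def audit(domains):
    """Flag rows whose effective authentication chain can reach None (no authentication)."""
    findings = []
    for d in domains.values():
        for ut in ("lan-access", "login", "ppp", "portal"):
            chain = d.effective("authentication", ut)
            if "None" in chain:
                findings.append(f"domain {d.name}: {ut} authentication can fall to None {chain}")
    return findings

# Constructed sample: the page's domain "test" plus a deliberately weak domain-wide default.
DOMAINS = {DEFAULT_DOMAIN: IspDomain(DEFAULT_DOMAIN), "test": IspDomain("test")}
DOMAINS["test"].set_method("authentication", "login", "Local")
DOMAINS["test"].set_method("authorization", "login", "Local")
DOMAINS["test"].set_method("authentication", "default", "RADIUS", "None")
```

Running audit(DOMAINS) reports the LAN-access, PPP and Portal rows of domain test, because their Not Set entries inherit the weak default, while the login row stays at Local.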
