AAA implementation on the device
This section describes AAA user management and methods.
User management based on ISP domains and user access types
AAA manages users based on the users' ISP domains and access types.
On a NAS, each user belongs to one ISP domain. The NAS determines the ISP domain to which a user belongs based on the username entered by the user at login.
Figure 9: Determining the ISP domain for a user by username
AAA manages users in the same ISP domain based on the users' access types. The device supports the following user access types:
LAN—LAN users must pass 802.1X or MAC authentication to come online.
Login—Login users include SSH, Telnet, FTP, and terminal users who log in to the device. Terminal users can access through a console, AUX, or Async port.
ADVPN.
X.25 PAD.
Portal—Portal users must pass portal authentication to access the network.
PPP.
IPoE—IPoE users include Layer 2 and Layer 3 leased line users and Set Top Box (STB) users.
IKE—IKE users must pass IKE extended authentication to access the network.
Web—Web users log in to the Web interface of the device through HTTP or HTTPS.
NOTE: The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend on the configuration of the authentication modules.
AAA methods
AAA supports configuring different authentication, authorization, and accounting methods for different types of users in an ISP domain. The NAS determines the ISP domain and access type of a user. The NAS also uses the methods configured for the access type in the domain to control the user's access.
AAA also supports configuring a set of default methods for an ISP domain. These default methods are applied to users for whom no AAA methods are configured.
The device supports the following authentication methods:
No authentication—This method trusts all users and does not perform authentication. For security purposes, do not use this method.
Local authentication—The NAS authenticates users by itself, based on the locally configured user information, including usernames, passwords, and attributes. Local authentication is fast and inexpensive, but the amount of user information it can hold is limited by the storage space on the NAS.
Remote authentication—The NAS works with a RADIUS, HWTACACS, or LDAP server to authenticate users. The server manages user information in a centralized manner. Remote authentication provides high-capacity, reliable, and centralized authentication services for multiple NASs. You can configure backup methods to be used when the remote server is not available.
The device supports the following authorization methods:
No authorization—The NAS performs no authorization exchange. The following default authorization information applies after users pass authentication:
Non-login users can access the network.
Login users obtain the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.
The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
Local authorization—The NAS performs authorization according to the user attributes locally configured for users.
Remote authorization—The NAS works with a RADIUS, HWTACACS, or LDAP server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is included in the Access-Accept packet. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is included in the authorization response after successful authentication. You can configure backup methods to be used when the remote server is not available.
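As an added illustration (not code from the device documentation or firmware), the following Python model ties together the behaviour described above: it derives the ISP domain from the username, selects the methods configured for the user's access type and falls back to the domain's default methods, takes the backup method when a remote server is unreachable, and flags the two configurations the text cautions about (no authentication, and RADIUS authorization without RADIUS authentication). The `user@domain` username form, the default domain name `system`, and all sample configuration are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "system"   # assumed name of the default ISP domain (not from the page)

@dataclass
class Domain:
    """ISP domain: default methods plus optional per-access-type overrides, keyed by phase."""
    name: str
    default_methods: dict                             # {"authentication": [...], ...}
    per_access: dict = field(default_factory=dict)    # {"login": {"authentication": [...]}}

def split_username(username):
    """Return (user, isp_domain); a bare username belongs to the default domain."""
    if "@" in username:                      # assumption: '@' separates user and domain
        user, domain = username.rsplit("@", 1)
        return user, domain or DEFAULT_DOMAIN
    return username, DEFAULT_DOMAIN

def resolve_methods(domain, access_type, phase):
    """Methods configured for the access type win; otherwise the domain defaults apply."""
    return domain.per_access.get(access_type, {}).get(phase, domain.default_methods[phase])

def run_chain(methods, servers_up):
    """Use the first usable method; a remote method is skipped (backup taken) only when its server is down."""
    for method in methods:
        if method in ("radius", "hwtacacs", "ldap") and method not in servers_up:
            continue
        return method
    return "denied"                          # every configured method was unusable

def validate_domain(domain):
    """Flag configurations the text warns about, for the defaults and each access type."""
    issues = []
    for scope in ["default", *domain.per_access]:
        access = None if scope == "default" else scope
        authn = resolve_methods(domain, access, "authentication")
        authz = resolve_methods(domain, access, "authorization")
        if "none" in authn:
            issues.append(f"{domain.name}/{scope}: 'none' authentication trusts all users")
        if "radius" in authz and "radius" not in authn:
            issues.append(f"{domain.name}/{scope}: RADIUS authorization needs RADIUS authentication")
    return issues

if __name__ == "__main__":
    # Constructed config: 'corp' login users authenticate via HWTACACS with local
    # backup but inherit RADIUS authorization from the domain defaults.
    corp = Domain("corp", {"authentication": ["radius", "local"], "authorization": ["radius"],
                  "accounting": ["radius", "none"]}, {"login": {"authentication": ["hwtacacs", "local"]}})
    print(split_username("alice@corp"), run_chain(resolve_methods(corp, "login", "authentication"), set()))
    print(validate_domain(corp))
```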
The device supports the following accounting methods:
No accounting—The NAS does not perform accounting for the users.
Local accounting—Local accounting is implemented on the NAS. It counts and controls the number of concurrent users who use the same local user account, but does not provide statistics for charging.
Remote accounting—The NAS works with a RADIUS server or HWTACACS server for accounting. You can configure backup methods to be used when the remote server is not available.
In addition, the device provides the following login services to enhance device security:
Command authorization—Enables the NAS to let the authorization server determine whether a command entered by a login user is permitted. Login users can execute only commands permitted by the authorization server. For more information about command authorization, see Fundamentals Configuration Guide.
Command accounting—When command authorization is disabled, command accounting enables the accounting server to record all valid commands executed on the device. When command authorization is enabled, command accounting enables the accounting server to record all authorized commands. For more information about command accounting, see Fundamentals Configuration Guide.
User role authentication—Authenticates each user who wants to obtain another user role without logging out or getting disconnected. For more information about user role authentication, see Fundamentals Configuration Guide.