3com 2928 User Guide

1 AAA Configuration
Overview 
Introduction to AAA 
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring 
these three security functions to implement network security management. 
AAA usually uses a client/server model, where the client runs on the network access server (NAS) and 
the server maintains user information centrally. In an AAA network, a NAS is a server for users but a 
client for the AAA servers, as shown in Figure 1-1.
Figure 1-1 AAA networking diagram
When a user tries to establish a connection to the NAS in order to obtain the rights to access other networks
or certain network resources, the NAS authenticates the user or the corresponding connection. The NAS
is responsible for transparently passing the user's AAA information to the server (a RADIUS server,
for example). The RADIUS protocol defines how a NAS and a server exchange user information
between them.
In the AAA network shown in Figure 1-1, there are two RADIUS servers. You can decide which server
handles each of the authentication, authorization, and accounting functions. For example, you can use
RADIUS server 1 for authentication and authorization, and RADIUS server 2 for accounting.
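The two-server RADIUS exchange described above, as an added Python example that is not from the 3Com guide: the NAS hides the user's password for server 1 as RFC 2865 specifies and authenticates the accounting record sent to server 2 as RFC 2866 specifies, and each server checks the packet with its own shared secret. Server addresses, shared secrets and user names are constructed placeholders.

```python
import hashlib, os, struct

# Constructed example: server addresses and shared secrets are placeholders.
# Server 1 handles authentication, server 2 accounting, as in the text above.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40
SERVERS = {"auth": ("192.0.2.1", b"secret-shared-with-server-1"),
           "acct": ("192.0.2.2", b"secret-shared-with-server-2")}
def password_cipher(data, secret, req_auth, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous wire block);
    # the first block is keyed with MD5(secret + Request Authenticator) instead.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if hide else block  # the wire (hidden) block in both directions
    return out
def attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v
def find_attr(body, wanted):
    i = 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        if t == wanted:
            return body[i + 2:i + length]
        i += length
def nas_access_request(user, password, ident):
    # NAS -> server 1: Access-Request carrying the hidden user password.
    secret, req_auth = SERVERS["auth"][1], os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = password_cipher(padded, secret, req_auth, True)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
def nas_accounting_request(user, status, ident):
    # NAS -> server 2: Accounting-Request; RFC 2866 authenticator is MD5 over the
    # packet with a zeroed authenticator field, followed by the shared secret.
    secret = SERVERS["acct"][1]
    attrs = attr(USER_NAME, user) + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs
def server1_recover_password(pkt, secret):
    # Server 1 reverses the hiding with its copy of the shared secret.
    hidden = find_attr(pkt[20:], USER_PASSWORD)
    return password_cipher(hidden, secret, pkt[4:20], False).rstrip(b"\x00")
def server2_verify(pkt, secret):
    # Server 2 accepts only records whose authenticator matches its secret.
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return expected == pkt[4:20]
```

A record sent to the wrong server, or with the wrong secret, fails the check, which is why each server's shared secret must match what the NAS is configured with.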
The three security functions are described as follows:
• Authentication: Identifies remote users and determines whether a user is legitimate.
• Authorization: Grants different users different rights. For example, a user logging into the server
can be granted the permission to access and print the files on the server.
• Accounting: Records all network service usage information of users, including the service type,
start and end time, and traffic. In this way, accounting can be used not only for charging, but also for
network security surveillance.
You can use AAA to provide only one or two security functions, if desired. For example, if your company 
only wants employees to be authenticated before they access specific resources, you only need to