3com 4210 PWR 9-Port 3CR17341-91-ME 用户手册
产品代码
3CR17341-91-ME
238
C
HAPTER
20: AAA O
VERVIEW
Accounting
AAA supports the following accounting methods:
■
None accounting: No accounting is performed for users.
■
Remote accounting: User accounting is performed on a remote RADIUS server.
Introduction to ISP
Domain
An Internet service provider (ISP) domain is a group of users who belong to the
same ISP. For a user name in the format of userid@isp-name, the isp-name
following the "@" character is the ISP domain name. The access device uses userid
as the user name for authentication, and isp-name as the domain name.
same ISP. For a user name in the format of userid@isp-name, the isp-name
following the "@" character is the ISP domain name. The access device uses userid
as the user name for authentication, and isp-name as the domain name.
In a multi-ISP environment, the users connected to the same access device may
belong to different domains. Since the users of different ISPs may have different
attributes (such as different forms of user name and password, different service
types/access rights), it is necessary to distinguish the users by setting ISP domains.
belong to different domains. Since the users of different ISPs may have different
attributes (such as different forms of user name and password, different service
types/access rights), it is necessary to distinguish the users by setting ISP domains.
You can configure a set of ISP domain attributes (including AAA policy, RADIUS
scheme, and so on) for each ISP domain independently in ISP domain view.
scheme, and so on) for each ISP domain independently in ISP domain view.
Introduction to AAA
Services
Services
Introduction to RADIUS
AAA is a management framework. It can be implemented by not only one
protocol. But in practice, the most commonly used service for AAA is RADIUS.
protocol. But in practice, the most commonly used service for AAA is RADIUS.
What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed service based
on client/server structure. It can prevent unauthorized access to your network and
is commonly used in network environments where both high security and remote
user access service are required.
on client/server structure. It can prevent unauthorized access to your network and
is commonly used in network environments where both high security and remote
user access service are required.
The RADIUS service involves three components:
■
Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the message
format and message transfer mechanism of RADIUS, and define 1812 as the
authentication port and 1813 as the accounting port.
format and message transfer mechanism of RADIUS, and define 1812 as the
authentication port and 1813 as the accounting port.
■
Server: RADIUS Server runs on a computer or workstation at the center. It
stores and maintains user authentication information and network service
access information.
stores and maintains user authentication information and network service
access information.
■
Client: RADIUS Client runs on network access servers throughout the network.
RADIUS operates in the client/server model.
■
A switch acting as a RADIUS client passes user information to a specified
RADIUS server, and takes appropriate action (such as establishing/terminating
user connection) depending on the responses returned from the server.
RADIUS server, and takes appropriate action (such as establishing/terminating
user connection) depending on the responses returned from the server.
■
The RADIUS server receives user connection requests, authenticates users, and
returns all required information to the switch.
returns all required information to the switch.
Generally, a RADIUS server maintains the following three databases (see
Figure 77):
Figure 77):