Domain-based user management
A NAS manages users based on Internet service provider (ISP) domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain a user belongs to by the username entered by the user at login, as shown in Figure 7.
Figure 7: Determining the ISP domain of a user by the username
The authentication, authorization, and accounting of a user depend on the AAA methods configured for the domain to which the user belongs. If no specific AAA methods are configured for the domain, the default methods are used. By default, a domain uses local authentication, local authorization, and local accounting.
AAA allows you to manage users based on their access types:
LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the network.
Login users—Users who want to log in to the switch, including SSH users, Telnet users, Web users, FTP users, and terminal users.
Portal users—Users who must pass portal authentication to access the network.
In addition, AAA provides the following services for login users to enhance switch security:
Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute. For more information about command authorization, see Fundamentals Configuration Guide.
Command accounting—Allows the accounting server to record all commands executed on the switch or all authorized commands successfully executed. For more information about command accounting, see Fundamentals Configuration Guide.
Level switching authentication—Allows the authentication server to authenticate users who perform privilege level switching. Users who pass level switching authentication can switch their user privilege levels without logging out and disconnecting current connections. For more information about user privilege level switching, see Fundamentals Configuration Guide.
You can configure different authentication, authorization, and accounting methods for different types of users in a domain. See "Configuring AAA methods for ISP domains."
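The lookup described in this section, modeled as a short Python sketch (an added example, not code from the switch or its documentation). It assumes usernames take the userid@domain form, that a username without a domain part lands in a default domain (called system here), and that a domain can hold a domain-wide default method plus per-access-type overrides; the domain names and method labels are constructed sample values.

```python
# Added illustration: which AAA methods apply to a user, given the username
# entered at login and the access type (lan, login, or portal).

DEFAULT_DOMAIN = "system"  # assumption: name of the default ISP domain

# Built-in fallback stated on the page: local for all three services.
BUILTIN = {"authentication": "local", "authorization": "local", "accounting": "local"}

# Constructed sample configuration: domain -> service -> access type -> method.
# The "default" key is the domain-wide method for access types with no own entry.
DOMAINS = {
    "system": {},
    "corp": {
        "authentication": {"default": "radius", "lan": "local"},
        "accounting": {"login": "radius"},
    },
}


def split_username(username):
    """Split 'userid@domain'; a name with no domain part uses the default domain."""
    userid, sep, domain = username.rpartition("@")
    if not sep:
        return username, DEFAULT_DOMAIN
    return userid, (domain.lower() or DEFAULT_DOMAIN)


def resolve(username, access_type):
    """Return (userid, domain, methods); methods is None for an unconfigured domain."""
    userid, domain = split_username(username)
    if domain not in DOMAINS:
        # The page does not say how the NAS treats an unknown domain,
        # so this model reports it instead of guessing a behaviour.
        return userid, domain, None
    methods = {}
    for service, builtin in BUILTIN.items():
        configured = DOMAINS[domain].get(service, {})
        # Order: access-type method, then domain default, then built-in local.
        methods[service] = configured.get(access_type, configured.get("default", builtin))
    return userid, domain, methods


if __name__ == "__main__":
    for name, kind in [("alice@corp", "login"), ("alice@corp", "lan"), ("bob", "login")]:
        print(name, kind, resolve(name, kind))
```

Running the lookup over every domain and access type shows which login paths still end at local authentication, which is the case to review when a remote server is expected to be authoritative.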