Configuring AAA authentication methods for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process does not send authorization information to a supplicant or trigger accounting.
AAA supports the following authentication methods:
No authentication (none)—All users are trusted and no authentication is performed. Generally, do not use this method.
Local authentication (local)—Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the size of the storage space.
Remote authentication (scheme)—The NAS cooperates with a RADIUS, or HWTACACS server to authenticate users. Remote authentication provides centralized information management, high capacity, high reliability, and support for centralized authentication service for multiple NASs. You can configure local or no authentication as the backup method, which is used when the remote server is not available. No authentication can only be configured for LAN users as the backup method of remote authentication.
You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.
Before configuring authentication methods, complete the following tasks:
For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require a scheme.
Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access.
Determine whether to configure an authentication method for all access types or service types.
Follow these guidelines when you configure AAA authentication methods for an ISP domain:
The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access type.
With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the authorization information, but the authentication process ignores the information.
If you specify the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name local option when you configure an authentication method, local authentication is the backup method and is used only when the remote server is not available.
If you specify only the local or none keyword in an authentication method configuration command, the switch has no backup authentication method and performs only local authentication or does not perform any authentication.
If the method for level switching authentication references an HWTACACS scheme, the switch uses the login username of a user for level switching authentication of the user by default. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the login username. A username configured on the RADIUS server is in the format of $enablevel$, where level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the domain name is required and uses $enab3$ for authentication when the domain name is not required.
To configure AAA authentication methods for an ISP domain:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter ISP domain view. | domain isp-name | N/A |
3. Specify the default authentication method for all types of users. | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | Optional. The default authentication method is local for all types of users. |
4. Specify the authentication method for LAN users. | authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } | Optional. The default authentication method is used by default. |
5. Specify the authentication method for login users. | authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | Optional. The default authentication method is used by default. |
6. Specify the authentication method for portal users. | authentication portal { local | none | radius-scheme radius-scheme-name [ local ] } | Optional. The default authentication method is used by default. |
7. Specify the authentication method for privilege level switching. | authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } | Optional. The default authentication method is used by default. |