Configuring authentication methods for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during an access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.
AAA supports the following authentication methods:
No authentication (none)—All users are trusted and no authentication is performed. Generally, do not use this method.
Local authentication (local)—Authentication is performed by the NAS itself, which holds the user information (usernames, passwords, and attributes). Local authentication is fast and low cost, but the amount of user information that can be stored is limited by the storage space of the NAS.
Remote authentication (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to authenticate users. Remote authentication provides centralized information management, high capacity, high reliability, and support for centralized authentication service for multiple NASs. You can configure local or no authentication as the backup method, which is used when the remote server is not available. You can configure the no authentication method only for LAN users as the backup method of remote authentication.
You can configure AAA authentication to work alone without authorization and accounting. If you configure an authentication method that references a RADIUS scheme and an authorization method that does not reference a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server carries the authorization information, but the device ignores the information.
By default, an ISP domain uses the local authentication method.
Configuration prerequisites
Before configuring authentication methods, complete the following tasks:
For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. Local and none authentication methods do not require a scheme.
Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type to limit the authentication protocols that users can use for access.
Determine whether to configure the default authentication method for all access types or service types.
Configuration guidelines
Follow these guidelines when you configure authentication methods:
If you configure an authentication method that references a RADIUS scheme and an authorization method that does not reference a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the authorization information, but the device ignores the information.
You can configure a default authentication method for an ISP domain. The default method is used for all users who support the authentication method and have no specific authentication method configured.
You can configure local authentication (local) or no authentication (none) as the backup for remote authentication that is used when the remote authentication server is unavailable.
Local authentication (local) and no authentication (none) cannot have a backup method.
If the method for level switching authentication references an HWTACACS scheme, by default the device uses the login username of the user for level switching authentication of the user. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the login username. A username configured on the RADIUS server is in the format $enablevel$, where level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the domain name is required and uses $enab3$ for authentication when the domain name is not required.
Configuration procedure
To configure authentication methods for an ISP domain:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter ISP domain view. | domain isp-name | N/A |
| 3. Specify the default authentication method for all types of users. | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. By default, the authentication method is local for all types of users. |
| 4. Specify the authentication method for LAN users. | authentication lan-access { local \| none \| radius-scheme radius-scheme-name [ local \| none ] } | Optional. By default, the default authentication method (step 3) is used. |
| 5. Specify the authentication method for login users. | authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. By default, the default authentication method (step 3) is used. |
| 6. Specify the authentication method for portal users. | authentication portal { local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. By default, the default authentication method (step 3) is used. |
| 7. Specify the authentication method for privilege level switching. | authentication super { hwtacacs-scheme hwtacacs-scheme-name \| radius-scheme radius-scheme-name } | Optional. By default, the default authentication method (step 3) is used. |
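The following is an added configuration example that walks the procedure above end to end for the domain aaa used earlier on this page; it is not taken from the manual. The scheme names rad1 and hwtac1, the server addresses (from the 192.0.2.0/24 documentation range) and the key placeholders are constructed assumptions, and the exact syntax of the scheme-creation commands varies between Comware versions, so check the RADIUS and HWTACACS configuration sections for your release. Lines beginning with "# ---" are annotations, not CLI input.

```text
# --- Prerequisite (see "Configuration prerequisites"): schemes must exist
# --- before the domain can reference them. local and none need no scheme.
system-view
radius scheme rad1
 primary authentication 192.0.2.10
 key authentication RADIUS_KEY_PLACEHOLDER
 quit
hwtacacs scheme hwtac1
 primary authentication 192.0.2.20
 key authentication TACACS_KEY_PLACEHOLDER
 quit
domain aaa
# --- Step 3: default for every access type that has no specific method.
# --- RADIUS first; local is used only while rad1 is unreachable.
 authentication default radius-scheme rad1 local
# --- Step 5: login users (console, Telnet, SSH) go to HWTACACS, local backup.
# --- local and none cannot themselves have a backup, so the backup is the
# --- last element in the chain.
 authentication login hwtacacs-scheme hwtac1 local
# --- Step 4: LAN users. none is accepted as a backup only here, but it admits
# --- every LAN user whenever the server is down; local is the safer fallback.
 authentication lan-access radius-scheme rad1 local
# --- Step 7: privilege-level switching through RADIUS has no backup method.
# --- user1 requesting level 3 is checked against the RADIUS account
# --- $enab3@aaa$ (or $enab3$ if the domain name is not required), not user1.
 authentication super radius-scheme rad1
 quit
```

Because step 6 (portal) is omitted, portal users inherit the step 3 default (rad1 with local backup). The $enab3@aaa$ account must actually exist on the RADIUS server for the level switch to succeed; with an HWTACACS scheme on the super line the login username would be used instead.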