1752 CHAPTER 93: AAA/RADIUS/HWTACACS CONFIGURATION

speed and low cost, but the amount of information that can be stored is limited by the hardware.

■ Remote authentication: Both RADIUS and HWTACACS protocols are supported. In this approach, the device (such as a router or switch) acts as the client to communicate with the RADIUS or HWTACACS server. With respect to RADIUS, you can use the standard RADIUS protocol or extended RADIUS protocol to complete authentication in collaboration with systems like iTELLIN/CAMS.

Authorization

AAA supports the following authorization methods:

■ Direct authorization: All users are trusted and authorized. A user gets the default rights of the system.
■ Local authorization: Users are authorized according to the attributes configured for them on the device.
■ RADIUS authorization: RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful. The authorization information is carried in the RADIUS authentication response.
■ HWTACACS authorization: Users are authorized using a HWTACACS server.

Accounting

AAA supports the following accounting methods:

■ No accounting: The system does not keep accounts on the users.
■ Local accounting: Local accounting is for controlling the number of local user connections and collecting statistics on number of users; it does not provide statistics on the charges of users. Note that the controlling of the local user connections does not affect the local authentication and authorization.
■ Remote accounting: Accounting is implemented by a RADIUS server or HWTACACS server remotely.

AAA usually uses a client/server model, where the client runs on the device that controls user access and the server stores user information. The framework of AAA thus allows for excellent scalability and centralized user information management. Being a management framework, AAA can be implemented through multiple protocols.
Currently, AAA is implemented based on RADIUS or HWTACACS.

Introduction to ISP Domain

An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format, the isp-name following the @ sign is the ISP domain name. The access device considers the userid part the username for authentication and the isp-name part the domain name.

In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. Since users of different ISPs may have different user attributes (such as username and password structure, service type, and rights), it is required to configure ISP domains for them and to configure different attribute sets including the AAA policies (such as the RADIUS schemes) for the ISP domains.
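
The userid@isp-name split and the per-domain AAA policy lookup described above can be modeled as follows. This is an added example, not code from the manual or the device. The domain names, the default-domain fallback, the case-insensitive domain match and the split at the last @ sign are assumptions.

```python
# Added example: names, domains and the default-domain rule are assumptions.
from dataclasses import dataclass

AUTHN = {"local", "radius", "hwtacacs"}
AUTHZ = {"direct", "local", "radius", "hwtacacs"}
ACCT = {"none", "local", "radius", "hwtacacs"}

@dataclass(frozen=True)
class DomainPolicy:
    authentication: str
    authorization: str
    accounting: str

    def __post_init__(self):
        if (self.authentication not in AUTHN or self.authorization not in AUTHZ
                or self.accounting not in ACCT):
            raise ValueError("unknown AAA method")
        # RADIUS authorization data arrives in the RADIUS authentication
        # response, so it cannot be paired with another authentication method.
        if self.authorization == "radius" and self.authentication != "radius":
            raise ValueError("RADIUS authorization requires RADIUS authentication")

# Constructed sample table: one attribute set per ISP domain.
DOMAINS = {
    "isp-a.example": DomainPolicy("radius", "radius", "radius"),
    "isp-b.example": DomainPolicy("hwtacacs", "hwtacacs", "hwtacacs"),
    "local.example": DomainPolicy("local", "local", "none"),
}
DEFAULT_DOMAIN = "local.example"  # assumption: used when no @isp-name is given

def resolve(login: str):
    """Split userid@isp-name and return (userid, domain, policy)."""
    userid, sep, domain = login.strip().rpartition("@")
    if not sep:                       # no '@': whole string is the userid
        userid, domain = domain, DEFAULT_DOMAIN
    domain = domain.lower()           # assumption: case-insensitive domain match
    if not userid or "@" in userid:   # empty or ambiguous userid: fail closed
        raise ValueError("malformed username")
    if domain not in DOMAINS:         # unknown domain: no silent fallback
        raise LookupError(f"no ISP domain {domain!r} configured")
    return userid, domain, DOMAINS[domain]
```

Rejecting unknown domains and usernames with more than one @ sign keeps a request from being evaluated under a policy other than the one configured for its ISP domain.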