Task | Remarks
“Setting the Upper Limit of RADIUS Request Retransmission Attempts” on page 1772 | Optional
“Setting the Supported RADIUS Server Type” on page 1772 | Optional
“Setting the Status of RADIUS Servers” on page 1772 | Optional
“Configuring Attributes Related to the Data Sent to the RADIUS Server” on page 1773 | Optional
“Setting Timers Regarding RADIUS Servers” on page 1774 | Optional
“Configuring RADIUS Accounting-on” on page 1775 | Optional
“Configuring an IP Address for the Security Policy Server” on page 1776 | Optional
“Enabling the Listening Port of the RADIUS Client” on page 1776 | Optional

HWTACACS configuration task list

Task | Remarks
“Creating a HWTACACS scheme” on page 1777 | Required
“Specifying the HWTACACS Authentication Servers” on page 1777 | Required
“Specifying the HWTACACS Authorization Servers” on page 1777 | Optional
“Specifying the HWTACACS Accounting Servers” on page 1778 | Optional
“Setting the Shared Key for HWTACACS Packets” on page 1779 | Required
“Configuring Attributes Related to the Data Sent to the TACACS Server” on page 1779 | Optional
“Setting Timers Regarding HWTACACS Servers” on page 1780 | Optional

Configuring AAA

By configuring AAA, you can provide network access service for legitimate users, protect the networking devices, and avoid unauthorized access and bilking. In addition, you can configure ISP domains to perform AAA on accessing users.

In AAA, users are divided into LAN-access users (such as 802.1x users and MAC authentication users), login users (such as SSH, Telnet, FTP, and terminal access users), Portal users, PPP users, VoIP users, and command line users (that is, command line authentication users). Except for command line users, you can configure separate authentication/authorization/accounting policies for all the other types of users. Command line users can be configured with an authorization policy independently.

Configuration Prerequisites

For remote authentication, authorization, or accounting, you must create the RADIUS or HWTACACS scheme first.

■ RADIUS scheme: Reference a configured RADIUS scheme to implement authentication/authorization and accounting. For RADIUS scheme configuration, refer to “Configuring RADIUS” on page 1769.
■ HWTACACS scheme: Reference a configured HWTACACS scheme to implement authentication/authorization and accounting. For HWTACACS scheme configuration, refer to “Configuring HWTACACS” on page 1777.

Creating an ISP Domain

For the NAS, each accessing user belongs to an ISP domain. Up to 16 ISP domains can be configured on a NAS. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.
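The ISP domain rules above decide which AAA policy a given login actually hits, so they are worth modelling when reviewing a configuration. The following Python model is an added example, not device code or part of the original manual; the "@" delimiter, the domain names, the scheme names and the class and method names are assumptions, and because the manual page does not say how an unconfigured domain name is handled, the model reports it as unresolved.

```python
# Added model of the ISP-domain rules in the text; not vendor code.
MAX_DOMAINS = 16  # from the text: up to 16 ISP domains per NAS
ACCESS_TYPES = {"lan-access", "login", "portal", "ppp", "voip", "command"}
SERVICES = ("authentication", "authorization", "accounting")


class Nas:
    def __init__(self, default_domain):
        self.default_domain = default_domain
        self.domains = {default_domain: {}}

    def create_domain(self, name):
        if name not in self.domains and len(self.domains) >= MAX_DOMAINS:
            raise ValueError("at most 16 ISP domains can be configured")
        self.domains.setdefault(name, {})

    def set_policy(self, domain, access_type, service, scheme):
        if access_type not in ACCESS_TYPES or service not in SERVICES:
            raise ValueError("unknown access type or service")
        # Command line users accept an authorization policy only.
        if access_type == "command" and service != "authorization":
            raise ValueError("command line users: authorization only")
        self.domains[domain][(access_type, service)] = scheme

    def resolve(self, username, delimiter="@"):
        """Return (user, domain); domain is None if it is not configured."""
        user, sep, domain = username.rpartition(delimiter)
        if not sep:  # no ISP domain name supplied: default domain applies
            return username, self.default_domain
        return user, (domain if domain in self.domains else None)

    def scheme_for(self, username, access_type, service):
        """Scheme applied to this user, or None if nothing is configured."""
        _, domain = self.resolve(username)
        if domain is None:
            return None
        return self.domains[domain].get((access_type, service))


# Constructed sample configuration (all names are hypothetical).
nas = Nas(default_domain="default-isp")
nas.create_domain("corp")
nas.set_policy("default-isp", "login", "authentication", "local")
nas.set_policy("corp", "login", "authentication", "hwtacacs-scheme hw1")

if __name__ == "__main__":
    for name in ("alice", "bob@corp", "eve@nowhere"):
        print(name, nas.resolve(name), nas.scheme_for(name, "login", "authentication"))
```

A username without a domain part is evaluated against the default domain's policy, so that domain deserves the same scrutiny as any explicitly named one.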