HWTACACS Configuration Task List

Task                                                                Remarks
Creating a HWTACACS scheme                                          Required
Specifying the HWTACACS Authentication Servers                      Required
Specifying the HWTACACS Authorization Servers                       Optional
Specifying the HWTACACS Accounting Servers                          Optional
Setting the Shared Key for HWTACACS Packets                         Required
Configuring Attributes Related to the Data Sent to HWTACACS Server  Optional
Setting Timers Regarding HWTACACS Servers                           Optional
Displaying and Maintaining HWTACACS                                 Optional

Configuring AAA

By configuring AAA, you can provide network access service for legitimate users, protect the networking devices, and avoid unauthorized access and repudiation. In addition, you can configure ISP domains to perform AAA on accessing users.

The AAA feature allows you to manage users based on their access types:

- LAN users: Users on a LAN who access through, for example, 802.1X authentication or MAC address authentication.
- Login users: Users who log in using, for example, SSH, Telnet, FTP, or HyperTerminal.

You can configure separate authentication/authorization/accounting policies for all the other types of users.

For a user who has logged in to the device, AAA can provide the command authorization service to enhance device security: the authorization server checks each command executed by the login user, and only authorized commands can be successfully executed.

Configuration Prerequisites

For remote authentication, authorization, or accounting, you must create the RADIUS or HWTACACS scheme first. For RADIUS scheme configuration, refer to Configuring RADIUS. For HWTACACS scheme configuration, refer to Configuring HWTACACS.

Creating an ISP Domain

An Internet service provider (ISP) domain represents a group of users belonging to it. For a username in the userid@isp-name format, the access device considers the userid part the username for authentication and the isp-name part the domain name.

In a networking scenario with multiple ISPs, an access device may connect users of different ISPs. As users of different ISPs may have different user attributes (such as username and password structure, service type, and rights), you need to configure ISP domains to distinguish the users. In addition, you need to configure different attribute sets, including AAA methods, for the ISP domains.

For the NAS, each user belongs to an ISP domain. A NAS can accommodate up to 16 ISP domains, including the default ISP domain named system. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.
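
The domain-selection rules above (userid@isp-name splitting, the default domain system, and the 16-domain limit), modelled as an added Python illustration that is not device or vendor code. The class and method names, the use of the last '@' as the delimiter, the rejection of unknown domains, the local method on the default domain, and the method labels are assumptions made for this example.

```python
# Added illustration: models the ISP-domain selection rules described above.
# Not device code; class, method and AAA method names are hypothetical.
MAX_DOMAINS = 16           # limit stated on the page, default domain included
DEFAULT_DOMAIN = "system"  # default ISP domain named on the page


class DomainTable:
    def __init__(self):
        # Each domain maps an access type ("lan", "login") to an AAA method list.
        # Assumption: the default domain starts with local authentication only.
        self.domains = {DEFAULT_DOMAIN: {"default": ["local"]}}

    def add_domain(self, name, methods):
        if name not in self.domains and len(self.domains) >= MAX_DOMAINS:
            raise ValueError("NAS already holds %d ISP domains" % MAX_DOMAINS)
        self.domains[name] = dict(methods)

    def split_username(self, username):
        """Return (userid, isp_domain) for a login string."""
        # Assumption: the last '@' is the delimiter; the page does not say.
        userid, sep, domain = username.rpartition("@")
        if not sep:
            return username, DEFAULT_DOMAIN  # no domain given: default domain
        if not userid or not domain:
            raise ValueError("malformed username: %r" % username)
        return userid, domain

    def select_methods(self, username, access_type):
        """Pick the AAA method list for this user and access type."""
        userid, domain = self.split_username(username)
        if domain not in self.domains:
            # Assumption: unknown domains are rejected rather than remapped,
            # so a typo cannot place a user under another domain's policy.
            raise LookupError("unknown ISP domain: %s" % domain)
        policy = self.domains[domain]
        methods = policy.get(access_type, policy.get("default"))
        if methods is None:
            raise LookupError("no AAA method for %s in %s" % (access_type, domain))
        return userid, domain, methods


def demo():
    # Constructed sample domain and users.
    table = DomainTable()
    table.add_domain("isp-a", {"login": ["hwtacacs", "local"], "lan": ["radius"]})
    return [
        table.select_methods("alice@isp-a", "login"),
        table.select_methods("alice@isp-a", "lan"),
        table.select_methods("bob", "login"),
    ]
```
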