Operation Manual – AAAH3C S5600 Series Ethernet Switches Chapter 1 AAA Overview1-2z Remote authentication: Users are authenticated remotely through RADIUS orHWTACACS protocol. This device (for example, a H3C series switch) acts as theclient to communicate with the RADIUS or TACACS server. You can use standardor extended RADIUS protocols in conjunction with such systems asiTELLIN/CAMS for user authentication. Remote authentication allows convenientcentralized management and is feature-rich. However, to implement remoteauthentication, a server is needed and must be configured properly.1.1.2 AuthorizationAAA supports the following authorization methods:z Direct authorization: Users are trusted and directly authorized.z Local authorization: Users are authorized according to the related attributesconfigured for their local accounts on this device.z RADIUS authorization: Users are authorized after they pass RADIUSauthentication. In RADIUS protocol, authentication and authorization arecombined together, and authorization cannot be performed alone withoutauthentication.z HWTACACS authorization: Users are authorized by a TACACS server.1.1.3 AccountingAAA supports the following accounting methods:z None accounting: No accounting is performed for users.z Remote accounting: User accounting is performed on a remote RADIUS orTACACS server.1.1.4 Introduction to ISP DomainAn Internet service provider (ISP) domain is a group of users who belong to the sameISP. For a username in the format of userid@isp-name or userid.isp-name, theisp-name following the "@" or “.” character is the ISP domain name. The access deviceuses userid as the username for authentication, and isp-name as the domain name.In a multi-ISP environment, the users connected to the same access device maybelong to different domains. Since the users of different ISPs may have differentattributes (such as different forms of username and password, different servicetypes/access rights), it is necessary to distinguish the users by setting ISP domains.You can configure a set of ISP domain attributes (including AAA policy, RADIUSscheme, and so on) for each ISP domain independently in ISP domain view.