Operation Manual – AAA & RADIUS & HWTACACS & EAD
H3C S7500 Series Ethernet Switches
Chapter 1 AAA & RADIUS & HWTACACS Configuration

- Local authentication: User information (including user name, password, and attributes) is configured on the device. Local authentication is fast and lowers operational cost. However, the information storage capacity is limited by device hardware.
- Remote authentication: Users are authenticated remotely through the RADIUS protocol or HWTACACS protocol. The device (for example, an H3C series switch) acts as a client to communicate with the RADIUS server or TACACS server. For RADIUS protocol, both standard and extended RADIUS protocols can be used.

II. Authorization

AAA supports the following authorization methods:

- Direct authorization: Users are trusted and authorized directly.
- Local authorization: Users are authorized according to the related attributes configured for their local accounts on the device.
- RADIUS authorization: Users are authorized after they pass the RADIUS authentication. RADIUS combines authentication and authorization; you cannot perform RADIUS authorization without RADIUS authentication.
- HWTACACS authorization: Users are authorized by TACACS server.

III. Accounting

AAA supports the following accounting methods:

- No accounting: No accounting is performed for users.
- Remote accounting: User accounting is performed through a remote RADIUS server or TACACS server.

Generally, AAA is based on a client/server model, where the client acts as the managed resource and the server stores user information. This model features good scalability and facilitates the centralized management of user information.

1.1.2 Introduction to ISP Domain

An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a user name in the format of userid@isp-name, isp-name following the @ character is the ISP domain name. The access device uses userid as the user name for authentication and isp-name as the domain name.

In a multi-ISP environment, the users connected to the same access device may belong to different domains. Because the users of different ISPs may have different attributes (such as different user name and password compositions, different service types/rights), it is necessary to distinguish the users by setting ISP domains.

You can configure a set of ISP domain attributes (including AAA policy and RADIUS scheme) for each ISP domain independently in ISP domain view.
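The domain selection and the RADIUS authorization constraint described above can be modelled as follows. This is an added example, not code from the manual or from H3C: the domain names, the `default-isp` fallback for names without `@`, splitting on the last `@`, and case-insensitive domain matching are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Method names taken from the lists in this section.
AUTHN = {"local", "radius", "hwtacacs"}
AUTHZ = {"direct", "local", "radius", "hwtacacs"}
ACCT = {"none", "radius", "hwtacacs"}

@dataclass(frozen=True)
class DomainPolicy:
    authentication: str
    authorization: str
    accounting: str

    def validate(self):
        """Return a list of problems; an empty list means the policy is consistent."""
        problems = []
        for field, allowed in (("authentication", AUTHN),
                               ("authorization", AUTHZ), ("accounting", ACCT)):
            if getattr(self, field) not in allowed:
                problems.append(f"unknown {field} method: {getattr(self, field)!r}")
        # RADIUS combines authentication and authorization.
        if self.authorization == "radius" and self.authentication != "radius":
            problems.append("RADIUS authorization requires RADIUS authentication")
        return problems

def split_username(name, default_domain):
    """Split userid@isp-name into (userid, domain)."""
    userid, sep, domain = name.rpartition("@")   # assumption: split on the last '@'
    if not sep:                                   # no '@': assumed default domain
        userid, domain = domain, default_domain
    if not userid or not domain:
        raise ValueError(f"malformed user name: {name!r}")
    return userid, domain.lower()                 # assumption: case-insensitive match

def resolve(name, domains, default_domain="default-isp"):
    """Pick the AAA policy for a login name; fail closed on unknown or bad domains."""
    userid, domain = split_username(name, default_domain)
    policy = domains.get(domain)
    if policy is None:
        raise LookupError(f"no ISP domain configured: {domain!r}")
    problems = policy.validate()
    if problems:
        raise ValueError("; ".join(problems))
    return userid, domain, policy

# Constructed sample domains (hypothetical names).
DOMAINS = {
    "default-isp": DomainPolicy("local", "local", "none"),
    "isp-a": DomainPolicy("radius", "radius", "radius"),
    "isp-b": DomainPolicy("hwtacacs", "hwtacacs", "hwtacacs"),
    "isp-bad": DomainPolicy("local", "radius", "none"),  # violates the RADIUS rule
}
```
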