30Configuring AAA authentication method for an ISP domainIn AAA, authentication, authorization, and accounting are separate processes. Authenticationrefers to the interactive authentication process of username/password/user information during anaccess or service request. The authentication process neither sends authorization information to asupplicant nor triggers any accounting.AAA supports the following authentication methods:• No authentication (none): All users are trusted and no authentication is performed. Thismethod is not recommended.• Local authentication (local): Authentication is performed by the NAS, which is configuredwith the user information, including the usernames, passwords, and attributes. Localauthentication allows high speed and low cost, but limits the amount of information that canbe stored because of hardware.• Remote authentication (scheme): The access device cooperates with a RADIUS orHWTACACS server to authenticate users. As for RADIUS, the device can use the standardRADIUS protocol or extended RADIUS protocol in collaboration with systems like CAMS andiMC to implement user authentication. Remote authentication provides centralized informationmanagement, high capacity, high reliability, and support for centralized authentication formultiple devices. You can configure local authentication as the backup in case the remoteserver is not available.You can configure AAA authentication to work alone without authorization and accounting. Bydefault, an ISP domain uses the local authentication method.Before configuring authentication methods, complete these three tasks:• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme tobe referenced first. The local and none authentication methods do not require any scheme.• Determine the access mode or service type to be configured. With AAA, you can configurean authentication method specifically for each access mode and service type, limiting theauthentication protocols that can be used for access.• Determine whether to configure an authentication method for all access modes or servicetypes.Follow these steps to configure AAA authentication methods for an ISP domain:To do… Use the command… Remarks1. Enter system view system-view —2. Enter ISP domain view domain isp-name —3. Specify the defaultauthentication method for alltypes of usersauthentication default {hwtacacs-scheme hwtacacs-scheme-name [ local ] | local |none | radius-scheme radius-scheme-name [ local ] }Optionallocal by default4. Specify the authenticationmethod for LAN usersauthentication lan-access {local | none | radius-schemeradius-scheme-name [ local ] }OptionalThe default authentication methodis used by default.