• Authentication: determines which users can access the network.

• Authorization: authorizes users to access specific services.

• Accounting: records network resource utilization.

• The Internet service provider (ISP) needs to authenticate the account and password of
a home broadband user before allowing the user to access the Internet. In addition,
the ISP records the online duration or traffic of the user. This is the most common
application scenario of the AAA technology.
• The NAS manages users based on domains. Each domain can be configured with
different authentication, authorization, and accounting schemes to perform
authentication, authorization, and accounting for users in the domain.

• Each user belongs to a domain. The domain to which a user belongs is determined by
the character string following the domain name delimiter @ in the user name. For
example, if the user name is user 1@domain 1, the user belongs to domain 1. If the
user name does not end with @, the user belongs to the default domain.
• AAA supports three authentication modes:

▫ Non-authentication: Users are fully trusted and their identities are not checked.
This authentication mode is seldom used for security purposes.

▫ Local authentication: Local user information (including the username, password,

and attributes) is configured on the NAS. In this case, the NAS functions as the
AAA server. Local authentication features fast processing and low operational
costs. The disadvantage is that the amount of stored information is limited by
device hardware. This authentication mode is often used to manage login users,
such as Telnet and FTP users.

▫ Remote authentication: User information (including the username, password, and

attributes) is configured on the authentication server. Remote authentication can
be implemented through RADIUS or HWTACACS. The NAS functions as a client to
communicate with the RADIUS or HWTACACS server.
• The AAA authorization function grants users the permission to access specific networks
or devices. AAA supports the following authorization modes:

▫ Non-authorization: Authenticated users have unrestricted access rights on a

network.

▫ Local authorization: Users are authorized based on the domain configuration on

the NAS.

▫ Remote authorization: The RADIUS or HWTACACS server authorizes users.

▪ In HWTACACS authorization, all users can be authorized by the HWTACACS

server.

▪ RADIUS authorization applies only to the users authenticated by the

RADIUS server. RADIUS integrates authentication and authorization.
Therefore, RADIUS authorization cannot be performed singly.

• When remote authorization is used, users can obtain authorization information from
both the authorization server and NAS. The priority of the authorization information
configured on the NAS is lower than that delivered by the authorization server.
• AAA supports the following accounting modes:

▫ Non-accounting: Users can access the Internet for free, and no activity log is
generated.

▫ Remote accounting: Remote accounting is performed through the RADIUS server

or HWTACACS server.
• Of the protocols that are used to implement AAA, RADIUS is the most commonly used.
RADIUS is a distributed information exchange protocol based on the client/server
structure. It implements user authentication, accounting, and authorization.

• Generally, the NAS functions as a RADIUS client to transmit user information to a

specified RADIUS server and performs operations (for example, accepting or rejecting
user access) based on the information returned by the RADIUS server.

• RADIUS servers run on central computers and workstations to maintain user

authentication and network service access information. The servers receive connection
requests from users, authenticate the users, and send the responses (indicating that
the requests are accepted or rejected) to the clients. RADIUS uses the User Datagram
Protocol (UDP) as the transmission protocol and uses UDP ports 1812 and 1813 as the
authentication and accounting ports, respectively. RADIUS features high real-time
performance. In addition, the retransmission mechanism and standby server
mechanism are also supported, providing good reliability.

• The message exchange process between the RADIUS server and client is as follows:

1. When a user accesses the network, the user initiates a connection request and
sends the username and password to the RADIUS client (NAS).

2. The RADIUS client sends an authentication request packet containing the

username and password to the RADIUS server.
• The authorization-scheme authorization-scheme-name command configures an
authorization scheme for a domain. By default, no authorization scheme is applied to a
domain.

• The authentication-mode { hwtacacs | local | radius } command configures an

authentication mode for the current authentication scheme. By default, local
authentication is used.
• The display domain [ name domain-name ]command displays the configuration of a
domain.

• If the value of Domain-state is Active, the domain is activated.

• If the username does not end with @, the user belongs to the default domain. Huawei
devices support the following default domains:

▫ The default domain is for common users.

▫ The default_admin domain is the default domain for administrators.