Authentication, Authorization, and Accounting (AAA) is a framework that checks whether a user is permitted to access a network, authorizes exactly what the user is allowed to access, and records the network resources the user consumes. VRP supports AAA authentication and authorization locally on the ARG3 series of routers, where the router acts as what is commonly referred to as a Network Access Server (NAS); accounting, however, is generally supported through an external AAA accounting server. The example here demonstrates how users that belong to the Huawei domain are able to gain access to resources located within the displayed destination network. The NAS operates as the gateway device that either performs authentication and authorization of users itself, or relays them to the AAA server. In the AAA server case, users that are authenticated and authorized to access the destination network may also have accounting started on the AAA server for the duration of their active session.
AAA supports three authentication modes. Non-authentication completely trusts users and does not check their validity; it is seldom used, for obvious security reasons. Local authentication stores user information, including the user name, password, and attributes of local users, on the Network Access Server (NAS). Local authentication has the advantages of fast processing and low operating cost; its disadvantage is that the amount of user information it can store is limited by the device hardware. Remote authentication stores user information, including the user name, password, and attributes, on an authentication server. AAA can remotely authenticate users using the Remote Authentication Dial In User Service (RADIUS) protocol or the Huawei Terminal Access Controller Access Control System (HWTACACS) protocol. The NAS acts as the client and communicates with the RADIUS or HWTACACS server.
If several authentication modes are used in an authentication scheme, they take effect in the order in which they were configured. If remote authentication was configured before local authentication, and a login account exists on the local device but not on the remote server, the AR2200 treats the user of that account as having failed remote authentication, and local authentication is therefore not performed. Local authentication is used only when the remote authentication server does not respond. If non-authentication is configured, it must be the last mode in the sequence.
The AAA authorization function determines which networks or devices a user is permitted to access, and AAA accordingly supports several authorization modes. In non-authorization mode, users are not authorized at all. Local authorization authorizes users according to the attributes of the local user accounts configured on the NAS. Alternatively, HWTACACS can be used to authorize users through a TACACS server.
The if-authenticated authorization mode treats users as authorized whenever they have been successfully authenticated, in either the local or the remote authentication mode. RADIUS authorization authorizes users after they are authenticated by a RADIUS authentication server. Authentication and authorization are bound together in the RADIUS protocol, so RADIUS cannot be used to perform authorization only. If multiple authorization modes are configured in an authorization scheme, authorization is performed in the order in which the modes were configured. If non-authorization is configured, it must be the last mode in the sequence.
The accounting process monitors the activity and resource usage of authorized users who have gained access to the network. AAA accounting supports two accounting modes. Non-accounting provides services to users free of charge, without keeping any record of the users or their activity.
Remote accounting, on the other hand, performs accounting through a RADIUS or HWTACACS server. Such a server is required because of the additional storage capacity needed to hold the access and activity records of every authorized user. The example gives a very general representation of the typical information commonly recorded in user accounting logs.
The device uses domains to manage users. Authentication, authorization, and accounting schemes can be applied to a domain so that the device authenticates, authorizes, or performs accounting for the users in that domain using those schemes. Every user of the device belongs to a domain. The domain to which a user belongs is determined by the character string that follows the domain name delimiter, which can be @, |, or %.
For example, if the user name is user@huawei, the user belongs to the huawei domain. If the user name does not contain an @, the user belongs to the default domain named default in the system. The device has two default domains: default (global default domain for common access users) and default_admin (global default domain for administrators). The two domains can be modified but cannot be deleted.
If the domain of an access user cannot be obtained, the default domain is used. The default domain is used for access users such as NAC access users. Local authentication is performed by default for users in this domain. The default_admin domain is used for administrators such as the administrators who log in using HTTP, SSH, Telnet, FTP, and terminals. Local authentication is performed by default for users in this domain. The device supports a maximum of 32 domains, including the two default domains.
The AR2200 router can be used as a Network Access Server (NAS) to implement authentication and authorization schemes. The example demonstrates the typical process required to implement local AAA. Users to be authenticated are created with the local-user <user-name> password [ cipher | simple ] <password> privilege level <level> command. This command specifies a user name. If the user name contains a domain name delimiter such as @, the string before the @ is the user name and the string after the @ is the domain name. If the value does not contain an @, the entire string is the user name and the domain is the default domain.
An authentication scheme is created to authenticate users and must exist before any further authentication-related configuration can be performed. The authentication mode of the scheme must be defined as local, radius, hwtacacs, or none. With the exception of the none parameter, the authentication modes can be listed in the order in which authentication is to be attempted; for example, if the authentication-mode hwtacacs local command is used and the HWTACACS server does not respond, the AR2200E router falls back to local authentication. An authorization scheme must also be created to authorize users (except where a RADIUS server is used, since RADIUS binds authorization to authentication), by defining its authorization-mode. The authorization-mode command supports the hwtacacs, local, if-authenticated, and none authorization modes.
The domain <domain-name> command creates a new domain, and the authentication-scheme <authentication-scheme> and authorization-scheme <authorization-scheme> commands in the domain view apply the authentication and authorization schemes to that domain.
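The two behaviours described above that are easy to get wrong in practice are how a login name is mapped to its domain, and how the modes of an authentication scheme are tried in order (a remote reject ends the sequence; only a server that does not respond lets the next mode run). The following is an added Python model of those rules written for this page; it is not VRP code, and it assumes a remote server is represented by a callable that returns "accept", "reject", or None for no response.

```python
# Added model (not VRP code) of VRP's authentication-mode sequencing and of
# user-name to domain mapping. Assumption: any definite server answer
# ("accept"/"reject") ends evaluation; only no response moves to the next mode.
DELIMITERS = "@|%"          # the three domain name delimiters the text lists
DEFAULT_DOMAIN = "default"  # global default domain for common access users


def resolve_domain(login_name):
    """Split 'user@domain' into (user, domain); no delimiter -> default domain."""
    for i, ch in enumerate(login_name):
        if ch in DELIMITERS:
            return login_name[:i], login_name[i + 1:] or DEFAULT_DOMAIN
    return login_name, DEFAULT_DOMAIN


def authenticate(modes, login_name, password, local_users, remote_server):
    """Evaluate the scheme's modes in configured order.

    modes         -- e.g. ["hwtacacs", "local"]; "none" must be last if present
    local_users   -- dict {login_name: password}, i.e. the local-user table
    remote_server -- callable(login_name, password) -> "accept"|"reject"|None,
                     where None models a RADIUS/HWTACACS server not responding
    Returns (result, mode_that_decided).
    """
    if "none" in modes and modes.index("none") != len(modes) - 1:
        raise ValueError("non-authentication must be the last mode")
    for mode in modes:
        if mode == "none":
            return "accept", mode             # trusts everyone, no check made
        if mode == "local":
            ok = local_users.get(login_name) == password
            return ("accept" if ok else "reject"), mode
        if mode in ("radius", "hwtacacs"):
            answer = remote_server(login_name, password)
            if answer is None:                # no response: try the next mode
                continue
            return answer, mode               # a reject here is final
        raise ValueError(f"unknown authentication mode {mode!r}")
    return "reject", "no-response"            # every remote mode timed out


# Constructed sample data: one local account in the huawei domain.
LOCAL_USERS = {"alice@huawei": "Pa55word"}


def remote_down(login_name, password):
    return None                               # HWTACACS server unreachable


def remote_rejects(login_name, password):
    return "reject"                           # account unknown on the server
```

With authentication-mode hwtacacs local, the same local account succeeds when the server is unreachable but fails when the server rejects it, which is the case the text warns about.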
The configuration of the local AAA domain and schemes for both authentication and authorization can be verified through the display domain or display domain name <domain-name> commands. Using the display domain command provides brief information regarding all domains that have been created, including the domain name and a domain index that is used to reference each created domain.
The display domain name <domain-name> command provides the specific configuration details of the domain given by the domain-name parameter. Alongside the domain name, the domain-state is shown as either Active or Block; Block means the domain is in the blocking state, which prevents users in that domain from logging in. The state is set with the optional state [ active | block ] command in the AAA domain view. A newly created domain is in the active state by default.
The authentication-scheme-name field shows the authentication scheme associated with the domain; the same applies to the authorization scheme. Because no accounting scheme is configured locally, none has been associated with the created domain, and the default accounting scheme is therefore listed for it. Where a non-local (i.e. RADIUS or HWTACACS) configuration is used to support AAA services, the servers are associated with the domain under the server-template fields.
VRP in local mode supports both the authentication and the authorization scheme; the accounting scheme requires remote support from a HWTACACS or RADIUS server.
If a user is created without specifying the domain to which the user belongs, the user is automatically associated with the default domain, named default.