One article to understand enterprise AAA authentication, authorization, billing services and configuration
Hello everyone, I am Bernie, an IT pre-sales engineer.
When an enterprise branch needs to reach the headquarters network, that network must not be open to everyone: only users who have passed authentication should be allowed in, for example to reach the OA system, the expense reimbursement system or the ERP system.
At this time, AAA authentication and authorization services come in handy.
AAA is a security service that provides Authentication, Authorization and Accounting. It is used to verify whether a user account is legitimate and authorized to use a service, and to record the user's access to network resources.
About authentication
Authentication means: verifying whether a user has access to a certain network.
The authentication methods in AAA can be divided into three cases: no authentication, local authentication and remote authentication.
No authentication
This is the simplest case: the server trusts the user completely and performs no identity check at all. In practice, most networks do not use it, because it is crude and insecure.
Local authentication
The user's account information is configured locally on the NAS (network access server). Local authentication is fast and cheap, but because the information is stored on the device itself, the amount of data that can be stored is usually relatively small.
Remote authentication
This method is more sophisticated: the authentication information is configured on a remote server, and the NAS passes the user's credentials to that authentication server, which performs the check.
One point deserves special attention. An authentication scheme can combine several methods, so that multiple authentication methods coexist. For example, if local authentication is configured first and remote authentication second, then when local authentication fails or does not respond, the request is handed over to remote authentication.
About authorization
Authorization refers to specifying which services a user is authorized to access on the network. AAA authorization methods support: no authorization, local authorization and remote authorization.
No authorization
No authorization processing is performed for the user: there are no restrictions on access, and any service the user wants to reach can be reached.
Local authorization
The user is authorized according to the authorization attributes configured on the NAS (network access server).
Remote authorization
The authorization information, such as the user's authorization level, is configured on and delivered by the remote server.
Special note: if an authorization scheme combines several methods, they take effect in the order in which they are configured, just as with authentication. For example, if remote authorization is configured first and local authorization second, then when the remote authorization method has a problem, the request switches to local authorization.
About accounting
Accounting records a user's use of a service or access to a resource. Unlike authentication and authorization, accounting has no local method; there are only two: no accounting and remote accounting.
No accounting
Used where network access and services are free of charge, for example the portal of an enterprise or a government portal.
Remote accounting
The remote server records the user's online time or service time so that the cost of the service can be calculated. For example, it can record the host name of a host, the time it came online, the duration of the service, and the uplink and downlink traffic during that period; from this, the traffic or service cost can be worked out.
AAA domain
Having covered authentication, authorization and accounting, let's look at the concept of the AAA domain. AAA manages users by domain: different domains can be associated with different authentication, authorization and accounting schemes.
In a computer network, each host belongs to its own domain. As shown in the figure below, PC1 belongs to areaA, and PC2 belongs to areaB. If the domain where the device is located is not configured, the default domain is default.
Summary
That is everything I wanted to share about AAA authentication. For the actual configuration, first configure the domain's authentication scheme, then configure the domain's authorization scheme and authorization method. As shown below
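As an added example (not the article's own configuration, and not taken from any vendor document), this is what the "schemes first, then bind them to the domain" procedure from the summary looks like on a Huawei VRP-style NAS, using the areaA domain from the figure. The server address 10.1.1.1, the scheme names, the user name pc1, the shared key and the password are placeholders; lines starting with # are annotations, not commands. The order of methods in each mode list is the fallback order the article describes.

```text
# 1. RADIUS server template used by the remote authentication and accounting methods
radius-server template rad-hq
 radius-server authentication 10.1.1.1 1812
 radius-server accounting 10.1.1.1 1813
 radius-server shared-key cipher <shared-key-placeholder>
#
aaa
# 2. Authentication scheme: local is tried first, radius second (order = fallback order)
 authentication-scheme auth-hq
  authentication-mode local radius
# 3. Authorization scheme: RADIUS delivers authorization attributes together with
#    the authentication reply, so only the local method is listed here
 authorization-scheme author-hq
  authorization-mode local
# 4. Accounting scheme: there is no local accounting, only remote (radius) or none
 accounting-scheme acct-hq
  accounting-mode radius
# 5. Local account that answers when the local method is used
 local-user pc1 password irreversible-cipher <password-placeholder>
 local-user pc1 service-type ssh
 local-user pc1 privilege level 3
# 6. Bind the three schemes and the server template to the domain
 domain areaA
  authentication-scheme auth-hq
  authorization-scheme author-hq
  accounting-scheme acct-hq
  radius-server rad-hq
```

A user logging in as pc1@areaA is handled by this domain; a user name without a domain suffix is handled by the default domain mentioned above.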
This article comes from IT One Finger Zen; if you reprint it, please contact IT One Finger Zen on Toutiao.