3Com 10014298 Switch User Manual

216 CHAPTER 9: AAA AND RADIUS OPERATION
The network security mentioned here refers to access control, including:
Which users can access the network server
Which services an authorized user can use
How to keep accounting records for users who consume network resources
AAA provides the following services:
Authenticates whether the user can access the network server.
Authorizes the user with specified services.
Accounts for network resources that are consumed by the user.
Generally, by applying a client/server architecture, the AAA framework has the
following advantages:
Good scalability.
Ability to use standard authentication schemes.
Easy control and convenient centralized management of user information.
Ability to use multiple-level backup systems to enhance the security of the
whole framework.
As mentioned above, AAA is a management framework, so it can be implemented
by several protocols. RADIUS is frequently used.
Remote Authentication Dial-In User Service (RADIUS) is a distributed information
exchange protocol based on a client/server architecture. RADIUS protects the
network from disruption by unauthorized access, and it is often used in network
environments that require both high security and remote user access. For example,
it is often used to manage a large number of scattered dial-in users who connect
through serial ports and modems. The RADIUS system is an important auxiliary part
of the Network Access Server (NAS).
After the RADIUS system is started, when a user wants to access other networks or
use network resources by connecting to a NAS (a dial-in access server in a PSTN
environment, or an Ethernet switch with access functions in an Ethernet
environment), the RADIUS client transmits the user's AAA request to the RADIUS
server. The RADIUS server maintains a user database that records all user
authentication and network service information. On receiving the user's request
from the NAS, the RADIUS server performs AAA by querying and updating the user
database, and returns configuration information and accounting data to the NAS.
The NAS then controls the supplicant and the corresponding connections, while the
RADIUS protocol regulates how configuration and accounting information is
transmitted between the NAS and the RADIUS server.
The NAS and the RADIUS server exchange information in UDP packets. During the
exchange, both sides encrypt sensitive user configuration information (such as
passwords) with a key before sending it, so that it cannot be intercepted or stolen.
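The following Python is an added illustration of the key-based protection described above; it is not code from the 3Com manual or the switch firmware. It implements the User-Password hiding scheme standardized in RFC 2865 section 5.2, where only the User-Password attribute is obscured, using the shared secret held by the NAS and the server together with the 16-byte Request Authenticator of the Access-Request; the secret, authenticator and password values are constructed samples.

```python
import hashlib


def _xor_block(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a User-Password attribute as the NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block is
    XORed with MD5(shared_secret + previous_cipher_block); for the first block
    the "previous block" is the Request Authenticator of the Access-Request.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128 or b"\x00" in password:
        raise ValueError("password must be 1..128 bytes and contain no NUL")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        cipher_block = _xor_block(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += cipher_block
        prev = cipher_block  # chaining: the next key stream depends on this block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password on the server side, which holds the same shared secret."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16:
        raise ValueError("hidden password must be 16..128 bytes in 16-byte blocks")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        out += _xor_block(cipher_block, hashlib.md5(secret + prev).digest())
        prev = cipher_block
    return bytes(out).rstrip(b"\x00")  # strip the RFC padding


# Constructed sample values, not taken from any real deployment.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # a real NAS uses 16 unpredictable bytes
SAMPLE_PASSWORD = b"switch-admin-pw"


def round_trip(password: bytes = SAMPLE_PASSWORD, secret: bytes = SAMPLE_SECRET) -> bool:
    """NAS hides the password; a server with the same secret recovers it."""
    hidden = hide_user_password(password, secret, SAMPLE_AUTHENTICATOR)
    return reveal_user_password(hidden, secret, SAMPLE_AUTHENTICATOR) == password
```

Because the hiding depends entirely on the shared secret and on an unpredictable Request Authenticator, the secret must be kept confidential and unique per NAS, and the rest of the packet travels in the clear.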