Introduction to AAA
AAA is the abbreviation for Authentication, Authorization and Accounting:
- Authentication: Authenticates users' identities.
- Authorization: Grants certain privileges according to the configuration.
- Accounting: Records the fees users should pay for their network resource usage.
Hillstone devices support the following authentication methods:
- Local authentication: User information (including username, password and properties) is configured on Hillstone devices. Local authentication is fast and can reduce operating costs, but the amount of information that can be stored is limited by the hardware of the device. By default, Hillstone devices use local authentication.
- External authentication: Hillstone devices also support external authentication over the RADIUS and LDAP protocols. User information is stored on an external RADIUS or LDAP server, and Hillstone devices authenticate users against that RADIUS or LDAP server.
Hillstone devices support the following authorization methods:
- Local authorization: Authorizes user privileges according to the configurations of Hillstone devices.
- Authorization after external authentication: RADIUS/LDAP authentication is mapped to an authorization.
External Authentication Procedure
When a user has established a connection from a terminal to a Hillstone device and gained access or management privilege, the Hillstone device can authenticate the user via the configured RADIUS or LDAP server. The diagram below shows the external authentication procedure:

As shown above, the procedure is:
- The user sends username and password to the Hillstone device.
- The Hillstone device receives the username and password and then sends an authentication request to the RADIUS/LDAP server.
- If the request is valid, the RADIUS/LDAP server performs authentication. If authentication passes, the RADIUS/LDAP server returns the information configured by the user to the Hillstone device; otherwise it returns denial information. The security of the communication between the Hillstone device and the RADIUS/LDAP server is guaranteed by the shared secret (secret key or cipher text).