No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


AAA Architecture

AAA uses the client/server structure. AAA architecture features good scalability and facilitates centralized user information management. Figure 1-2 shows the AAA architecture.

Figure 1-2  AAA architecture


AAA supports the following authentication modes:

  • Non-authentication: Users are completely trusted without validity check. This mode is rarely used.

  • Local authentication: User information is configured on the network access server (NAS). This mode features fast processing and low operation cost. The major limitation of local authentication is that information storage is subject to the device hardware capacity.

  • Remote authentication: User information is configured on the authentication server. AAA can remotely authenticate users through the Remote Authentication Dial In User Service (RADIUS) or Huawei Terminal Access Controller Access Control System (HWTACACS) protocol.


AAA supports the following authorization modes:

  • Non-authorization: Users are not authorized.

  • Local authorization: authorizes users according to the attributes configured on the NAS for the local user accounts.

  • HWTACACS authorization: authorizes users through the HWTACACS server.

  • RADIUS authorization: Users pass the RADIUS authorization upon passing the RADIUS authentication. RADIUS integrates authentication and authorization. Therefore, RADIUS authorization cannot be performed separately.

  • If-authenticated authorization: applies to scenarios where users must be authenticated and the authentication process is separated from the authorization process. That is, this mode is available for only local authentication and HWTACACS authentication, and is unavailable for RADIUS authentication.
    • After local authentication is successful, local authorization is used.
    • After HWTACACS authentication is successful, all rights are enabled. That is, HWTACACS authorization is not required.


AAA supports the following accounting modes:

  • Non-accounting: Users are not charged.

  • Remote accounting: supports remote accounting through the RADIUS or HWTACACS server.

Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 14746

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next