99. The user enters the password.10. After receiving the login password, the HWTACACS client sends the HWTACACS server acontinue-authentication packet that carries the login password.11. The HWTACACS server sends back an authentication response to indicate that the user haspassed authentication.12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.13. The HWTACACS server sends back the authorization response, indicating that the user is nowauthorized.14. Detecting that the user is now authorized, the HWTACACS client pushes its CLI to the user.15. The HWTACACS client sends a start-accounting request to the HWTACACS server.16. The HWTACACS server sends back an accounting response, indicating that it has received thestart-accounting request.17. The user logs off.18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.19. The HWTACACS server sends back a stop-accounting response, indicating that thestop-accounting request has been received.Domain-based user managementA NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NASdetermines the ISP domain for a user by the username entered by the user at login, as shown in Figure7.Figure 7 Determining the ISP domain of a user by the usernameAuthentication, authorization, and accounting of a user depend on the AAA methods configured for thedomain to which the user belongs. If no specific AAA methods are configured for the domain, defaultmethods are used. By default, a domain uses local authentication, local authorization, and localaccounting.AAA allows you to manage users based on their access types:• LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access thenetwork.• Login users—Users who want to log in to the device, including SSH users, Telnet users, FTP users,and terminal users.• Portal users—Users who must pass portal authentication to access the network.
