To configure AAA authentication methods for an ISP domain:

1. Enter system view.
   Command: system-view
2. Enter ISP domain view.
   Command: domain isp-name
3. Specify the default authentication method for all types of users.
   Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. It is set to local by default.
4. Specify the authentication method for LAN users.
   Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
   Remarks: Optional. The default authentication method is used by default.
5. Specify the authentication method for login users.
   Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is used by default.
6. Specify the authentication method for privilege level switching.
   Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
   Remarks: Optional. The default authentication method is used by default.
The authentication method specified with the authentication default command applies to all types of users and has a lower priority than the method configured for a specific access type.
With an authentication method that references a RADIUS scheme, AAA accepts only the authentication
result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the
authorization information, but the authentication process ignores the information.
If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local option when you configure an authentication method, local authentication is the backup method and is used only when the remote server is not available.
If you specify only the local or none keyword in an authentication method configuration command, the switch has no backup authentication method: it performs only local authentication, or it does not perform any authentication at all.
If the method for level switching authentication references an HWTACACS scheme, the switch by default uses the login username of the user for level switching authentication. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the login username. A username configured on the RADIUS server is in the format $enablevel$ (the literal string $enab, followed by the level, followed by $), where level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch to privilege level 3, the system uses $enab3@aaa$ for authentication when the domain name is required and $enab3$ when the domain name is not required.
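The priority, backup and level-switching rules above are easy to misread, so here is an added Python model of them (illustration only, not switch code; the domain name aaa, the scheme names rad1 and tac1, and user user1 are constructed). It shows that a specific access type overrides the default, that local after a remote scheme is used only when the server is unreachable, that local or none alone has no backup, and which username is presented for privilege level switching.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class IspDomain:
    """Authentication methods of one ISP domain, as set by the commands above."""
    name: str
    default: Tuple[str, ...] = ("local",)       # authentication default (local by default)
    lan_access: Optional[Tuple[str, ...]] = None  # authentication lan-access
    login: Optional[Tuple[str, ...]] = None       # authentication login
    super_: Optional[Tuple[str, ...]] = None      # authentication super

def effective_chain(domain: IspDomain, access_type: str) -> Tuple[str, ...]:
    """A method configured for the access type has priority; otherwise the default applies."""
    specific = {"lan-access": domain.lan_access,
                "login": domain.login,
                "super": domain.super_}[access_type]
    return specific if specific else domain.default

def authenticate(chain, server_reachable: bool, server_accepts: bool, local_ok: bool):
    """Walk the chain in order. A remote scheme's verdict is final when the server answers;
    a following 'local' is only a backup for an unreachable server. Returns (granted, method)."""
    for method in chain:
        kind = method.split()[0]
        if kind in ("radius-scheme", "hwtacacs-scheme"):
            if server_reachable:
                return server_accepts, method   # only the server's result counts
            continue                            # server unavailable: try the backup, if any
        if kind == "local":
            return local_ok, method
        if kind == "none":
            return True, method                 # no authentication performed
    return False, None                          # no backup method configured

def super_username(domain: IspDomain, chain, login_user: str, level: int, domain_required: bool) -> str:
    """Username presented for privilege level switching (HWTACACS: login name; RADIUS: $enab<level>$)."""
    if chain[0].startswith("hwtacacs-scheme"):
        return login_user
    return f"$enab{level}@{domain.name}$" if domain_required else f"$enab{level}$"

if __name__ == "__main__":
    # Constructed domain: login users via RADIUS with local backup, level switching via RADIUS.
    aaa = IspDomain(name="aaa", login=("radius-scheme rad1", "local"), super_=("radius-scheme rad1",))
    print(effective_chain(aaa, "lan-access"))                       # ('local',) from the default
    print(authenticate(effective_chain(aaa, "login"), False, False, True))  # (True, 'local')
    print(super_username(aaa, effective_chain(aaa, "super"), "user1", 3, True))  # $enab3@aaa$
```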
Configuring AAA authorization methods for an ISP domain
In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration.
AAA supports the following authorization methods: