Operation Manual – AAA
H3C S3100 Series Ethernet Switches
Chapter 2 AAA Configuration
Caution:
- You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented.
- If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal and there is no key-related problem or nas-ip related problem, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time.
- If you execute the scheme none command, the FTP users in the domain will not pass the authentication. So, to allow users to use the FTP service, you should not configure the none scheme.
II. Configuring separate AAA schemes
You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following lists the implementations available, when schemes are configured separately, for the services supported by AAA.
1) For terminal users
- Authentication: RADIUS, local, HWTACACS or none.
- Authorization: none or HWTACACS.
- Accounting: RADIUS, HWTACACS or none.
You can use an arbitrary combination of the above implementations for your AAA scheme configuration.
2) For FTP users
Only authentication is supported for FTP users.
Authentication: RADIUS, local, or HWTACACS.
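The following Python audit is an added example, not part of the H3C manual: it reads saved configuration text and reports, per domain, the conditions described in the caution list and in the separate-scheme section above (no authentication, no accounting, local fallback). The sample configuration is constructed; the domain and scheme names, the one-space indentation of domain-view lines, and the assumption that authentication and accounting take the same keywords as scheme are all assumptions of this example.

```python
# Constructed sample in the style of a saved configuration (assumed layout:
# "#" separates views, commands inside a domain view are indented one space).
SAMPLE_CONFIG = """\
#
domain lab
 scheme none
#
domain branch
 scheme radius-scheme rad1 local
#
domain ops
 scheme hwtacacs-scheme tac1 local
#
domain legacy
 scheme local
#
domain split
 authentication radius-scheme rad1
 accounting none
#
"""

def classify(words):
    """Return findings for one scheme/authentication/accounting line."""
    cmd, args = words[0], words[1:]
    out = []
    if args == ["none"] and cmd in ("scheme", "authentication"):
        out.append("no-authentication")   # FTP users in the domain also fail
    if args == ["none"] and cmd == "accounting":
        out.append("no-accounting")
    if args == ["local"] and cmd == "scheme":
        out.append("no-accounting")       # local scheme cannot do accounting
    if len(args) == 3 and args[2] == "local" and cmd in ("scheme", "authentication"):
        out.append("local-fallback:" + args[0])  # local used if server unreachable
    return out

def audit_domains(config_text):
    """Map each domain name to the findings for its AAA scheme lines."""
    findings, domain = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) == 2 and words[0] == "domain" and not raw.startswith(" "):
            domain = words[1]
            findings[domain] = []
        elif not raw.startswith(" "):
            domain = None                 # "#" or another top-level view
        elif domain and words and words[0] in ("scheme", "authentication", "accounting"):
            findings[domain] += classify(words)
    return findings
```

Domains reported with local-fallback are the ones whose local accounts become the effective authentication path whenever the RADIUS or TACACS server cannot be reached, so those local accounts deserve the same review as the server-side ones.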