Operation Manual – AAA-RADIUS-HWTACACS
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 AAA/RADIUS/HWTACACS Configuration
Note:
- The authentication scheme specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.
- With a RADIUS authentication scheme configured, AAA accepts only the authentication result from the RADIUS server. The response from the RADIUS server does include the authorization information when the authentication is successful, but the authentication process ignores the information.
- With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or TACACS server is not available.
- If the primary authentication scheme is local or none, the system performs local authentication or does not perform any authentication, rather than using the RADIUS or HWTACACS scheme.
1.3.5 Configuring an AAA Authorization Scheme for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to authorized users. Authorization scheme configuration is optional in AAA configuration.
If you do not perform any authorization configuration, the system-default domain uses the local authorization scheme. With the authorization scheme of none, the users are not required to be authorized, in which case an authenticated user has the default right. The default right is visiting (the lowest one) for EXEC users, that is, command line users, such as those using Telnet or SSH. The default right for FTP users is to use the root directory of the device.
Before configuring an authorization scheme, complete these three tasks:
1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2) Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access.
3) Determine whether to configure an authorization scheme for all access modes or service types.
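The rules in the note and in the prerequisites above can be checked mechanically when reviewing a saved domain configuration. The following Python audit is an added example, not part of the manual or of H3C software. Only the authentication default command and the radius-scheme/hwtacacs-scheme ... local keywords come from this page; the authorization lines, the login access mode, and the scheme names rd1, rd2 and tac1 are assumptions made for the illustration.

```python
# Added example: audits one ISP domain's AAA lines against the rules in this section.
# Line forms other than "authentication default" are assumed for illustration.
SAMPLE = """\
authentication default radius-scheme rd1 local
authentication login none
authorization default radius-scheme rd2 local
authorization login hwtacacs-scheme tac1 local
"""  # constructed sample, not taken from a real device

def parse(text):
    """Return {(service, mode): (primary, scheme_name, has_local_backup)}."""
    cfg = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("authentication", "authorization"):
            continue
        primary = tok[2]
        name = tok[3] if primary.endswith("-scheme") and len(tok) > 3 else None
        backup = name is not None and len(tok) > 4 and tok[-1] == "local"
        cfg[(tok[0], tok[1])] = (primary, name, backup)
    return cfg

def effective(cfg, service, mode):
    """A scheme for a specific access mode takes priority over the default one."""
    # With nothing configured, the section says the local scheme applies.
    return cfg.get((service, mode)) or cfg.get((service, "default")) or ("local", None, False)

def audit(text, modes=("login",)):
    """Return (access_mode, finding) pairs for the given configuration text."""
    cfg, findings = parse(text), []
    for mode in ("default",) + tuple(modes):
        authn = effective(cfg, "authentication", mode)
        authz = effective(cfg, "authorization", mode)
        if authn[0] == "none":
            findings.append((mode, "no authentication is performed"))
        if authz[0] == "none":
            findings.append((mode, "no authorization: users get the default right"))
        if authz[0] == "radius-scheme" and authz[:2] != authn[:2]:
            findings.append((mode, "RADIUS authorization scheme differs from the "
                                   "authentication scheme and does not take effect"))
        for svc, (_, name, backup) in (("authentication", authn), ("authorization", authz)):
            if backup:
                findings.append((mode, f"{svc} falls back to local if {name} is unreachable"))
    return findings

if __name__ == "__main__":
    for mode, finding in audit(SAMPLE):
        print(f"[{mode}] {finding}")
```

The fallback findings are informational: they mark the access modes where the local user database becomes the deciding scheme during a server outage, so those local accounts deserve the same review as the server-side ones.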