Operation Manual – AAA-RADIUS-HWTACACS
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 AAA/RADIUS/HWTACACS Configuration
Note:
- The authorization scheme specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.
- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.
- With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or TACACS server is not available.
- If the primary authentication scheme is local or none, the system performs local authorization or does not perform any authorization, rather than using the RADIUS or HWTACACS scheme.
- Authorization information of the RADIUS server is sent to the RADIUS client along with the authorization response message; therefore, you cannot specify a separate RADIUS server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message.
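The rules in the note above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the manual or of H3C's software. It assumes that the ISP domain view begins with a "domain" line and that "authentication default" takes the same arguments as the "authorization default" command named in the note; the domain and scheme names are made up.

```python
import re

# Constructed sample configuration (not from the manual). Domain and scheme
# names are made up; "authentication default" is assumed to take the same
# arguments as the "authorization default" command named in the note.
SAMPLE_CONFIG = """\
domain good
 authentication default radius-scheme rad1 local
 authorization default radius-scheme rad1 local
domain mismatch
 authentication default radius-scheme rad1
 authorization default radius-scheme rad2
domain localfirst
 authentication default local
 authorization default radius-scheme rad1
"""

LINE = re.compile(r"^\s+(authentication|authorization) default (.+)$")

def parse_domains(text):
    """Return {domain: {"authentication": [tokens], "authorization": [tokens]}}."""
    domains, current = {}, None
    for line in text.splitlines():
        if line.startswith("domain "):
            current = domains.setdefault(line.split()[1], {})
        elif current is not None and (m := LINE.match(line)):
            current[m.group(1)] = m.group(2).split()
    return domains

def radius_scheme(tokens):
    """Name of the RADIUS scheme when it is the primary method, else None."""
    if len(tokens) >= 2 and tokens[0] == "radius-scheme":
        return tokens[1]
    return None

def audit(text):
    """Return sorted (domain, finding) pairs for the rules stated in the note."""
    findings = []
    for name, cfg in parse_domains(text).items():
        authn = cfg.get("authentication", [])
        authz_scheme = radius_scheme(cfg.get("authorization", []))
        if authz_scheme is None:
            continue  # no RADIUS authorization configured, nothing to check
        if authn and authn[0] in ("local", "none"):
            # Primary authentication is local/none: RADIUS authorization is not used.
            findings.append((name, "radius-authorization-ignored"))
        elif radius_scheme(authn) != authz_scheme:
            # RADIUS authorization only takes effect with the same scheme.
            findings.append((name, "radius-scheme-mismatch"))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports the "localfirst" and "mismatch" domains and leaves "good" unflagged.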
1.3.6 Configuring an AAA Accounting Scheme for an ISP Domain
In AAA, accounting is a separate process at the same level as authentication and
authorization. Its responsibility is to send accounting start/update/end requests to the
specified accounting server. Accounting is not required, and therefore accounting
scheme configuration is optional. If you do not perform any accounting configuration,
the system-default domain uses the local accounting scheme.
Before configuring an accounting scheme, complete these three tasks:
1) For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS
scheme to be referenced first. The local and none authentication modes do not
require any scheme.
2) Determine the access mode or service type to be configured. With AAA, you can
configure an accounting scheme specifically for each access mode and service
type, limiting the accounting protocols that can be used for access.
3) Determine whether to configure an accounting scheme for all access modes or
service types.