H3C Technologies H3C S5120 Series Switches User Manual

1-12

To do…

Use the command…

Remarks

Specify the authentication
method for LAN users

authentication lan-access
{ local | none | radius-scheme
radius-scheme-name [ local ] }

Optional

The default authentication
method is used by default.

Specify the authentication
method for login users

authentication login { local |
none | radius-scheme
radius-scheme-name [ local ] }

Optional

The default authentication
method is used by default.

z

The authentication method specified with the authentication default command is for all types of

users and has a priority lower than that for a specific access mode.

z

With an authentication method that references a RADIUS scheme, AAA accepts only the

authentication result from the RADIUS server. The Access-Accept message from the RADIUS

server does include the authorization information, but the authentication process ignores the

information.

z

With the radius-scheme radius-scheme-name local, keyword and argument combination

configured, local authentication is the backup method and is used only when the remote server is

not available.

z

If the primary authentication method is local or none, the system performs local authentication or

does not perform any authentication, and will not use any RADIUS authentication scheme.

Configuring AAA Authorization Methods for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its

responsibility is to send authorization requests to the specified authorization server and to send

authorization information to users. Authorization method configuration is optional in AAA configuration.

AAA supports the following authorization methods:

z

No authorization: No authorization exchange is performed. Every user is trusted and has the

corresponding default rights of the system.

z

Local authorization: Users are authorized by the access device according to the attributes

configured for them.

z

Remote authorization: The access device cooperates with a RADIUS server to authorize users.

RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only

after RADIUS authentication is successful, and the authorization information is carried in the

Access-Accept message. You can configure local authorization or no authorization as the backup

method to be used when the remote server is not available.

By default, an ISP domain uses the local authorization method. If the no authorization method (none) is

configured, the users are not required to be authorized, in which case an authenticated user has the

default right. The default right is visiting (the lowest one) for EXEC users (that is, console users who use

the console, AUX, or Telnet to connect to the device, such as Telnet or SSH users. Each connection of

these types is called an EXEC user). The default right for FTP users is to use the root directory of the

device.

Before configuring authorization methods, complete these three tasks: