H3C Technologies H3C S5120 Series Switches User Manual

Page 419


1) Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access.

2) Determine whether to configure an authorization method for all access modes or service types.

Follow these steps to configure AAA authorization methods for an ISP domain:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter ISP domain view | domain isp-name | |
| Specify the default authorization method for all types of users | authorization default { local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. local by default. |
| Specify the authorization method for command line users | authorization command { local \| none } | Optional. The default authorization method is used by default. |
| Specify the authorization method for LAN users | authorization lan-access { local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. The default authorization method is used by default. |
| Specify the authorization method for login users | authorization login { local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. The default authorization method is used by default. |

• The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.

• RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

• With the radius-scheme radius-scheme-name local keyword and argument combination configured, local authorization or no authorization is the backup method and is used only when the remote server is not available.

• If the primary authorization method is local or none, the system performs local authorization or does not perform any authorization; it will never use the RADIUS authorization scheme.

• The authorization information of the RADIUS server is sent to the RADIUS client along with the authentication response message; therefore, you cannot specify a separate RADIUS authorization server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message.
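The rules in the notes above can be checked offline against a saved configuration. The following audit script is an added example, not part of the H3C manual: it resolves the effective authorization method per access type (a specific setting overrides the default, and local applies when nothing is set) and flags `none` and RADIUS authorization schemes that differ from the authentication scheme. The sample configuration, the scheme names `rd1`/`rd2`, the function names, the saved-configuration layout, and the `authentication …` lines (assumed to mirror the authorization syntax and its default, which this page does not show) are all assumptions.

```python
import re

ACCESS_TYPES = ("command", "lan-access", "login")

# Constructed sample; layout (unindented "domain" line, indented sub-commands) is assumed.
SAMPLE_CONFIG = """
domain corp
 authentication login radius-scheme rd1 local
 authorization login radius-scheme rd2 local
 authorization command none
domain lab
 authentication default radius-scheme rd1
 authorization default radius-scheme rd1 local
 authorization lan-access local
"""

def parse_domains(config):
    """Collect each domain's authentication/authorization lines, keyed by access type."""
    domains, current = {}, None
    for line in config.splitlines():
        m = re.match(r"domain (\S+)\s*$", line)
        if m:
            current = domains.setdefault(m.group(1), {"authentication": {}, "authorization": {}})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 3 and parts[0] in current:
                current[parts[0]][parts[1]] = parts[2:]  # e.g. ["radius-scheme", "rd1", "local"]
        else:
            current = None  # left the domain view
    return domains

def effective(methods, access):
    """A per-access-type method overrides 'default'; with neither set, local applies."""
    return methods.get(access) or methods.get("default") or ["local"]

def audit(config):
    findings = []
    for name, dom in parse_domains(config).items():
        for access in ACCESS_TYPES:
            authz = effective(dom["authorization"], access)
            if authz[0] == "none":
                findings.append((name, access, "no authorization is performed"))
            elif authz[0] == "radius-scheme" and access != "command":
                authn = effective(dom["authentication"], access)
                if authn[:2] != authz[:2]:  # must name the same RADIUS scheme
                    findings.append((name, access, "RADIUS authorization will not take effect: "
                                     "scheme differs from the authentication scheme"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

The RADIUS comparison is skipped for command line users because the table above offers only local and none for that access type.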

Configuring AAA Accounting Methods for an ISP Domain

In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server. Accounting is not required, and therefore accounting method configuration is optional.
