Configuring separate aaa schemes – H3C Technologies H3C S3100 Series Switches User Manual

2-5

• Use the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme for all three AAA functions. If you adopt the local scheme, only authentication and authorization are implemented; accounting is not.

• If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.

• If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if communication between the switch and a TACACS server is normal and there is no key-related or nas-ip-related problem, no local authentication is performed; otherwise, local authentication is performed.

• If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify a RADIUS scheme or an HWTACACS scheme at the same time.

• If you execute the scheme none command, FTP users in the domain cannot pass authentication. To allow users to use the FTP service, do not configure the none scheme.

• If scheme switching occurs during authentication, local authorization and accounting are performed. If no scheme switching occurs during authentication, authorization and accounting use the primary scheme.

• The AAA scheme specified with the scheme command applies to all types of users and has a lower priority than a scheme specified for a specific access type (that is, one specified with the scheme lan-access or scheme login command).

• If you use the scheme lan-access radius-scheme radius-scheme-name none command, the none scheme is used as the secondary scheme in case no RADIUS server is available. That is, if communication between the switch and a RADIUS server is normal, the primary scheme is used; if the RADIUS server is not reachable, no authentication is performed. This configuration ensures that LAN users can access the network when the primary remote server does not respond. Another merit of specifying none instead of local as the secondary scheme is that you need not configure local users on the switch. Note that this is a fail-open design: while the RADIUS server is unreachable, every user in the domain is admitted without presenting credentials, so weigh that exposure against the availability gain before choosing none rather than local as the secondary scheme.
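The fail-open and fall-back-to-local variants described in the list above, side by side, as an added configuration example that is not taken from the manual. The scheme name rs1, the server and NAS addresses, the shared key, the local account and the domain names are placeholders; lines beginning with # are annotations rather than CLI input, and the command syntax follows the Comware 3 conventions this manual documents (radius scheme view, local-user view, domain view).

```text
# Added example, not from the manual. Placeholder names, addresses and keys throughout.
# Strip the '#' annotation lines before pasting into the CLI.

system-view

# RADIUS scheme that both domains below refer to. The nas-ip and the two keys must
# match what the RADIUS server expects, or the switch treats the server as failed
# and falls through to the secondary scheme.
radius scheme rs1
 primary authentication 192.168.10.5 1812
 primary accounting 192.168.10.5 1813
 key authentication S3cretKey
 key accounting S3cretKey
 nas-ip 192.168.10.1
 quit

# Local account consulted only while rs1 is unreachable (placeholder credentials).
local-user fallback-user
 password cipher Fallback-Pass1
 service-type lan-access
 quit

# WEAK: fails open. While rs1 does not respond, every LAN-access user in this
# domain is admitted with no authentication and no local account is needed.
domain open-lan
 scheme lan-access radius-scheme rs1 none
 quit

# SAFER: falls back to the local user database instead of admitting everyone, so a
# RADIUS outage still requires a credential that exists on the switch. During the
# fallback only authentication and authorization are performed; the local scheme
# does not implement accounting.
domain secure-lan
 scheme radius-scheme rs1 local
 quit
```

The open-lan domain uses the access-type-specific scheme lan-access command, which takes priority over a general scheme command in the same domain; the secure-lan domain uses the general scheme command, so it applies to all user types unless a lan-access or login scheme is also configured there.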

Configuring separate AAA schemes

Authentication, authorization, and accounting are separate processes. Authentication is the interactive exchange of username, password, and other user information that takes place when a user requests access or a service. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.

AAA supports the following authentication methods:

• No authentication (none): All users are trusted and no authentication is performed. Generally, this method is not recommended.
