Configuring separate aaa schemes – H3C Technologies H3C WX3000 Series Unified Switches User Manual


- If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the device and a TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time.
- If you execute the scheme none command, the FTP users in the domain will not pass authentication. So, to allow users to use the FTP service, you should not configure the none scheme.

Configuring separate AAA schemes

You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following lists the schemes available for each function in this separate configuration, for each type of service that AAA supports.

1) For terminal users

- Authentication: RADIUS, local, HWTACACS or none.
- Authorization: none or HWTACACS.
- Accounting: RADIUS, HWTACACS or none.

You can use an arbitrary combination of the above implementations for your AAA scheme configuration.

2) For FTP users

Only authentication is supported for FTP users.

Authentication: RADIUS, local, or HWTACACS.

Follow these steps to configure separate AAA schemes:

Step 1: Enter system view
  Command: system-view

Step 2: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
  Command: domain isp-name
  Remarks: Required

Step 3: Configure an authentication scheme for the ISP domain
  Command: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
  Remarks: Optional. By default, no separate authentication scheme is configured.

Step 4: Configure an authorization scheme for the ISP domain
  Command: authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
  Remarks: Optional. By default, no separate authorization scheme is configured.

Step 5: Configure an accounting scheme for the ISP domain
  Command: accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
  Remarks: Optional. By default, no separate accounting scheme is configured.
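As an added example that is not part of the H3C manual, the following Python lint checks the separate-scheme commands of one ISP domain against the syntax table and the restrictions stated above (the `[ local ]` backup only in the authentication syntax, `none` authentication blocking FTP users, and authorization/accounting not applying to FTP users); the domain lines it is run on are constructed sample input.

```python
# Constructed example (not H3C code): lint one ISP domain's separate AAA scheme
# commands against the syntax table and restrictions on this page.
ALLOWED = {  # scheme types each separate AAA command accepts
    "authentication": {"radius-scheme", "hwtacacs-scheme", "local", "none"},
    "authorization": {"none", "hwtacacs-scheme"},
    "accounting": {"none", "radius-scheme", "hwtacacs-scheme"},
}

def parse_line(line):
    """Parse one authentication/authorization/accounting command into a dict."""
    tokens = line.split()
    if not tokens or tokens[0] not in ALLOWED:
        raise ValueError(f"not a separate AAA scheme command: {line!r}")
    func, args = tokens[0], tokens[1:]
    if not args or args[0] not in ALLOWED[func]:
        raise ValueError(f"{func}: expected one of {sorted(ALLOWED[func])}")
    stype, name, backup_local = args[0], None, False
    if stype.endswith("-scheme"):
        if len(args) < 2:
            raise ValueError(f"{func}: {stype} needs a scheme name")
        name, rest = args[1], args[2:]
        # A trailing 'local' backup is only part of the authentication syntax.
        if rest == ["local"] and func == "authentication":
            backup_local = True
        elif rest:
            raise ValueError(f"{func}: unexpected tokens {rest}")
    elif args[1:]:
        raise ValueError(f"{func}: '{stype}' takes no arguments")
    return {"func": func, "type": stype, "name": name, "backup_local": backup_local}

def audit_domain(lines, ftp_users=False):
    """Return findings (errors, warnings, notes) for a domain's AAA scheme lines."""
    findings, schemes = [], {}
    for line in lines:
        try:
            parsed = parse_line(line)
        except ValueError as err:
            findings.append(f"error: {err}")
            continue
        schemes[parsed["func"]] = parsed
    authn = schemes.get("authentication")
    if authn and authn["type"] == "none" and ftp_users:
        findings.append("warning: 'authentication none' means FTP users cannot pass authentication")
    if authn and authn["name"] and not authn["backup_local"]:
        findings.append(f"warning: authentication via {authn['name']} has no 'local' backup for when no server is available")
    if ftp_users:  # only authentication applies to FTP users
        findings += [f"note: {func} does not apply to FTP users (authentication only)"
                     for func in ("authorization", "accounting") if func in schemes]
    return findings
```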
