H3C Technologies H3C SecPath F1000-E User Manual


Determine whether to configure an authentication method for all access types or service types.

Follow these guidelines when you configure AAA authentication methods for an ISP domain:

• The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access type.

• With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also carries the authorization information, but the authentication process ignores the information.

• If you specify the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local option when you configure an authentication method, local authentication is the backup method and is used only when the remote server is not available.

• If you specify only the local or none keyword in an authentication method configuration command, the firewall has no backup authentication method and performs only local authentication or does not perform any authentication.

• If the method for level switching authentication references an HWTACACS scheme, the firewall uses the login username of a user for level switching authentication of the user by default. If the method for level switching authentication references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server for level switching authentication, rather than the login username. A username configured on the RADIUS server is in the format of $enablevel$, where level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the domain name is required and uses $enab3$ for authentication when the domain name is not required.

To configure AAA authentication methods for an ISP domain:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter ISP domain view.
  Command: domain isp-name
  Remarks: N/A

Step 3. Specify the default authentication method for all types of users.
  Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is local for all types of users.

Step 4. Specify the authentication method for DVPN users.
  Command: authentication dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is used by default.

Step 5. Specify the authentication method for login users.
  Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is used by default.

Step 6. Specify the authentication method for portal users.
  Command: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is used by default.

Step 7. Specify the authentication method for PPP users.
  Command: authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is used by default.
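The following ISP domain configuration is an added example, not taken from the manual, that applies the guidelines above: the default method references a RADIUS scheme with local as the backup, login users are authenticated through an HWTACACS scheme (the access-type-specific method takes priority over the default), portal users use local authentication only, and DVPN and PPP users fall through to the default. The domain name corp, the scheme names rs-auth and tac-auth, and the Firewall prompts are assumptions; the schemes must already exist.

```text
# Lines beginning with # are editorial annotations, not CLI input.
# Assumed: RADIUS scheme rs-auth and HWTACACS scheme tac-auth already configured.
<Firewall> system-view
[Firewall] domain corp
# Default for every access type: RADIUS first, local only if the server is unreachable.
[Firewall-isp-corp] authentication default radius-scheme rs-auth local
# Login users: overrides the default for this access type; HWTACACS with local backup.
# Because this references an HWTACACS scheme, level switching uses the login username.
[Firewall-isp-corp] authentication login hwtacacs-scheme tac-auth local
# Portal users: local only. With only the local keyword there is no remote method at all.
[Firewall-isp-corp] authentication portal local
# No authentication dvpn or authentication ppp command: both use the default (rs-auth, then local).
# Avoid "authentication ppp none": it admits PPP users without any authentication.
```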
