H3C Technologies H3C S12500 Series Switches User Manual
Page 30

Keywords: scheme
Authentication mode: Remote AAA authentication through HWTACACS or RADIUS
Description: The switch sends the username and password for privilege level switching to the HWTACACS or RADIUS server for remote authentication.
To use this mode, you must perform the following configuration tasks:
• Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the schemes for users. For more information, see Security Configuration Guide.
• Add user accounts and specify the user passwords on the HWTACACS or RADIUS server.

Keywords: local scheme
Authentication mode: Local password authentication first and then remote AAA authentication
Description: The switch authenticates a user by using the local password first, and if no password for privilege level switching is set, for the user logged in from the console port, the privilege level is switched directly; for the user logged in from any of the AUX or VTY user interfaces, the AAA authentication is performed.

Keywords: scheme local
Authentication mode: Remote AAA authentication first and then local password authentication
Description: AAA authentication is performed first, and if the remote HWTACACS or RADIUS server does not respond or AAA configuration on the switch is invalid, the local password authentication is performed.

To configure the authentication parameters for a user privilege level:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Set the authentication mode for user privilege level switching.
Command: super authentication-mode { local | scheme } *
Remarks: Optional. By default, local-only authentication is used.

Step 3. Configure the password for user privilege level switching.
Command: super password [ level user-level ] [ hash ] { simple | cipher } password
Remarks:
• This step is required when local authentication is involved.
• By default, a privilege level has no password.
• The hash keyword is not supported in FIPS mode.
• Executing this command without specifying the user privilege level configures a password for user privilege level 3.
• You cannot configure the super password [ level user-level ] hash cipher password command when the password-control enable command is configured.

If local-only authentication is used, a console user interface user can switch to a higher privilege level,
even if the privilege level has not been assigned a password. Console user interface users include users
logged in through the console port and users logged in through the AUX port used as the console port.
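
The rules in the tables and note above can be checked against a planned configuration before it is deployed. The following Python sketch is an added example, not part of the H3C manual or any H3C tool: the function name `audit_super`, the sample configuration, and the assumption that commands appear in the configuration text exactly in the syntax shown on this page are all illustrative.

```python
import re

# Constructed sample config. Command forms follow the syntax on this page;
# the password value is a placeholder, not real device output.
SAMPLE_CONFIG = """\
password-control enable
super authentication-mode local scheme
super password level 2 hash cipher PLACEHOLDER
"""

MODE_RE = re.compile(
    r"^\s*super authentication-mode\s+((?:local|scheme)(?:\s+(?:local|scheme))?)\s*$")
PWD_RE = re.compile(
    r"^\s*super password(?:\s+level\s+(\d+))?(\s+hash)?\s+(simple|cipher)\s+\S+")

def audit_super(config_text, levels=(3,), fips_mode=False):
    """Return (mode, findings) for privilege level switching (hypothetical helper)."""
    mode = ["local"]        # default: local-only authentication
    passwords = {}          # level -> (uses_hash, "simple" | "cipher")
    pwd_control = False
    for line in config_text.splitlines():
        if line.strip() == "password-control enable":
            pwd_control = True
        elif (m := MODE_RE.match(line)):
            mode = m.group(1).split()
        elif (m := PWD_RE.match(line)):
            level = int(m.group(1)) if m.group(1) else 3   # no level given: level 3
            passwords[level] = (bool(m.group(2)), m.group(3))
    findings = []
    for lvl in levels:
        if "local" in mode and lvl not in passwords:
            findings.append(
                f"level {lvl}: local authentication is involved but no password is set")
            if mode[0] == "local":   # local-only, or local tried before scheme
                findings.append(
                    f"level {lvl}: console users switch to this level without a password")
    for lvl, (uses_hash, kind) in sorted(passwords.items()):
        if uses_hash and fips_mode:
            findings.append(f"level {lvl}: hash keyword is not supported in FIPS mode")
        if uses_hash and kind == "cipher" and pwd_control:
            findings.append(f"level {lvl}: hash cipher conflicts with password-control enable")
    return mode, findings

if __name__ == "__main__":
    for finding in audit_super(SAMPLE_CONFIG)[1]:
        print(finding)
```

Pass the privilege levels you want covered in `levels`; only level 3 is checked by default because it is the level this page names.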