Configuring AAA Authorization Methods for an ISP Domain – H3C S7500E Series Switches User Manual (page 2-29)
• The authentication method configured with the authentication default command applies to all user types and has a lower priority than a method configured for a specific access mode. When both exist, the access-mode-specific method is used.
• With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result returned by the RADIUS server. The Access-Accept message from the server does carry authorization attributes, but the authentication process ignores them; they take effect only if RADIUS authorization is also configured for the domain.
• With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, local authentication is the backup method and is used only when the remote server is not available. A rejection returned by a reachable server is final and does not fall back to local authentication.
• If you specify only the local or none keyword in an authentication method configuration command, the device has no backup authentication method: it performs only local authentication, or performs no authentication at all.
• If the method for level switching authentication references an HWTACACS scheme, the device by default uses the login username of a user for level switching authentication of that user. If the method references a RADIUS scheme, the system uses the username configured for the corresponding privilege level on the RADIUS server rather than the original username (the login username or the username entered by the user). A username configured on the RADIUS server is in the format $enablevel$, where level is the privilege level to which the user wants to switch. For example, if user user1 of domain aaa wants to switch to privilege level 3, the system uses $enab3@aaa$ for authentication when the domain name is required and $enab3$ when it is not.
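As an added example that is not from the H3C manual: a Python model of how the authentication method lists described in the notes above are selected and evaluated (specific access mode over default; local backup consulted only when the remote server is unreachable; a server rejection is final), plus the username the device presents for privilege level switching. The access-type command names (default, login, lan-access, super) and the fallback to local authentication when a domain configures no method at all are assumptions; the domain configuration is constructed sample input.

```python
from typing import Dict, List, Tuple

# A method is ("local",), ("none",), ("radius-scheme", name) or ("hwtacacs-scheme", name).
Method = Tuple[str, ...]

# Constructed ISP-domain configuration (sample input, not from a real device).
# The method-list grammar follows the manual's notes; the access-type command
# names (default, login, lan-access, super) are assumed here.
DOMAIN_CONFIG = """\
domain aaa
 authentication default local
 authentication login radius-scheme rad1 local
 authentication lan-access radius-scheme rad1
 authentication super radius-scheme rad1
"""


def parse_domain(text: str) -> Dict[str, List[Method]]:
    """Map each 'authentication <access-type> ...' line to its method list."""
    methods: Dict[str, List[Method]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "authentication":
            continue
        access, rest = parts[1], parts[2:]
        chain: List[Method] = []
        i = 0
        while i < len(rest):
            tok = rest[i]
            if tok in ("radius-scheme", "hwtacacs-scheme"):
                if i + 1 >= len(rest):
                    raise ValueError(f"{tok} needs a scheme name: {raw!r}")
                chain.append((tok, rest[i + 1]))
                i += 2
            elif tok in ("local", "none"):
                chain.append((tok,))
                i += 1
            else:
                raise ValueError(f"unknown authentication method {tok!r}")
        methods[access] = chain
    return methods


def method_list(methods: Dict[str, List[Method]], access: str) -> List[Method]:
    """A method configured for a specific access type beats 'default'.
    A domain with neither falls back to local (assumed device default)."""
    if access in methods:
        return methods[access]
    return methods.get("default", [("local",)])


def authenticate(chain: List[Method], server_up: Dict[str, bool],
                 server_accepts: Dict[str, bool], local_ok: bool) -> str:
    """Evaluate a method list for one login attempt.

    A reachable remote server's verdict is final; a trailing 'local' keyword
    is consulted only when the server is unreachable. A chain that runs out
    of usable methods rejects, i.e. a scheme without 'local' has no backup."""
    for method in chain:
        kind = method[0]
        if kind == "none":
            return "accept"          # no authentication at all
        if kind == "local":
            return "accept" if local_ok else "reject"
        name = method[1]             # radius-scheme / hwtacacs-scheme
        if not server_up.get(name, False):
            continue                 # unreachable: try the backup method
        return "accept" if server_accepts.get(name, False) else "reject"
    return "reject"


def level_switch_username(super_chain: List[Method], login_user: str,
                          level: int, domain: str = None) -> str:
    """Username presented for privilege-level switching authentication:
    the login username for HWTACACS, $enab<level>[@<domain>]$ for RADIUS."""
    kind = super_chain[0][0]
    if kind == "hwtacacs-scheme":
        return login_user
    if kind == "radius-scheme":
        if not 0 <= level <= 3:      # S7500E privilege levels 0-3
            raise ValueError("privilege level must be 0-3")
        return f"$enab{level}@{domain}$" if domain else f"$enab{level}$"
    raise ValueError(f"level switching does not support {kind!r}")
```

The `authenticate` evaluation order is the point to check when reviewing a domain: `radius-scheme rad1 local` protects against a dead RADIUS server but does not turn a rejected password into a local login, while `radius-scheme rad1` on its own locks everyone out when the server is unreachable.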
Configuring AAA Authorization Methods for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and accounting. It sends authorization requests to the specified authorization servers and delivers the returned authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration.
AAA supports the following authorization methods:
• No authorization (none): the access device performs no authorization exchange. In this case, after passing authentication, non-login users can access the network, FTP users can access the default root directory of the device, and other login users have only Level 0 (visit) rights.
• Local authorization (local): the access device performs authorization according to the user attributes configured locally for the users.
• Remote authorization (scheme): the access device cooperates with a RADIUS or HWTACACS server to authorize users. RADIUS authorization is bound to RADIUS authentication: it can work only after RADIUS authentication succeeds, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization