
Configuring AAA Accounting Methods for an ISP Domain – H3C Technologies H3C S7500E Series Switches User Manual


• The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.

• RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

• With the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name [ local | none ] keyword and argument combination configured, local authorization or no authorization is the backup method and is used only when the remote server is not available.

• If you specify only the local or none keyword in an authorization method configuration command, the device has no backup authorization method and performs only local authorization or does not perform any authorization.

• The authorization information of the RADIUS server is sent to the RADIUS client along with the authentication response message; therefore, you cannot specify a separate RADIUS authorization server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message.

Configuring AAA Accounting Methods for an ISP Domain

In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server. Accounting is not required, and therefore accounting method configuration is optional.

AAA supports the following accounting methods:

• No accounting (none): The system does not perform accounting for the users.

• Local accounting (local): Local accounting is implemented on the access device. It is for counting and controlling the number of local user connections; it does not provide statistics for charging.

• Remote accounting (scheme): The access device cooperates with a RADIUS server or HWTACACS server for accounting of users. You can configure local accounting as the backup method to be used when the remote server is not available.

By default, an ISP domain uses the local accounting method.
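The authorization notes and accounting methods above can be checked mechanically when reviewing a device configuration. The following is an added example, not part of the H3C manual: a small Python audit over a constructed configuration sample, which assumes that authentication and accounting lines use the same keyword form as the authorization default command and that a mode-specific authorization line is compared against the authentication line for the same mode, falling back to the default one.

```python
import re

# Constructed sample configuration (not from the manual). The authentication and
# accounting lines are assumed to use the same keyword form as "authorization default".
SAMPLE = """\
domain isp-a
 authentication default radius-scheme rs1 local
 authorization default radius-scheme rs2 local
 accounting default none
domain isp-b
 authentication default radius-scheme rs1 local
 authorization default radius-scheme rs1 local
 accounting default radius-scheme rs1 local
domain isp-c
 authentication default hwtacacs-scheme tac1
 authorization default hwtacacs-scheme tac1 none
"""

METHOD = re.compile(r"^(authentication|authorization|accounting)\s+(\S+)\s+(.+)$")

def parse(text):
    """Return {domain: {(service, access_mode): [method tokens]}}."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("domain "):
            current = domains.setdefault(line.split()[1], {})
        elif current is not None and (m := METHOD.match(line)):
            current[(m.group(1), m.group(2))] = m.group(3).split()
    return domains

def audit(text):
    """Return sorted (domain, access_mode, finding) tuples for the rules in the notes."""
    findings = []
    for name, cfg in parse(text).items():
        for (service, mode), tokens in cfg.items():
            if service == "authorization" and tokens[0] == "radius-scheme":
                # RADIUS authorization only takes effect with the authentication scheme.
                authn = cfg.get(("authentication", mode)) or cfg.get(("authentication", "default"), [])
                if authn[:2] != tokens[:2]:
                    findings.append((name, mode, "radius-authorization-scheme-differs"))
            if service == "authorization" and len(tokens) > 2 and tokens[-1] == "none":
                # Backup "none": no authorization is performed while the server is unavailable.
                findings.append((name, mode, "authorization-backup-none"))
            if service == "accounting" and tokens[0] == "none":
                findings.append((name, mode, "accounting-disabled"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A domain with no accounting line, such as isp-c in the sample, is not flagged because the ISP domain default is local accounting.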

Before configuring accounting methods, complete these three tasks:

1) For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require any scheme.

2) Determine the access mode or service type to be configured. With AAA, you can configure an accounting method specifically for each access mode and service type, limiting the accounting protocols that can be used for access.

3) Determine whether to configure an accounting method for all access modes or service types.

Follow these steps to configure AAA accounting methods for an ISP domain: