Configuring separate AAA schemes – H3C Technologies H3C S3600 Series Switches User Manual

To do…                                         Use the command…                                              Remarks
-----------------------------------------------------------------------------------------------------------------------------------------
Create an ISP domain and enter its view, or    domain isp-name                                               Required
enter the view of an existing ISP domain
Configure an AAA scheme for the ISP domain     scheme { local | none |                                       Required
                                               radius-scheme radius-scheme-name [ local ] |                  By default, an ISP domain uses
                                               hwtacacs-scheme hwtacacs-scheme-name [ local ] }              the local AAA scheme.

• You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme for all three AAA functions. If you adopt the local scheme, only authentication and authorization are performed; accounting is not available with the local scheme.

• If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme when no RADIUS server is available. That is, while communication between the switch and a RADIUS server is normal, the local scheme is not used; otherwise, the local scheme is used.

• If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme when no TACACS server is available. That is, while communication between the switch and a TACACS server is normal, the local scheme is not used; if the TACACS server is unreachable, or there is a key error or NAS IP error, the local scheme is used.

• If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify a RADIUS scheme or HWTACACS scheme at the same time.

• If you configure none as the primary scheme, FTP users of the domain cannot pass authentication. Therefore, do not specify none as the primary scheme if you want to enable the FTP service.
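An annotated configuration session showing the weak setting beside the corrected one, added here as an example and not taken from the manual. The domain and scheme commands are the ones in the table above; the radius scheme and local-user commands, the prompt names, the address 192.0.2.10 and the bracketed placeholders are assumptions for illustration.

```text
# Weak: no authentication at all for users of this domain (and, per the note above, FTP users cannot log in)
[Switch] domain guest.example
[Switch-isp-guest.example] scheme none
[Switch-isp-guest.example] quit

# Corrected: one RADIUS scheme handles authentication, authorization and accounting;
# the local scheme is consulted only while the RADIUS server is unreachable
# (radius scheme view commands are assumed, not shown on this page)
[Switch] radius scheme corp-radius
[Switch-radius-corp-radius] primary authentication 192.0.2.10 1812
[Switch-radius-corp-radius] primary accounting 192.0.2.10 1813
[Switch-radius-corp-radius] key authentication <shared-secret-placeholder>
[Switch-radius-corp-radius] key accounting <shared-secret-placeholder>
[Switch-radius-corp-radius] quit
[Switch] domain corp.example
[Switch-isp-corp.example] scheme radius-scheme corp-radius local
[Switch-isp-corp.example] quit

# The fallback is only as strong as the local accounts it falls back to: whenever the RADIUS server
# is down, these accounts are the ones that admit users, so keep a single strong, audited account
# (local-user view commands are assumed, not shown on this page)
[Switch] local-user fallback-admin
[Switch-luser-fallback-admin] password cipher <strong-password-placeholder>
[Switch-luser-fallback-admin] service-type ssh level 3
[Switch-luser-fallback-admin] quit
```

Because accounting is not performed by the local scheme, any session admitted during a RADIUS outage leaves no accounting record on the server, so the outage itself should be alerted on.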

Configuring separate AAA schemes

You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) separately. The following lists, for each type of service supported by AAA, the schemes that can be used with this separate configuration.

1) For terminal users

• Authentication: RADIUS, local, HWTACACS or none.

• Authorization: none or HWTACACS.

• Accounting: RADIUS, HWTACACS or none.

You can use any combination of the above schemes in your AAA configuration.

2) For FTP users

Only authentication is supported for FTP users.

Authentication: RADIUS, local, or HWTACACS.
