beautypg.com

Configuration guidelines – H3C Technologies H3C S3600 Series Switches User Manual

Page 521

background image

2-5

Follow these steps to configure separate AAA schemes:

To do…

Use the command…

Remarks

Enter system view

system-view

Create an ISP domain and
enter its view, or enter the view
of an existing ISP domain

domain isp-name

Required

Configure an authentication
scheme for the ISP domain

authentication
{ radius-scheme
radius-scheme-name [ local ] |
hwtacacs-scheme
hwtacacs-scheme-name
[ local ] | local | none }

Optional

By default, no separate
authentication scheme is
configured.

Configure a HWTACACS
authentication scheme for user
level switching

authentication super
hwtacacs-scheme
hwtacacs-scheme-name

Optional

By default, no HWTACACS
authentication scheme is
configured.

Configure an authorization
scheme for the ISP domain

authorization { none |
hwtacacs-scheme
hwtacacs-scheme-name }

Optional

By default, no separate
authorization scheme is
configured.

Configure an accounting
scheme for the ISP domain

accounting { none |
radius-scheme
radius-scheme-name |
hwtacacs-scheme
hwtacacs-scheme-name }

Optional

By default, no separate
accounting scheme is
configured.

z

RADIUS scheme and local scheme do not support the separation of authentication and

authorization. Therefore, pay attention when you make authentication and authorization

configuration for a domain: When the scheme radius-scheme or scheme local command is

executed and the authentication command is not executed, the authorization information returned

from the RADIUS or local scheme still takes effect even if the authorization none command is

executed.

z

The S3600 series switches adopt hierarchical protection for command lines so as to inhibit users at

lower levels from using higher level commands to configure the switches. For details about

configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to

Switching User Level in the Command Line Interface Operation.

Configuration guidelines

Suppose a combined AAA scheme is available. The system selects AAA schemes according to the

following principles:

z

If authentication, authorization, accounting each have a separate scheme, the separate schemes

are used.

z

If you configure only a separate authentication scheme (that is, there are no separate authorization

and accounting schemes configured), the combined scheme is used for authorization and

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: