
H3C Technologies H3C S3100 Series Switches User Manual

- Local authentication (local): Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication features high speed and low cost, but the amount of information that can be stored is limited by the hardware.

- Remote authentication (scheme): The access device cooperates with a RADIUS or HWTACACS server to authenticate users. As for RADIUS, the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like CAMS and iMC to implement user authentication. Remote authentication features centralized information management, high capacity, high reliability, and support for centralized authentication for multiple devices. You can configure local or no authentication as the backup method to be used when the remote server is not available.

The separate method allows you to configure the authentication, authorization, and accounting schemes separately by using the authentication, authorization, and accounting commands respectively.

Before configuring an authentication/authorization/accounting method, do the following:

1) For RADIUS or HWTACACS authentication/authorization/accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require any scheme.

2) Determine the access mode or service type to be configured. With AAA, you can configure an authentication method specifically for each access mode and service type, limiting the authentication protocols that can be used for access.

3) Determine whether to configure an authentication/authorization/accounting method for all access modes or service types.

Table 2-5 Configure separate AAA schemes

| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create an ISP domain and enter its view, or enter the view of an existing ISP domain | domain isp-name | Required |
| Specify the default authentication method for all types of users | authentication { radius-scheme radius-scheme-name [ local ] \| hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none } | Optional. By default, no separate authentication scheme is configured. |
| Specify the authentication method for LAN users | authentication lan-access { local \| none \| radius-scheme radius-scheme-name [ local \| none ] } | Optional. The default authentication method is used by default. |
| Specify the authentication method for login users | authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. The default authentication method is used by default. |
| Configure an HWTACACS authentication scheme for user level switching | authentication super hwtacacs-scheme hwtacacs-scheme-name | Optional. By default, no HWTACACS authentication scheme is configured. |
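
The following Python script is an added example, not part of the H3C manual: it reads domain-view commands written in the Table 2-5 syntax and reports every access type whose effective authentication method includes none, either as the method itself or as the RADIUS backup, applying the rule that lan-access and login users use the default method when no per-type command is present. The sample configuration, the domain names, and the scheme names rad1 and tac1 are constructed for illustration.

```python
# Added example; SAMPLE is constructed, and rad1, tac1 and the domain names are placeholders.
ACCESS_TYPES = ("lan-access", "login")  # per-type commands listed in Table 2-5

SAMPLE = """\
domain corp
 authentication radius-scheme rad1 local
 authentication lan-access radius-scheme rad1 none
 authentication super hwtacacs-scheme tac1
domain guest
 authentication none
 authentication login local
domain lab
 authentication login hwtacacs-scheme tac1 local
"""

def parse_domains(config_text):
    """Return {domain: {'default' | 'lan-access' | 'login': [method tokens]}}."""
    domains, current = {}, None
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "domain":
            current = domains.setdefault(tokens[1], {})
        elif current is not None and len(tokens) > 1 and tokens[0] == "authentication":
            if tokens[1] == "super":
                continue  # user level switching, not an access method
            per_type = tokens[1] in ACCESS_TYPES
            key, method = (tokens[1], tokens[2:]) if per_type else ("default", tokens[1:])
            if method:
                current[key] = method
    return domains

def split_method(tokens):
    """Return (primary, backup); backup is None when no fallback keyword follows the scheme name."""
    remote = tokens[0] in ("radius-scheme", "hwtacacs-scheme")
    return tokens[0], (tokens[2] if remote and len(tokens) > 2 else None)

def audit(config_text):
    """List (domain, access type, primary, backup, source) where access can succeed unauthenticated."""
    findings = []
    for name, methods in parse_domains(config_text).items():
        for access in ACCESS_TYPES:
            source = access if access in methods else "default"
            tokens = methods.get(source)  # None: no separate method set for this type
            if tokens and "none" in split_method(tokens):
                findings.append((name, access, *split_method(tokens), source))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The source field shows whether the finding comes from a per-type command or is inherited from the domain's default method, which is the case that is easy to miss when reading a configuration by eye.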