
H3C Technologies H3C S3100 Series Switches User Manual

Page 421



Operation / Command / Remarks

Operation: Specify the default authorization method for all types of users
Command: authorization { local | none | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
Remarks: Optional. By default, no separate authorization scheme is configured.

Operation: Specify the authorization method for login users
Command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional. The default authorization method is used by default.

Operation: Specify the default accounting method for all types of users
Command: accounting { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
Remarks: Optional. By default, no separate accounting scheme is configured.

Operation: Specify the accounting method for LAN users
Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
Remarks: Optional. The default accounting method is used by default.

Operation: Specify the accounting method for login users
Command: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default accounting method is used by default.

• If a combined AAA scheme is configured as well as separate authentication, authorization and accounting schemes, the separate schemes take precedence.

• If you configure separate AAA schemes, scheme switching for authentication, authorization and accounting happens independently. For example, if the switch falls back to the secondary scheme during authentication, authorization still uses the primary HWTACACS scheme even though the authorization hwtacacs-scheme hwtacacs-scheme-name local command is configured. Authorization switches to its secondary scheme only when the HWTACACS scheme itself is invalid.

• The authentication scheme specified with the authentication command applies to all types of users and has a lower priority than the scheme for a specific access mode (that is, the scheme specified with the authentication lan-access or authentication login command).

• The authorization scheme specified with the authorization command applies to all types of users. Because LAN users do not support authorization, the authorization login command is equivalent to the authorization command.

• If you use the authentication lan-access radius-scheme radius-scheme-name none command, the none scheme is used as the secondary scheme when no RADIUS server is available. That is, while communication between the switch and a RADIUS server is normal, the primary scheme is used; if the RADIUS server is not reachable, no authentication is performed at all. This is a fail-open configuration: a RADIUS outage, whether accidental or induced, admits LAN users without any credential check, so use the none fallback only where that consequence is acceptable.

• The switches apply hierarchical protection to command lines so that users at lower levels cannot use higher-level commands to configure the switches. For details about configuring an HWTACACS authentication scheme for low-to-high user level switching, refer to the section Switching User Level in Command Line Interface Operation.
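The precedence and fallback rules in the notes above, modelled as runnable code. This is an added example, not H3C firmware or configuration: it parses the command syntax from the table, resolves which method is applied for each service and access mode given which servers answer, and flags the fail-open none fallback. The scheme names rad1 and tac1, the sample command lines, the reachability map, the plain attribute used for the combined scheme, and the "denied" outcome for a remote scheme with no fallback keyword are assumptions for illustration.

```python
"""Model of the AAA scheme-selection rules quoted in the notes above (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVICES = ("authentication", "authorization", "accounting")
ACCESS_MODES = ("login", "lan-access")
REMOTE = ("radius-scheme", "hwtacacs-scheme")


@dataclass
class Scheme:
    primary: str                    # local | none | radius-scheme | hwtacacs-scheme
    name: Optional[str] = None      # scheme name after radius-scheme / hwtacacs-scheme
    fallback: Optional[str] = None  # trailing [ local ] or [ local | none ] keyword


@dataclass
class DomainAAA:
    # service -> access mode ("default", "login" or "lan-access") -> Scheme
    schemes: Dict[str, Dict[str, Scheme]] = field(default_factory=dict)
    # Combined AAA scheme (set by a command not on this page); kept as a plain
    # attribute, an assumption, so its lower precedence can be demonstrated.
    combined: Optional[Scheme] = None

    @classmethod
    def from_lines(cls, lines: List[str]) -> "DomainAAA":
        dom = cls()
        for line in lines:
            service, mode, scheme = parse_aaa_line(line)
            dom.schemes.setdefault(service, {})[mode] = scheme
        return dom


def parse_aaa_line(line: str) -> Tuple[str, str, Scheme]:
    """Parse one command, e.g. 'authentication lan-access radius-scheme rad1 none'."""
    tok = line.split()
    if not tok or tok[0] not in SERVICES:
        raise ValueError(f"not an AAA scheme command: {line!r}")
    service, i, mode = tok[0], 1, "default"
    if i < len(tok) and tok[i] in ACCESS_MODES:
        mode, i = tok[i], i + 1
    primary, i = tok[i], i + 1
    name = fallback = None
    if primary in REMOTE:
        name, i = tok[i], i + 1          # scheme name is mandatory after the keyword
    if i < len(tok):
        fallback = tok[i]                # optional secondary method
    return service, mode, Scheme(primary, name, fallback)


def select_scheme(dom: DomainAAA, service: str, mode: str) -> Optional[Scheme]:
    """Precedence: access-mode command > all-users command > combined scheme.
    'authorization login' equals 'authorization'; LAN users get no authorization."""
    table = dom.schemes.get(service, {})
    if service == "authorization":
        if mode == "lan-access":
            return None
        return table.get("login") or table.get("default") or dom.combined
    return table.get(mode) or table.get("default") or dom.combined


def resolve(dom: DomainAAA, service: str, mode: str, reachable: Dict[str, bool]) -> str:
    """Method actually applied, given which servers answer. Each service is
    resolved on its own: a switch during authentication does not move
    authorization or accounting off their primary scheme."""
    scheme = select_scheme(dom, service, mode)
    if scheme is None:
        return "not-supported" if service == "authorization" else "unconfigured"
    if scheme.primary not in REMOTE:
        return scheme.primary
    if reachable.get(scheme.name, False):
        return f"{scheme.primary}:{scheme.name}"
    if scheme.fallback is not None:
        return scheme.fallback           # 'local', or 'none' = no check at all
    # Assumption: no fallback keyword and the server down means the request is
    # refused; the page does not spell this case out.
    return "denied"


def fail_open_findings(dom: DomainAAA) -> List[Tuple[str, str]]:
    """Audit check: authentication entries whose primary or secondary method is
    'none' admit anyone once the remote server stops answering."""
    return sorted(("authentication", mode)
                  for mode, s in dom.schemes.get("authentication", {}).items()
                  if s.primary == "none" or s.fallback == "none")


# Constructed sample configuration using the syntax from the table.
SAMPLE_CONFIG = [
    "authentication radius-scheme rad1 local",
    "authentication lan-access radius-scheme rad1 none",
    "authorization hwtacacs-scheme tac1 local",
    "accounting radius-scheme rad1 local",
    "accounting login hwtacacs-scheme tac1 local",
]

if __name__ == "__main__":
    dom = DomainAAA.from_lines(SAMPLE_CONFIG)
    for servers in ({"rad1": True, "tac1": True}, {"rad1": False, "tac1": True}):
        print("reachable:", servers)
        for service in SERVICES:
            for mode in ACCESS_MODES:
                print(f"  {service:<14} {mode:<10} -> {resolve(dom, service, mode, servers)}")
    print("fail-open:", fail_open_findings(dom))
```

With rad1 down, the model shows the two consequences the notes describe: login users fall back to local while LAN users fall through to none, and authorization stays on tac1 because its own HWTACACS scheme is still valid. fail_open_findings is the check worth running against any domain before relying on RADIUS reachability as an access control.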