
Displaying and maintaining LDAP, Configuring AAA methods for ISP domains, Configuration prerequisites – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 61: Creating an ISP domain


Step 7: Specify the group name attribute for group search.
Command: group-parameters group-name-attribute { name-attribute | cn | uid }
Remarks: Optional. The default setting is cn.

NOTE:

There may be many levels of directories on the LDAP server. A user group search starting from the root directory might take a long time. You can change the start point by specifying the search base DN to improve search efficiency.

Support for the group object class default and member name attribute default depends on the LDAP server manufacturers. IBM and Sun support the default group object class and member name attribute, but Microsoft does not have the defaults for them.

Displaying and maintaining LDAP

Task: Display the configuration of LDAP schemes.
Command: display ldap scheme [ scheme-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Configuring AAA methods for ISP domains

You configure AAA methods for an ISP domain by referencing configured AAA schemes in ISP domain view. Each ISP domain has a set of default AAA methods, which are local authentication, local authorization, and local accounting by default and can be customized. If you do not configure any AAA methods for an ISP domain, the device uses the system default AAA methods for authentication, authorization, and accounting of the users in the domain.

Configuration prerequisites

To use local authentication for users in an ISP domain, configure local user accounts (see "Configuring local user attributes") on the access device.

To use remote authentication, authorization, and accounting, create the required RADIUS, HWTACACS, and LDAP schemes as described in "Configuring RADIUS schemes," "Configuring HWTACACS schemes," and "Configuring LDAP schemes."

Creating an ISP domain

In a networking scenario with multiple ISPs, an access device may connect users of different ISPs, and users of different ISPs may have different user attributes, such as different username and password structures, different service types, and different rights. To distinguish the users of different ISPs, configure ISP domains, and configure different AAA methods and domain attributes for the ISP domains.

On a NAS, each user belongs to an ISP domain. A NAS can accommodate up to 16 ISP domains, including the system predefined ISP domain system. You can specify one of the ISP domains as the system default domain.

The device chooses an authentication domain for each user in the following order:

The authentication domain specified for the access module