H3C Technologies H3C WX3000E Series Wireless Switches User Manual

51

NOTE:
•

The authentication method specified with the authentication default command is for all types of users
and has a priority lower than that for a specific access type.

•

With an authentication method that references a RADIUS scheme, AAA accepts only the authentication
result from the RADIUS server. The Access-Accept message from the RADIUS server does include the

authorization information, but the authentication process ignores the information.

•

If you specify the radius-scheme

radius-scheme-name local, hwtacacs-scheme

hwtacacs-scheme-name local, or ldap-scheme ldap-scheme-name local option when configuring an

authentication method, local authentication is the backup method and is used only when the remote

server is not available.

•

If you specify only the local or none keyword in an authentication method configuration command, the
device has no backup authentication method and performs only local authentication or does not
perform any authentication.

•

If the method for level switching authentication references an HWTACACS scheme, the device uses the
login username of a user for level switching authentication of the user by default. If the method for level

switching authentication references a RADIUS scheme, the system uses the username configured for the
corresponding privilege level on the RADIUS server for level switching authentication, rather than the

login username. A username configured on the RADIUS server is in the format of $enab

level$, where

level specifies the privilege level to which the user wants to switch. For example, if user user1 of domain

aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for authentication when the

domain name is required and uses $enab3$ for authentication when the domain name is not required.

Configuring AAA authorization methods for an ISP domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its

responsibility is to send authorization requests to the specified authorization servers and to send
authorization information to users after successful authorization. Authorization method configuration is

optional in AAA configuration.
AAA supports the following authorization methods:

•

No authorization (none)—The access device performs no authorization exchange. After passing
authentication, non-login users can access the network, FTP users can access the root directory of
the device, and other login users have only the right of Level 0 (visiting).

•

Local authorization (local)—The access device performs authorization according to the user
attributes configured for users.

•

Remote authorization (scheme)—The access device cooperates with a RADIUS, HWTACACS, or
LDAP server to authorize users. RADIUS authorization is bound with RADIUS authentication.

RADIUS authorization can work only after RADIUS authentication is successful, and the

authorization information is carried in the Access-Accept message. HWTACACS/LDAP
authorization is separate from HWTACACS/LDAP authentication, and the authorization

information is carried in the authorization response after successful authentication. You can

configure local authorization or no authorization as the backup method to be used when the remote

server is not available.

Before configuring authorization methods, complete the following tasks:

1.

For HWTACACS or LDAP authorization, configure the HWTACACS or LDAP scheme to be
referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as

the RADIUS authentication scheme. Otherwise, it does not take effect.