
H3C Technologies H3C WX3000E Series Wireless Switches User Manual


NOTE:

The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access type.

If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails. Whenever RADIUS authorization fails, an error message is sent to the NAS, indicating that the server is not responding.

If you specify the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name [ local | none ], or ldap-scheme ldap-scheme-name local option when configuring an authorization method, local authorization or no authorization is the backup method and is used only when the remote server is not available.

If you specify only the local or none keyword in an authorization method configuration command, the device has no backup authorization method and performs only local authorization or does not perform any authorization.
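
The rules in this note can be checked against a saved configuration. The Python script below is an added example, not part of the H3C manual: it resolves the effective method per access type (a specific access type outranks default), then flags domains whose authentication and authorization RADIUS schemes differ and domains where none is the authorization backup. The configuration excerpt is constructed, the domain and scheme names are hypothetical, and the line layout is assumed from the command forms named in the note.

```python
import re

# Constructed excerpt in the style of a saved device configuration.
# Domain and scheme names are hypothetical; the line layout is an assumption.
SAMPLE_CONFIG = """\
domain corp
 authentication default radius-scheme rad1 local
 authorization default radius-scheme rad2 local
 authorization login hwtacacs-scheme tac1 none
domain guest
 authentication default radius-scheme rad1
 authorization default radius-scheme rad1 local
"""

LINE = re.compile(r"^\s+(authentication|authorization)\s+(\S+)\s+(.+)$")

def parse_domains(text):
    """Return {domain: {service: {access_type: [method tokens]}}}."""
    domains, current = {}, None
    for line in text.splitlines():
        if line.startswith("domain "):
            current = domains.setdefault(line.split()[1], {})
        elif current is not None and (m := LINE.match(line)):
            service, access, methods = m.groups()
            current.setdefault(service, {})[access] = methods.split()
    return domains

def effective(by_access, access):
    """A method configured for a specific access type outranks 'default'."""
    return by_access.get(access) or by_access.get("default", [])

def radius_scheme(methods):
    """Name of the RADIUS scheme in a method list, or None."""
    if "radius-scheme" in methods[:-1]:
        return methods[methods.index("radius-scheme") + 1]
    return None

def audit(text):
    """Return (domain, access_type, finding) tuples for the two rules."""
    findings = []
    for name, cfg in parse_domains(text).items():
        authn, authz = cfg.get("authentication", {}), cfg.get("authorization", {})
        for access in sorted(set(authn) | set(authz)):
            a, z = effective(authn, access), effective(authz, access)
            ra, rz = radius_scheme(a), radius_scheme(z)
            if ra and rz and ra != rz:  # schemes must match, per the note
                findings.append((name, access, "radius-scheme-mismatch"))
            if len(z) > 1 and z[-1] == "none":  # no authorization if server is down
                findings.append((name, access, "none-as-backup"))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the mismatched schemes on the corp default methods and the none backup on corp login; the guest domain produces no findings.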

Configuring AAA accounting methods for an ISP domain

In AAA, accounting is a separate process at the same level as authentication and authorization. It sends accounting start/update/end requests to the specified accounting server. Accounting is not required, and therefore accounting method configuration is optional.

AAA supports the following accounting methods:

No accounting (none)—The system does not perform accounting for the users.

Local accounting (local)—Local accounting is implemented on the access device. It is for counting and controlling the number of concurrent users who use the same local user account, and it does not provide statistics for charging. The maximum number of concurrent users using the same local user account is set by the access-limit command in local user view.

Remote accounting (scheme)—The access device cooperates with a RADIUS server or HWTACACS server for accounting of users. You can configure local or no accounting as the backup method to be used when the remote server is not available.

By default, an ISP domain uses the local accounting method.

Before configuring accounting methods, complete the following tasks:

1. For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require any scheme.

2. Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type, limiting the accounting protocols that can be used for access.

3. Determine whether to configure an accounting method for all access types or service types.

To configure AAA accounting methods for an ISP domain:

Step                          Command            Remarks
1. Enter system view.         system-view        N/A
2. Enter ISP domain view.     domain isp-name    N/A