H3C Technologies H3C WX3000E Series Wireless Switches User Manual

NOTE:
• The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access type.
• If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails. Whenever RADIUS authorization fails, an error message is sent to the NAS, indicating that the server is not responding.
• If you specify the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name [ local | none ], or ldap-scheme ldap-scheme-name local option when configuring an authorization method, local authorization or no authorization is the backup method and is used only when the remote server is not available.
• If you specify only the local or none keyword in an authorization method configuration command, the device has no backup authorization method and performs only local authorization or does not perform any authorization.
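Two of the rules in the NOTE above can be checked mechanically against a saved configuration. The following Python script is an added example, not part of the H3C manual: it reports ISP domains whose authorization method references a different RADIUS scheme than the authentication method, and authorization methods whose backup is none. The sample configuration and its names are constructed, and the script assumes that a method set for a specific access type overrides the default for authentication in the same way the NOTE describes for authorization.

```python
import re
# Constructed sample in the style of a saved configuration; domain and scheme
# names (corp, guest, lab, rs1, rs2, rs9, tac1) are hypothetical.
SAMPLE = """\
domain corp
 authentication default radius-scheme rs1 local
 authorization default radius-scheme rs2 local
#
domain guest
 authentication default hwtacacs-scheme tac1 local
 authorization default hwtacacs-scheme tac1 none
#
domain lab
 authentication default radius-scheme rs1 local
 authorization lan-access radius-scheme rs9 local
"""

METHOD = re.compile(r"^(authentication|authorization)\s+(\S+)\s+(.+)$")

def parse_domains(text):
    """Return {domain: {(kind, access_type): [method tokens]}}."""
    domains, current = {}, None
    for raw in text.splitlines():
        if raw[:1] not in (" ", "\t"):  # unindented line: a view starts or ends
            parts = raw.split()
            is_domain = len(parts) == 2 and parts[0] == "domain"
            current = domains.setdefault(parts[1], {}) if is_domain else None
        elif current is not None and (m := METHOD.match(raw.strip())):
            current[(m.group(1), m.group(2))] = m.group(3).split()
    return domains

def effective(methods, kind, access):  # a specific access type wins over default
    return methods.get((kind, access)) or methods.get((kind, "default")) or []

def radius_scheme(tokens):  # name after the radius-scheme keyword, or None
    return tokens[1] if tokens[:1] == ["radius-scheme"] and len(tokens) > 1 else None

def audit(text):
    findings = []
    for name, methods in parse_domains(text).items():
        for access in sorted({a for _, a in methods}):
            authn = radius_scheme(effective(methods, "authentication", access))
            authz_tokens = effective(methods, "authorization", access)
            authz = radius_scheme(authz_tokens)
            if authn and authz and authn != authz:  # schemes must be the same
                findings.append((name, access, "radius-scheme-mismatch"))
            if len(authz_tokens) > 1 and authz_tokens[-1] == "none":  # backup is no authorization
                findings.append((name, access, "backup-none"))
    return findings
```

Calling audit() on the text of a configuration file returns one (domain, access type, finding) tuple per issue; an empty list means neither rule is violated.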
Configuring AAA accounting methods for an ISP domain
In AAA, accounting is a separate process at the same level as authentication and authorization. It sends
accounting start/update/end requests to the specified accounting server. Accounting is not required,
and therefore accounting method configuration is optional.
AAA supports the following accounting methods:
• No accounting (none)—The system does not perform accounting for the users.
• Local accounting (local)—Local accounting is implemented on the access device. It is for counting and controlling the number of concurrent users who use the same local user account, and it does not provide statistics for charging. The maximum number of concurrent users using the same local user account is set by the access-limit command in local user view.
• Remote accounting (scheme)—The access device cooperates with a RADIUS server or HWTACACS server for accounting of users. You can configure local or no accounting as the backup method to be used when the remote server is not available.
By default, an ISP domain uses the local accounting method.
Before configuring accounting methods, complete the following tasks:
1. For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require any scheme.
2. Determine the access type or service type to be configured. With AAA, you can configure an accounting method for each access type and service type, limiting the accounting protocols that can be used for access.
3. Determine whether to configure an accounting method for all access types or service types.
To configure AAA accounting methods for an ISP domain:
Step                         Command            Remarks
1. Enter system view.        system-view        N/A
2. Enter ISP domain view.    domain isp-name    N/A