Configuring AAA authentication methods for an ISP domain – H3C Technologies H3C SecPath F1000-E User Manual
| Step | Command | Remarks |
|---|---|---|
| 6. Enable the self-service server location function and specify the URL of the self-service server. | self-service-url enable url-string | Optional. Disabled by default. |
| 7. Define an IP address pool for allocating addresses to PPP users. | ip pool pool-number low-ip-address [ high-ip-address ] | Optional. By default, no IP address pool is configured for PPP users. |
| 8. Specify the default authorization user profile. | authorization-attribute user-profile profile-name | Optional. By default, an ISP domain has no default authorization user profile. |
NOTE:
• If a user passes authentication but is authorized with no user profile, the firewall authorizes the default user profile of the ISP domain to the user and restricts the user's behavior based on the profile.
• A self-service RADIUS server, such as Comprehensive Access Management System (CAMS) or Intelligent Management Center (IMC), is required for the self-service server location function to work.
Configuring AAA authentication methods for an ISP domain
In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to
the interactive authentication process of username/password/user information during an access or
service request. The authentication process neither sends authorization information to a supplicant nor
triggers any accounting.
AAA supports the following authentication methods:
• No authentication (none)—All users are trusted and no authentication is performed. Generally, do not use this method.
• Local authentication (local)—Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication allows high speed and low cost, but the amount of information that can be stored is limited by the hardware.
• Remote authentication (scheme)—The access device cooperates with a RADIUS or HWTACACS server to authenticate users. Remote authentication provides centralized information management, high capacity, high reliability, and support for centralized authentication service for multiple access devices. You can configure local or no authentication as the backup method, which is used when the remote server is not available. No authentication can only be configured for LAN users as the backup method of remote authentication.
You can configure AAA authentication to work alone without authorization and accounting. By default,
an ISP domain uses the local authentication method.
Before configuring authentication methods, complete the following tasks:
• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require a scheme.
• Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access.
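The following is an added example, not part of the H3C manual: a Python audit over a saved configuration that flags ISP domains whose authentication method is none, or whose remote method falls back to none when the server is unavailable. The `authentication <access-type> ...` line syntax, the `radius-scheme`/`hwtacacs-scheme` keywords, the access-type names and the sample configuration are assumptions; this page names only the methods themselves.

```python
import re

# Constructed sample of Comware-style ISP domain configuration (not from the manual).
SAMPLE_CONFIG = """\
domain branch
 authentication login radius-scheme rs1 local
domain guest
 authentication lan-access radius-scheme rs1 none
domain lab
 authentication default none
domain system
 state active
"""

# Assumed line shape: authentication <access-type> <method> [scheme-name] [backup]
AUTH_RE = re.compile(
    r"^\s+authentication\s+(\S+)\s+"
    r"(none|local|(?:radius|hwtacacs)-scheme\s+\S+)(?:\s+(local|none))?\s*$"
)

def audit_domains(config_text):
    """Return {domain: [(access_type, primary, backup, finding), ...]}."""
    report, domain = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^domain\s+(\S+)\s*$", line)
        if m:
            domain = m.group(1)
            report[domain] = []
            continue
        if line and not line[0].isspace():
            domain = None  # an unindented line means we left the domain view
            continue
        m = AUTH_RE.match(line) if domain else None
        if not m:
            continue
        access, primary, backup = m.group(1), m.group(2).split()[0], m.group(3)
        finding = ("no authentication" if primary == "none" else
                   "fails open when server unreachable" if backup == "none" else "ok")
        report[domain].append((access, primary, backup, finding))
    # A domain with no authentication line uses the default method: local.
    for entries in report.values():
        if not entries:
            entries.append(("default", "local", None, "ok"))
    return report

if __name__ == "__main__":
    for name, entries in audit_domains(SAMPLE_CONFIG).items():
        for entry in entries:
            print(name, *entry)
```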