H3C Technologies H3C SecPath F1000-E User Manual

212

Step Command

Remarks

8.

Specify the
authentication method

for SSL VPN users.

authentication ssl-vpn radius-scheme
radius-scheme-name

Optional.
The default authentication

method is used by default.

9.

Specify the
authentication method

for privilege level
switching.

authentication super { hwtacacs-scheme
hwtacacs-scheme-name | radius-scheme
radius-scheme-name }

Optional.
The default authentication
method is used by default.

Configuring AAA authorization methods for an ISP domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its
responsibility is to send authorization requests to the specified authorization servers and to send

authorization information to users after successful authorization. Authorization method configuration is

optional in AAA configuration.
AAA supports the following authorization methods:

•

No authorization (none)—The access device performs no authorization exchange. After passing

authentication, non-login users can access the network, FTP users can access the root directory of
the access device, and other login users have only the right of Level 0 (visiting).

•

Local authorization (local)—The access device performs authorization according to the user
attributes configured for users.

•

Remote authorization (scheme)—The access device cooperates with a RADIUS or HWTACACS
server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS

authorization can work only after RADIUS authentication is successful, and the authorization

information is carried in the Access-Accept message. HWTACACS authorization is separate from
HWTACACS authentication, and the authorization information is carried in the authorization

response after successful authentication. You can configure local authorization or no authorization

as the backup method, which is used when the remote server is not available.

Before configuring authorization methods, complete the following tasks:

1.

For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For
RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS

authentication scheme. Otherwise, it does not take effect.

2.

Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type, limiting the authorization protocols

that can be used for access.

3.

Determine whether to configure an authorization method for all access types or service types.

Follow these guidelines when you configure AAA authorization methods for an ISP domain:

•

The authorization method specified with the authorization default command is for all types of users

and has a priority lower than that for a specific access type.

•

If you configure an authentication method and an authorization method that use RADIUS schemes
for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication.

If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS

authentication also fails. Whenever RADIUS authorization fails, an error message is sent to the NAS,

indicating that the server is not responding.