Configuration prerequisites, Configuration guidelines, Configuration procedure – H3C Technologies H3C SecBlade LB Cards User Manual


By default, an ISP domain uses the local authentication method.

Configuration prerequisites

Before configuring authentication methods, complete the following tasks:

For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be
referenced first. Local and none authentication methods do not require a scheme.

Determine the access type or service type to be configured. With AAA, you can configure an
authentication method for each access type and service type to limit the authentication protocols
that users can use for access.

Determine whether to configure the default authentication method for all access types or service
types.

Configuration guidelines

When configuring authentication methods, follow these guidelines:

If you configure an authentication method that references a RADIUS scheme and an authorization
method that does not reference a RADIUS scheme, AAA accepts only the authentication result from
the RADIUS server. The Access-Accept message from the RADIUS server also carries the
authorization information, but the device ignores the information.

You can configure a default authentication method for an ISP domain. The default method will be
used for all users who support the authentication method and have no specific authentication
method configured.

You can configure local authentication (local) or no authentication (none) as the backup for remote
authentication that is used when the remote authentication server is unavailable.

Local authentication (local) and no authentication (none) cannot have a backup method.

If the method for level switching authentication references an HWTACACS scheme, by default the
device uses the login username of the user for level switching authentication. If the method for level
switching authentication references a RADIUS scheme, the system uses the username configured for
the corresponding privilege level on the RADIUS server for level switching authentication, rather
than the login username. A username configured on the RADIUS server is in the format $enablevel$,
where level specifies the privilege level that the user wants to enter. For example, if user user1 of
domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa$ for
authentication when the domain name is required and uses $enab3$ for authentication when the
domain name is not required.

Configuration procedure

To configure authentication methods for an ISP domain:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter ISP domain view.
  Command: domain isp-name
  Remarks: N/A

Step 3. Specify the default authentication method for all types of users.
  Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
  Remarks: Optional. The default authentication method is local for all types of users.
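The following Python check is an added example, not part of the H3C manual: it reads a saved configuration and reports, for each ISP domain, what its default authentication method implies under the prerequisites and guidelines above. The sample configuration is constructed, audit_domains is a hypothetical helper name, and the top-level "radius scheme" / "hwtacacs scheme" definition lines and the indented saved-configuration layout are assumptions.

```python
import re

# Constructed sample in saved-configuration layout (not from the manual).
# Assumption: schemes are defined by top-level "radius scheme <name>" or
# "hwtacacs scheme <name>" lines, and commands inside a view are indented.
SAMPLE_CONFIG = """\
radius scheme rs1
domain corp
 authentication default radius-scheme rs1 local
domain guest
 authentication default none
domain lab
 authentication default hwtacacs-scheme hw9
domain legacy
"""

# Mirrors the command syntax: local and none take no backup method.
METHOD_RE = re.compile(r"authentication default (?:(local|none)"
                       r"|(radius|hwtacacs)-scheme (\S+)( local)?)")


def audit_domains(config_text):
    """Map each ISP domain to findings about its default authentication."""
    schemes, domains, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():        # a top-level line closes the view
            current = None
            if m := re.fullmatch(r"(radius|hwtacacs) scheme (\S+)", line):
                schemes.add(m.groups())
            elif m := re.fullmatch(r"domain (\S+)", line):
                current = m.group(1)
                domains[current] = None  # nothing configured: default local
        elif current and (m := METHOD_RE.fullmatch(line)):
            domains[current] = m.groups()
    report = {}
    for name, method in domains.items():
        findings = []
        if method and method[0] == "none":
            findings.append("no authentication")
        elif method and method[0] is None:
            _, kind, scheme, backup = method
            if (kind, scheme) not in schemes:
                findings.append(f"{kind} scheme '{scheme}' is not defined")
            if not backup:
                findings.append("no local backup if the server is unavailable")
        report[name] = findings
    return report
```

On the constructed sample, audit_domains(SAMPLE_CONFIG) reports domain guest as unauthenticated and domain lab as referencing an undefined scheme with no local backup; corp and legacy produce no findings.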
