R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
NOTE:
• The authentication method specified with the authentication default command is for all types of users
and has a priority lower than that for a specific access mode.
• With an authentication method that references a RADIUS scheme, AAA accepts only the authentication
result from the RADIUS server. The Access-Accept message from the RADIUS server does include the
authorization information, but the authentication process ignores the information.
• With the radius-scheme radius-scheme-name local keyword and argument combination configured,
local authentication is the backup method and is used only when the remote server is not available.
• If the primary authentication method is local or none, the system performs local authentication or does
not perform any authentication, and will not use any RADIUS authentication scheme.
• If the method for level switching authentication references a RADIUS scheme, the system uses the
username configured for the corresponding privilege level on the RADIUS server for level switching
authentication, rather than the original username, namely the login username or the username entered
by the user. A username configured on the RADIUS server is in the format of $enablevel, where level
specifies the privilege level to which the user wants to switch. For example, if user user1 of domain aaa
wants to switch the privilege level to 3, the system uses $enab3@aaa for authentication when the
domain name is required and uses $enab3 for authentication when the domain name is not required.
Configuring AAA authorization methods for an ISP domain
In AAA, authorization is a separate process at the same level as authentication and accounting. Its
responsibility is to send authorization requests to the specified authorization servers and to send
authorization information to users after successful authorization. Authorization method configuration is
optional in AAA configuration.
AAA supports the following authorization methods:
• No authorization (none): The LB module performs no authorization exchange. Every user is trusted
and has the corresponding default rights of the system.
• Local authorization (local): The LB module performs authorization according to the user attributes
configured for users.
• Remote authorization (scheme): The LB module cooperates with a RADIUS server to authorize users.
RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only
after RADIUS authentication is successful, and the authorization information is carried in the
Access-Accept message. You can configure local authorization or no authorization as the backup
method to be used when the remote server is not available.
By default, an ISP domain uses the local authorization method. If the no authorization method (none) is
configured, users are not authorized, and an authenticated user has the default right. The default right
for EXEC users is visit (the lowest one); EXEC users are users who connect to the LB module through the
console, AUX, or asynchronous serial port, or through Telnet or SSH, and each such connection is called
an EXEC user. The default right for FTP users is to use the root directory of the LB module.
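The following Python model is an added example, not code from the HP guide or the LB module: it encodes the method-list behaviour described above (local as a backup that is consulted only when the RADIUS server is unavailable, not when it rejects; the $enablevel username for level switching; RADIUS authorization effective only with the authenticating scheme; default rights under none). The RADIUS schemes, user names and passwords are constructed sample data.

```python
# Added example (not HP code): Python model of the AAA method semantics above.
# RADIUS servers and the local user database are constructed in memory.
from dataclasses import dataclass

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"

@dataclass
class RadiusScheme:
    """Stand-in for a RADIUS scheme; `users` is constructed sample data."""
    name: str
    reachable: bool
    users: dict

    def authenticate(self, user, password):
        if not self.reachable:  # no answer from the server (timeout)
            return UNAVAILABLE
        return ACCEPT if self.users.get(user) == password else REJECT

def level_switch_username(domain, level, domain_required):
    """Username sent for RADIUS level-switching authentication: $enab<level>,
    with @domain appended only when the domain name is required."""
    base = f"$enab{level}"
    return f"{base}@{domain}" if domain_required else base

def authenticate(methods, user, password, local_users, schemes):
    """methods is the configured list, e.g. ["radius-scheme", "rs1", "local"],
    ["local"] or ["none"]. With a RADIUS primary, "local" is a backup only: it is
    used when the server is unavailable, never when it returns Access-Reject."""
    primary = methods[0]
    if primary == "none":
        return ACCEPT
    if primary == "local":
        return ACCEPT if local_users.get(user) == password else REJECT
    result = schemes[methods[1]].authenticate(user, password)
    if result == UNAVAILABLE and "local" in methods[2:]:
        return ACCEPT if local_users.get(user) == password else REJECT
    return result

def radius_authorization_effective(auth_scheme, authz_scheme):
    """RADIUS authorization takes effect only when it references the scheme that
    performed authentication (the attributes ride in Access-Accept)."""
    return auth_scheme is not None and auth_scheme == authz_scheme

def default_right(user_type):
    """Right an authenticated user gets when the authorization method is none."""
    return {"exec": "visit", "ftp": "root directory"}[user_type]
```

The second `authenticate` call in the checks is the case worth noting: a local password never lets a user in while the RADIUS server is reachable and has rejected them.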
Before configuring authorization methods, complete these three tasks:
1. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS
authentication scheme; otherwise, it does not take effect.
2. Determine the access mode or service type to be configured. With AAA, you can configure an
authorization scheme specifically for each access mode and service type, limiting the
authorization protocols that can be used for access.