R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
3. Determine whether to configure an authorization method for all access modes or service types.
Follow these steps to configure AAA authorization methods for an ISP domain:
To do…                                Use the command…                              Remarks

Enter system view                     system-view                                   —

Enter ISP domain view                 domain isp-name                               —

Specify the default authorization     authorization default { local | none |        Optional
method for all types of users         radius-scheme radius-scheme-name [ local ] }  local by default

Specify the command authorization     authorization command { local | none }        Optional
method                                                                              The default authorization method is used by default.

Specify the authorization method for  authorization login { local | none |          Optional
login users                           radius-scheme radius-scheme-name [ local ] }  The default authorization method is used by default.

NOTE:
• The authorization method specified with the authorization default command is for all types of users and
has a priority lower than that for a specific access mode.
• RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the
same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error
message returned to the LB module says that the server is not responding.
• With the radius-scheme radius-scheme-name local keyword and argument combination configured,
local authorization or no authorization is the backup method and is used only when the remote server is
not available.
• If the primary authorization method is local or none, the system performs local authorization or does not
perform any authorization; it will never use the RADIUS authorization scheme.
• The authorization information of the RADIUS server is sent to the RADIUS client along with the
authentication response message; therefore, you cannot specify a separate RADIUS authorization
server. If you use RADIUS for authorization and authentication, you must use the same scheme setting
for authorization and authentication; otherwise, the system will prompt you with an error message.
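
The rules in the notes above (a method set for a specific access mode overrides authorization default, and RADIUS authorization takes effect only with the same scheme as RADIUS authentication) can be checked offline against a saved configuration. The following Python audit is an added example, not part of the HP guide; the configuration text is constructed, and the authentication lines and their local default are assumptions that mirror the authorization syntax shown above.

```python
import re

# Constructed sample configuration (not from the guide). The "authentication"
# lines are an assumption: they mirror the authorization syntax shown above.
SAMPLE = """\
domain corp
 authentication default radius-scheme rad1 local
 authorization default radius-scheme rad1 local
 authorization login radius-scheme rad2
domain lab
 authentication login radius-scheme rad1
 authorization default none
domain branch
 authentication default radius-scheme rad1
"""

LINE = re.compile(r"^(authentication|authorization)\s+(default|login)\s+(.+)$")

def parse(text):
    """Return {domain: {(kind, mode): [method tokens]}} from domain blocks."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("domain "):
            current = domains.setdefault(line.split()[1], {})
        elif current is not None and (m := LINE.match(line)):
            current[(m[1], m[2])] = m[3].split()
    return domains

def effective(cfg, kind):
    """Login-specific method wins over the default; unset means local
    (stated for authorization in the guide, assumed for authentication)."""
    return cfg.get((kind, "login")) or cfg.get((kind, "default")) or ["local"]

def audit_login(text):
    """Flag domains whose effective login authorization is absent or inert."""
    findings = []
    for name, cfg in parse(text).items():
        authz = effective(cfg, "authorization")
        authn = effective(cfg, "authentication")
        if authz[0] == "none":
            findings.append((name, "login users are not authorized at all"))
        elif authz[0] == "radius-scheme" and authn[:2] != authz[:2]:
            findings.append((name, "RADIUS authorization scheme %s does not "
                             "match the authentication method" % authz[1]))
    return findings

if __name__ == "__main__":
    for domain, issue in audit_login(SAMPLE):
        print(f"{domain}: {issue}")
```
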
Configuring AAA accounting methods for an ISP domain
In AAA, accounting is a separate process at the same level as authentication and authorization. Its
responsibility is to send accounting start/update/end requests to the specified accounting server.
Accounting is not required, and therefore accounting method configuration is optional.
AAA supports the following accounting methods:
• No accounting (none): The system does not perform accounting for the users.
• Local accounting (local): Local accounting is implemented on the LB module. It collects
statistics on the number of users and controls the number of local user connections; it does not
provide statistics for charging users.
• Remote accounting (scheme): The LB module cooperates with a RADIUS server for accounting of
users. You can configure local or no accounting as the backup method to be used when the remote
server is not available.