R21xx-HP FlexFabric 11900 Security Configuration Guide
41
Configuring authorization methods for an ISP domain
Configuration prerequisites
Before configuring authorization methods, complete the following tasks:
1. For HWTACACS authorization, configure the HWTACACS scheme to be referenced.
2. Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type.
3. Determine whether to configure the default authorization method for all access types or service
types. The default authorization method applies to all access users, but has a lower priority than
the specific authorization method configured for an access type or service type.
Configuration guidelines
When configuring authorization methods, follow these guidelines:
• The device supports HWTACACS authorization but not LDAP authorization.
• To configure RADIUS authorization, also configure RADIUS authentication, and reference the same
RADIUS scheme for RADIUS authentication and authorization. If the RADIUS authorization
configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails. If
RADIUS authorization fails, the server sends an error message to the NAS, indicating that the server
itself is not responding.
Configuration procedure
To configure authorization methods for an ISP domain:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter ISP domain view.
domain isp-name N/A
3. Specify the default
authorization method for
all types of users.
authorization default { hwtacacs-scheme
hwtacacs-scheme-name [ radius-scheme
radius-scheme-name ] [ local ] [ none ] |
local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the authorization
method is local.
The none keyword is not
supported in FIPS mode.
4. Specify the command
authorization method.
authorization command { hwtacacs-scheme
hwtacacs-scheme-name [ local [ none ] |
local [ none ] | none }
By default, the default
authorization method is used
for command authorization.
The none keyword is not
supported in FIPS mode.
5. Specify the authorization
method for login users.
authorization login { hwtacacs-scheme
hwtacacs-scheme-name [ radius-scheme
radius-scheme-name ] [ local ] [ none ] |
local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
By default, the default
authorization method is used
for login users.
The none keyword is not
supported in FIPS mode.