R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR6602-G Router

Configuration guidelines

When configuring authorization methods, follow these guidelines:

• To configure RADIUS authorization, you must also configure RADIUS authentication, and reference

the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS

authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also

fails. If RADIUS authorization fails, the server sends an error message to the NAS, indicating that

the server itself is not responding.

• You can configure a default authorization method for an ISP domain. This method will be used for

all users who support the authentication method and have no specific authorization method

configured.

• You can configure local authorization (local) or no authorization (none) as the backup for remote

authorization that is used when the remote authorization server is unavailable.

• Local authorization (local) and no authorization (none) cannot have a backup method.

Configuration procedure

To configure authorization methods for an ISP domain:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter ISP domain view.

domain isp-name N/A

3. Specify the default

authorization method for

all types of users.

authorization default { hwtacacs-scheme

hwtacacs-scheme-name [ local ] | local |

none | radius-scheme radius-scheme-name

[ local ] }

Optional.

The default authorization

method is local for all types of

users.

4. Specify the command

authorization method.

authorization command { hwtacacs-scheme

hwtacacs-scheme-name [ local | none ] |

local | none }

Optional.

The default authorization

method is used by default.

5. Specify the authorization

method for DVPN users.

authorization dvpn { local | none |

radius-scheme radius-scheme-name

[ local ] }

Optional.

The default authorization

method is used by default.

6. Specify the authorization

method for LAN users.

authorization lan-access { local | none |

radius-scheme radius-scheme-name [ local |

none ] }

Optional.

The default authorization

method is used by default.

This command is supported

only on SAP interface

modules that are operating in

Layer 2 mode.

7. Specify the authorization

method for login users.

authorization login { hwtacacs-scheme

hwtacacs-scheme-name [ local ] | local |

none | radius-scheme radius-scheme-name

[ local ] }

Optional.

The default authorization

method is used by default.

8. Specify the authorization

method for portal users.

authorization portal { local | none |

radius-scheme radius-scheme-name

[ local ] }

Optional.

The default authorization

method is used by default.