R2511-HP MSR Router Series Security Configuration Guide(V5)
51
2. Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type to limit the authorization protocols that
can be used for access.
3. Determine whether to configure an authorization method for all access types or service types.
Configuration guidelines
When configuring authorization methods, follow these guidelines:
• To configure RADIUS authorization, you must also configure RADIUS authentication, and reference
the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS
authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also
fails. If RADIUS authorization fails, the server sends an error message to the NAS, indicating that
the server itself is not responding.
• You can configure a default authorization method for an ISP domain. This method will be used for
all users who support the authentication method and have no specific authorization method
configured.
• You can configure local authorization (local) or no authorization (none) as the backup for remote
authorization that is used when the remote authorization server is unavailable.
• Local authorization (local) and no authorization (none) cannot have a backup method.
Configuration procedure
To configure authorization methods for an ISP domain:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter ISP domain view.
domain isp-name N/A
3. Specify the default
authorization method for
all types of users.
• In non-FIPS mode:
authorization default
{ hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local |
none | radius-scheme
radius-scheme-name [ local ] }
• In FIPS mode:
authorization default
{ hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local |
radius-scheme radius-scheme-name
[ local ] }
Optional.
The default authorization
method is local for all types of
users.
4. Specify the command
authorization method.
• In non-FIPS mode:
authorization command
{ hwtacacs-scheme
hwtacacs-scheme-name [ local | none ]
| local | none }
• In FIPS mode:
authorization command
{ hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local }
Optional.
The default authorization
method is used by default.