3Com Switch 4200G Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 8116fl Redundant Switch Fabric Module

181

182

183

184

185

186

187

188

189

190

176 CHAPTER 23: AAA&RADIUS CONFIGURATION

■ If you execute the scheme local command, the local scheme is adopted as the

primary scheme. In this case, only local authentication is performed, no RADIUS

authentication is performed.

■ If you execute the scheme none command, no authentication is performed.

Configuring separate AAA schemes

You can use the authentication, authorization, and accounting commands to

specify a scheme for each of the three AAA functions (authentication, authorization

and accounting) respectively. The following gives the implementations of this separate

way for the services supported by AAA.

■ For terminal users

Authentication: RADIUS, local, RADIUS-local or none.

Authorization: none.

Accounting: RADIUS or none.

You can configure combined authentication, authorization and accounting schemes

by using the above implementations.

■ For FTP users

■ Only authentication is supported for FTP users.

■ Authentication: RADIUS, local, or RADIUS-local.

Perform the following configuration in ISP domain view.

■ If a bound AAA scheme is configured as well as the separate authentication,

authorization and accounting schemes, the separate ones will be adopted in

precedence.

■ RADIUS scheme and local scheme do not support the separation of authentication

and authorization. Therefore, pay attention when you make authentication and

authorization configuration for a domain: if the scheme radius-scheme or

scheme local command is executed, the authorization none command is

executed, while the authentication command is not executed, the authorization

information returned from the RADIUS or local scheme still takes effect.

Table 138 Configure separate AAA schemes

Operation Command Description

Enter system view system-view —

Create an ISP domain or enter

the view of an existing ISP

domain

domain isp-name Required

Configure an authentication

scheme for the ISP domain

authentication { radius-scheme

radius-scheme-name [ local ] | local |

none }

Optional

By default, no separate

authentication scheme

is configured.

Allow users in current ISP

domain to access the network

services without being

authorized

authorization none Optional

By default, no separate

authorization scheme is

configured.

Configure an accounting

scheme for the ISP domain

accounting { none | radius-scheme

radius-scheme-name }

Optional

By default, no separate

accounting scheme is

configured.