H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – AAA RADIUS HWTACACS
Chapter 1 AAA/RADIUS/HWTACACS Configuration
1-17
1.3.5 Configuring an AAA Authorization Scheme for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and
accounting. Its responsibility is to send authorization requests to the specified
authorization server and to deliver the returned authorization information to the users
that are authorized. Authorization scheme configuration is optional in AAA configuration.
If you do not perform any authorization configuration, the system-default domain uses
the local authorization scheme. With the authorization scheme of none, users are not
required to be authorized; an authenticated user then has the default right. For EXEC
users, the default right is the visiting level (the lowest one). An EXEC user is a user who
connects to the device through the console port, the AUX port, Telnet, or SSH; each
such connection is counted as one EXEC user. The default right for FTP users is access
to the root directory of the device.
Before configuring an authorization scheme, complete these three tasks:
1) For HWTACACS authorization, first configure the HWTACACS scheme that will be
referenced. For RADIUS authorization, the RADIUS authorization scheme must be
the same as the RADIUS authentication scheme; otherwise, the RADIUS
authorization configuration does not take effect.
2) Determine the access mode or service type to be configured. With AAA, you can
configure an authorization scheme specifically for each access mode and service
type, limiting the authorization protocols that can be used for that kind of access.
3) Determine whether to configure an authorization scheme for all access modes or
service types.
Follow these steps to configure an AAA authorization scheme for an ISP domain:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create an ISP domain and enter ISP domain view | domain isp-name | Required |
| Specify the default authorization scheme for all types of users | authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none \| radius-scheme radius-scheme-name [ local ] } | Optional. local by default. |
| Specify the authorization scheme for command line users | authorization command hwtacacs-scheme hwtacacs-scheme-name | Optional. The default authorization scheme is used by default. |
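The following added example is not part of the H3C manual; it is a small lint script that walks a Comware-style configuration containing the commands from the table above and reports the conditions this section warns about: a RADIUS authorization scheme that differs from the RADIUS authentication scheme (and therefore silently does not take effect), an HWTACACS scheme that is referenced before it is configured, a domain that falls back to local authorization because nothing was configured, and a domain whose users get only default rights because the scheme is none. The domain names (corp, ok, guest) and scheme names (rad1, rad2, tac1, tac9) are constructed; the `hwtacacs scheme` and `authentication default` commands belong to other sections of the manual and their exact syntax is assumed here.

```python
"""Lint an ISP-domain authorization configuration against the rules in this section.
Added example (not H3C code); the configuration text below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed configuration. Domain "corp" contains the two mistakes the
# section warns about, "ok" is a correct HWTACACS configuration, and
# "guest" has no authorization configuration at all.
SAMPLE_CONFIG = """\
system-view
hwtacacs scheme tac1
quit
domain corp
 authentication default radius-scheme rad1 local
 authorization default radius-scheme rad2 local
 authorization command hwtacacs-scheme tac9
quit
domain ok
 authorization default hwtacacs-scheme tac1 local
 authorization command hwtacacs-scheme tac1
quit
domain guest
quit
"""

SCHEME_RE = re.compile(r"^(hwtacacs|radius)-scheme\s+(\S+)")


@dataclass
class DomainAAA:
    name: str
    authentication: Optional[Tuple[str, str]] = None        # (kind, scheme name)
    authorization_default: Optional[Tuple[str, str]] = None  # kind is hwtacacs|radius|local|none
    authorization_command: Optional[str] = None             # HWTACACS scheme name


def parse_scheme(args: str) -> Tuple[str, str]:
    """Turn 'radius-scheme rad1 local' into ('radius', 'rad1'); 'local'/'none' carry no name."""
    m = SCHEME_RE.match(args)
    if m:
        return m.group(1), m.group(2)
    return args.split()[0], ""


def parse_config(text: str) -> Tuple[Set[str], Dict[str, DomainAAA]]:
    """Collect configured HWTACACS scheme names and the AAA settings of each ISP domain."""
    hwtacacs: Set[str] = set()
    domains: Dict[str, DomainAAA] = {}
    current: Optional[DomainAAA] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("hwtacacs scheme "):
            hwtacacs.add(line.split()[2])
            current = None
        elif line.startswith("domain "):
            name = line.split()[1]
            current = domains.setdefault(name, DomainAAA(name))
        elif line == "quit":
            current = None
        elif current is not None and line.startswith("authentication default "):
            current.authentication = parse_scheme(line[len("authentication default "):])
        elif current is not None and line.startswith("authorization default "):
            current.authorization_default = parse_scheme(line[len("authorization default "):])
        elif current is not None and line.startswith("authorization command hwtacacs-scheme "):
            current.authorization_command = line.split()[3]
    return hwtacacs, domains


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (domain, message) findings for the conditions described in this section."""
    hwtacacs, domains = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for d in domains.values():
        if d.authorization_default is None:
            findings.append((d.name, "INFO: no authorization scheme configured; local authorization applies"))
        else:
            kind, scheme = d.authorization_default
            if kind == "none":
                findings.append((d.name, "WARN: scheme none; authenticated users get default rights "
                                         "(EXEC: visiting level, FTP: device root directory)"))
            elif kind == "radius":
                auth = d.authentication
                # Rule from task 1: RADIUS authorization must use the RADIUS authentication scheme.
                if auth is None or auth != ("radius", scheme):
                    findings.append((d.name, f"ERROR: RADIUS authorization scheme '{scheme}' differs from "
                                             "the RADIUS authentication scheme; it does not take effect"))
            elif kind == "hwtacacs" and scheme not in hwtacacs:
                findings.append((d.name, f"ERROR: HWTACACS scheme '{scheme}' referenced but not configured"))
        if d.authorization_command and d.authorization_command not in hwtacacs:
            findings.append((d.name, f"ERROR: command authorization references unconfigured "
                                     f"HWTACACS scheme '{d.authorization_command}'"))
    return findings


if __name__ == "__main__":
    for domain, message in lint(SAMPLE_CONFIG):
        print(f"domain {domain}: {message}")
```

Running the script prints two errors for domain corp and one informational line for guest; domain ok produces nothing, which is the configuration sequence the table describes when the HWTACACS scheme exists before it is referenced.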