H3C S7500E Series Ethernet Switches Operation Manual

Operation Manual – AAA RADIUS HWTACACS
Chapter 1 AAA/RADIUS/HWTACACS Configuration
To do…                          Use the command…                                Remarks

Specify the authorization       authorization lan-access { local | none |       Optional
scheme for LAN access users     radius-scheme radius-scheme-name [ local ] }    The default authorization
                                                                                scheme is used by default.

Specify the authorization       authorization login { hwtacacs-scheme           Optional
scheme for login users          hwtacacs-scheme-name [ local ] | local | none   The default authorization
                                | radius-scheme radius-scheme-name [ local ] }  scheme is used by default.

Specify the authorization       authorization portal { none | radius-scheme     Optional
scheme for Portal access users  radius-scheme-name }                            The default authorization
                                                                                scheme is used by default.
Note:
• The authorization scheme specified with the authorization default command applies to all types of users and has a lower priority than a scheme specified for a specific access mode.
• RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.
• With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or HWTACACS server is not available.
• If the primary authentication scheme is local or none, the system performs local authorization or does not perform any authorization, rather than using the RADIUS or HWTACACS scheme.
• Authorization information of the RADIUS server is sent to the RADIUS client along with the authorization response message; therefore, you cannot specify a separate RADIUS server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message.
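The scheme-matching rules in the notes above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the H3C manual: it resolves the effective scheme per access mode (a mode-specific scheme overrides the default one) and reports the two conditions the notes describe. It assumes the authentication command accepts the same access modes and scheme keywords as the authorization command in the table; the sample configuration, the domain name corp and the scheme names rs1 and rs2 are constructed.

```python
MODES = ("lan-access", "login", "portal")

# Constructed sample configuration; domain and scheme names are made up.
SAMPLE = """\
domain corp
 authentication default radius-scheme rs1 local
 authorization default radius-scheme rs1 local
 authentication login radius-scheme rs1
 authorization login radius-scheme rs2 local
 authentication portal none
 authorization portal radius-scheme rs1
"""

def parse(text):
    """Return {domain: {"authentication": {mode: scheme}, "authorization": {...}}}."""
    domains, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 2 and tok[0] == "domain":
            cur = domains.setdefault(tok[1], {"authentication": {}, "authorization": {}})
        elif cur is not None and len(tok) >= 3 and tok[0] in cur:
            # A scheme is (method, name): ("radius-scheme", "rs1"), ("local", None), ...
            method = tok[2]
            name = tok[3] if method.endswith("-scheme") and len(tok) > 3 else None
            cur[tok[0]][tok[1]] = (method, name)
    return domains

def audit(text):
    """Return (domain, access mode, finding) tuples for the conditions in the notes."""
    findings = []
    for dom, cfg in parse(text).items():
        for mode in MODES:
            # A mode-specific scheme has priority over the one set with "default".
            authn = cfg["authentication"].get(mode, cfg["authentication"].get("default"))
            authz = cfg["authorization"].get(mode, cfg["authorization"].get("default"))
            if authn is None or authz is None:
                continue  # nothing configured explicitly; not evaluated here
            if authn[0] in ("local", "none") and authz[0].endswith("-scheme"):
                findings.append((dom, mode, "remote authorization not used: primary authentication is " + authn[0]))
            elif authz[0] == "radius-scheme" and authn != authz:
                findings.append((dom, mode, "RADIUS authorization scheme differs from authentication scheme"))
    return findings
```

Calling audit(SAMPLE) reports the login mode (rs2 used for authorization, rs1 for authentication) and the portal mode (authentication none with a RADIUS authorization scheme), while lan-access inherits matching default schemes and passes.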
1.3.6 Configuring an AAA Accounting Scheme for an ISP Domain
In AAA, accounting is a separate process at the same level as authentication and
authorization. Its responsibility is to send accounting start/update/end requests to the