3Com Switch 8800 Advanced Software V5 Configuration Guide

892 CHAPTER 70: AAA, RADIUS AND HWTACACS CONFIGURATION
HWTACACS server is available, local authentication is not used. Otherwise,
local authentication is used.
If the primary authentication scheme is local or none, the system performs
local authentication or no authentication at all, rather than using the
RADIUS or HWTACACS scheme.
Configuring an AAA Authorization Scheme for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and
accounting. It sends authorization requests to the specified authorization server
and delivers the resulting authorization information to the users that are
authorized. Authorization is not mandatory; configuring an authorization scheme is
optional in AAA configuration.
If you do not perform any authorization configuration, the system default domain
uses the local authorization scheme. With the authorization scheme of none, users
are not required to be authorized; in that case an authenticated user has only the
default right. The default right is visiting (the lowest one) for EXEC users such
as Telnet or SSH users. The default right for FTP users is access to the root
directory of the device.
To configure an authorization scheme, follow the steps below:
1 For HWTACACS authorization, configure the HWTACACS scheme to be
referenced first. For RADIUS authorization, the RADIUS authorization scheme must
be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2 Determine the access mode or service type to be configured. With AAA, you can
configure an authorization scheme specifically for each access mode and service
type, limiting the authorization protocols that can be used for that kind of access.
3 Determine whether to configure an authorization scheme for all access modes or
service types.
Follow these steps to configure an AAA authorization scheme for an ISP domain:

To do...                                           Use the command...                                                                        Remarks
Enter system view                                  system-view                                                                               -
Create an ISP domain or enter ISP domain view      domain isp-name                                                                           Required
Specify the authorization scheme for all types     authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none |   Optional
of users                                           radius-scheme radius-scheme-name [ local ] }                                              local by default
Specify the authorization scheme for command       authorization command hwtacacs-scheme hwtacacs-scheme-name                                Optional
line users
Specify the authorization scheme for LAN access    authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }   Optional
users
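The following configuration session is an added example, not taken from the 3Com guide, that applies the steps above to one ISP domain. It assumes an HWTACACS scheme named tac1 and a RADIUS scheme named rad1 (constructed names) were created beforehand, and it uses the authentication lan-access command, which belongs to the same chapter but is not shown in this excerpt.

```text
# Added example (not from the guide). tac1 and rad1 are assumed, pre-created schemes.
system-view
 domain corp
  # All user types: authorize through the HWTACACS server tac1.
  # The trailing "local" keyword falls back to local authorization only when
  # no HWTACACS server is available; without it, an unreachable server means
  # users are not authorized at all.
  authorization default hwtacacs-scheme tac1 local
  # Command line users: per-command authorization is HWTACACS only.
  authorization command hwtacacs-scheme tac1
  # LAN access users: RADIUS authorization takes effect only if the scheme is
  # the same one used for RADIUS authentication, so both reference rad1.
  # (authentication lan-access is assumed from the same chapter, not this excerpt.)
  authentication lan-access radius-scheme rad1
  authorization lan-access radius-scheme rad1 local
  quit
```

Leaving authorization default at its local default, or setting it to none, would give every authenticated user only the default right (visiting level for Telnet/SSH, root directory for FTP) with no per-user rights from the server.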