3Com Switch 8800 Advanced Software V5 Configuration Guide

Configuring AAA
Note:

The authorization scheme specified with the authorization default command applies to all types of users and has a lower priority than a scheme configured for a specific access mode.

RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or HWTACACS server is not available.

If the primary authentication scheme is local or none, the system performs local authorization or does not perform any authorization, rather than using the RADIUS or HWTACACS scheme.

Authorization information of the RADIUS server is sent to the RADIUS client along with the authorization response message; therefore, you cannot specify a separate RADIUS server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message.
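The following checker is an added example, not part of the 3Com guide. It applies two rules from the notes above to a saved ISP-domain configuration: a scheme for a specific access mode outranks the default one, and RADIUS authorization takes effect only when authentication uses the same RADIUS scheme. The form of the authentication command, the finding labels, and the names example-isp, rd1 and rd2 are assumptions of this example.

```python
import re

# Command form taken from the syntax table on this page; the matching
# "authentication" command form is an assumption of this example.
LINE = re.compile(
    r"^\s*(authentication|authorization)\s+(default|login|ppp)\s+"
    r"(?:(radius-scheme|hwtacacs-scheme)\s+(\S+)(\s+local)?|(local|none))\s*$"
)

def parse_domain(lines):
    """Map (service, access_mode) -> (method, scheme_name, has_local_backup)."""
    cfg = {}
    for line in lines:
        m = LINE.match(line)
        if m:
            service, mode, method, name, backup, simple = m.groups()
            cfg[(service, mode)] = (method or simple, name, bool(backup))
    return cfg

def effective(cfg, service, mode):
    """A scheme set for a specific access mode outranks the default one."""
    return cfg.get((service, mode)) or cfg.get((service, "default"))

def audit(lines, modes=("login", "ppp")):
    """Return (mode, finding) pairs where RADIUS authorization cannot take effect."""
    cfg, findings = parse_domain(lines), []
    for mode in modes:
        authn = effective(cfg, "authentication", mode)
        authz = effective(cfg, "authorization", mode)
        if not authz or authz[0] != "radius-scheme":
            continue  # the constraint only concerns RADIUS authorization
        if not authn:
            findings.append((mode, "authn-unknown"))
        elif authn[0] != "radius-scheme":
            findings.append((mode, "authn-not-radius"))
        elif authn[1] != authz[1]:
            findings.append((mode, "scheme-mismatch"))
    return findings

# Constructed sample; domain and scheme names (example-isp, rd1, rd2) are made up.
SAMPLE = """\
domain example-isp
 authentication default radius-scheme rd1 local
 authorization default radius-scheme rd1 local
 authentication login radius-scheme rd2
 authentication ppp local
"""

if __name__ == "__main__":
    for mode, finding in audit(SAMPLE.splitlines()):
        print(f"{mode}: {finding}")
```

In the sample, the default pair is consistent, but the login and ppp overrides on the authentication side leave the inherited RADIUS authorization without a matching RADIUS authentication scheme.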
Configuring an AAA Accounting Scheme for an ISP Domain
In AAA, accounting is a separate process at the same level as authentication and
authorization. Its responsibility is to send accounting start/update/end requests to
the specified accounting server. Accounting is not required, and therefore
accounting scheme configuration is optional. If you do not perform any
accounting configuration, the system-default domain uses the local accounting
scheme.
To configure an authorization scheme, follow the steps below:
1 For RADIUS or HWTACACS accounting, configure the RADIUS or HWTACACS
scheme to be referenced first. The local and none authentication modes do not
require any scheme.
2 Determine the access mode or service type to be configured. With AAA, you can
configure an accounting scheme specifically for each access mode and service
type, limiting the accounting protocols that can be used for access.
3 Determine whether to configure an accounting scheme for all access modes or
service types.
To do...: Specify the authorization scheme for login users
Use the command...: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional

To do...: Specify the authorization scheme for PPP users
Use the command...: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional