response after successful authentication. You can configure local authorization or no authorization 
as the backup method in case the remote server is not available. 
By default, an ISP domain uses the local authorization method. If the no authorization method (none) 
is configured, users are not required to be authorized, and an authenticated user has the 
default right. For EXEC users, the default right is visiting (the lowest one). EXEC users are users who 
connect to the device through the console port, the AUX port, Telnet, or SSH; each connection of 
these types is called an EXEC user. For FTP users, the default right is to use the root 
directory of the device.
Before configuring authorization methods, complete these three tasks: 
1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For 
RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS 
authentication scheme; otherwise, it does not take effect. 
2) Determine the access mode or service type to be configured. With AAA, you can configure an 
authorization scheme specifically for each access mode and service type, limiting the 
authorization protocols that can be used for access. 
3) Determine whether to configure an authorization method for all access modes or service types. 
Follow these steps to configure AAA authorization methods for an ISP domain: 
To do…  Use the command…  Remarks 
Enter system view  system-view  — 
Create an ISP domain and enter ISP domain view  domain isp-name  Required 
Specify the default authorization method for all types of users  authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }  Optional. local by default. 
Specify the command authorization method  authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }  Optional. The default authorization method is used by default. 
Specify the authorization method for LAN users  authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }  Optional. The default authorization method is used by default. 
Specify the authorization method for login users  authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }  Optional. The default authorization method is used by default.
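
The following audit script is an added example, not part of the original manual. It resolves the authorization method each access type actually ends up with under the defaults in the table above (local when nothing is set, and the default method for any type not configured) and flags the none method and missing backups. The domain name, scheme names, and sample lines are constructed, and the script assumes the saved configuration lists these commands in the same form as they are entered.

```python
import re

# Access types that fall back to "authorization default" when not configured.
TYPES = ("command", "lan-access", "login")
LINE = re.compile(r"^\s*authorization\s+(default|command|lan-access|login)\s+(\S.*?)\s*$")

# Constructed sample: domain name and scheme names are hypothetical.
SAMPLE = """\
domain example
 authorization default radius-scheme rs1 local
 authorization command hwtacacs-scheme hw1 none
 authorization login none
"""

def parse_methods(args):
    """Split the text after the access type into (primary, backup)."""
    tok = args.split()
    if tok[0] in ("hwtacacs-scheme", "radius-scheme"):
        if len(tok) < 2:
            return None  # scheme keyword without a scheme name: ignore the line
        return f"{tok[0]} {tok[1]}", (tok[2] if len(tok) > 2 else None)
    return tok[0], None

def effective_authorization(lines):
    """Resolve the method each access type actually uses."""
    configured = {}
    for line in lines:
        m = LINE.match(line)
        parsed = parse_methods(m.group(2)) if m else None
        if parsed:
            configured[m.group(1)] = parsed
    default = configured.get("default", ("local", None))  # local by default
    return {"default": default, **{t: configured.get(t, default) for t in TYPES}}

def findings(effective):
    """Flag access types where authorization is skipped or has no backup."""
    out = []
    for kind, (primary, backup) in effective.items():
        if primary == "none":
            out.append((kind, "no authorization; users get the default right"))
        elif backup == "none":
            out.append((kind, "drops to no authorization if the server is unavailable"))
        elif primary != "local" and backup is None:
            out.append((kind, "no backup method if the remote server is unavailable"))
    return out

if __name__ == "__main__":
    for kind, note in findings(effective_authorization(SAMPLE.splitlines())):
        print(f"{kind}: {note}")
```

In the sample, lan-access is not configured, so it inherits the default method and is not flagged; command and login are flagged.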