760 CHAPTER 53: AAA/RADIUS/HWTACACS CONFIGURATION
■ The authentication scheme specified with the authentication default command applies to all types of users and has a lower priority than a scheme configured for a specific access mode.
■ With a RADIUS authentication scheme configured, AAA accepts only the authentication result from the RADIUS server. The response from the RADIUS server does include authorization information when authentication succeeds, but the authentication process ignores that information.
■ With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or HWTACACS server is not available.
■ If the primary authentication scheme is local or none, the system performs local authentication or does not perform any authentication, rather than using the RADIUS or HWTACACS scheme.
Configuring an AAA Authorization Scheme for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and accounting. It sends authorization requests to the specified authorization server and delivers the authorization information to the users that are authorized. Authorization scheme configuration is optional in AAA configuration.
If you do not perform any authorization configuration, the system-default domain uses the local authorization scheme. With the authorization scheme of none, users are not required to be authorized; an authenticated user then has the default right. For EXEC users (users who connect to the device through the console port, the AUX port, Telnet, or SSH; each such connection is called an EXEC user) the default right is visiting, the lowest level. The default right for FTP users is to use the root directory of the device.
To do… / Use the command… / Remarks

To do…: Specify the default authentication scheme for all types of users
Use the command…: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. local by default.

To do…: Specify the authentication scheme for LAN access users
Use the command…: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default authentication scheme is used by default.

To do…: Specify the authentication scheme for login users
Use the command…: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default authentication scheme is used by default.
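The commands above applied to one ISP domain, as an added configuration example that is not part of the manual. It assumes a RADIUS scheme named rad1 and an ISP domain named corp were created earlier in the chapter (the domain and radius scheme commands, and the [Switch-isp-corp] prompt, are assumed from the rest of the chapter, not from this page); lines beginning with # are explanatory comments, not commands.

```text
<Switch> system-view
[Switch] domain corp
# Lowest-priority scheme: applies to every user type that has no scheme
# of its own. Local authentication here.
[Switch-isp-corp] authentication default local
# Login users (console, AUX, Telnet, SSH) get their own scheme, which
# takes priority over the default: RADIUS first, local as backup.
# The local backup is used only when the RADIUS server is unreachable;
# a rejection returned by the RADIUS server is final and does not fall
# back to local.
[Switch-isp-corp] authentication login radius-scheme rad1 local
# LAN access users keep the default scheme (local), because no
# "authentication lan-access" command is configured in this domain.
#
# Setting to avoid for login users: "none" skips authentication
# entirely, so anyone who connects receives the default visiting right.
# [Switch-isp-corp] authentication login none
[Switch-isp-corp] quit
```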