Configuring AAA 761
Before configuring an authorization scheme, complete these three tasks:
1 For HWTACACS authorization, configure the HWTACACS scheme to be
referenced first. For RADIUS authorization, the RADIUS authorization scheme must
be same as the RADIUS authentication scheme; otherwise, it does not take effect.
2 Determine the access mode or service type to be configured. With AAA, you can
configure an authorization scheme specifically for each access mode and service
type, limiting the authorization protocols that can be used for access.
3 Determine whether to configure an authorization scheme for all access modes or
service types.
Follow these steps to configure an AAA authorization scheme for an ISP domain:
n
■ The authorization scheme specified with the authorization default command
is for all types of users and has a priority lower than that for a specific access
mode.
■ RADIUS authorization is special in that it takes effect only when the RADIUS
authorization scheme is the same as the RADIUS authentication scheme. In
addition, if a RADIUS authorization fails, the error message returned to the
NAS says that the server is not responding.
■ With the radius-scheme radius-scheme-name local or hwtacacs-scheme
hwtacacs-scheme-name local keyword and argument combination configured,
the local scheme is the backup scheme and is used only when the RADIUS
server or TACACS server is not available.
To do… Use the command… Remarks
Enter system view system-view -
Create an ISP domain and
enter ISP domain view
domain isp-name Required
Specify the default
authorization scheme for all
types of users
authorization default
{ hwtacacs-scheme
hwtacacs-scheme-name
[ local ] | local | none |
radius-scheme
radius-scheme-name
[ local ]}
Optional
local by default
Specify the authorization
scheme for command line
users
authorization command
hwtacacs-scheme
hwtacacs-scheme-name
Optional
The default authorization
scheme is used by default.
Specify the authorization
scheme for LAN access users
authorization lan-access
{ local | none |
radius-scheme
radius-scheme-name
[ local ]}
Optional
The default authorization
scheme is used by default.
Specify the authorization
scheme for login users
authorization login
{ hwtacacs-scheme
hwtacacs-scheme-name
[ local ] | local | none |
radius-scheme
radius-scheme-name
[ local ]}
Optional
The default authorization
scheme is used by default.
To Next Page
Loading...
