H3C S5100-SI

Authentication: RADIUS, local, or HWTACACS.
Follow these steps to configure separate AAA schemes:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create an ISP domain and enter its view, or enter the view of an existing ISP domain | domain isp-name | Required |
| Configure an authentication scheme for the ISP domain | authentication { radius-scheme radius-scheme-name [ local ] \| hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none } | Optional. By default, no separate authentication scheme is configured. |
| Configure an authorization scheme for the ISP domain | authorization { none \| hwtacacs-scheme hwtacacs-scheme-name } | Optional. By default, no separate authorization scheme is configured. |
| Configure an accounting scheme for the ISP domain | accounting { none \| radius-scheme radius-scheme-name \| hwtacacs-scheme hwtacacs-scheme-name } | Optional. By default, no separate accounting scheme is configured. |
The RADIUS scheme and the local scheme do not support the separation of authentication and authorization.
Therefore, take care when you configure authentication and authorization for a domain:
if the scheme radius-scheme or scheme local command has been executed and the authentication
command has not, the authorization information returned from the RADIUS or local scheme still
takes effect even if the authorization none command is executed.
Configuration guidelines
Suppose a combined AAA scheme is available. The system selects AAA schemes according to the
following principles:
- If authentication, authorization, and accounting each have a separate scheme, the separate schemes
  are used.
- If you configure only a separate authentication scheme (that is, there are no separate authorization
  and accounting schemes configured), the combined scheme is used for authorization and
  accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never
  uses the secondary scheme for authorization and accounting.
- If you configure no separate scheme, the combined scheme is used for authentication,
  authorization, and accounting. In this case, if the system uses the secondary local scheme for
  authentication, it also does so for authorization and accounting; if the system uses the first scheme
  for authentication, it also does so for authorization and accounting, even if authorization and
  accounting fail.
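
The selection rules above, together with the note on authorization none, as an added Python example (not H3C code): it resolves which scheme a domain's configuration lines put into effect for each AAA function and flags an authorization none line that will not take effect. The domain and scheme names are constructed, the "scheme ... [ local ]" line form for the combined scheme is an assumption, and runtime fallback to the secondary scheme is not modeled.

```python
# Added example: a simplified model of the scheme-selection rules above.
# The domain name and scheme names in SAMPLE are constructed.
SAMPLE = """\
domain example
 scheme radius-scheme rad1 local
 authorization none
"""

FUNCS = ("authentication", "authorization", "accounting")
SERVER = (["radius-scheme"], ["hwtacacs-scheme"])

def parse_domain(text):
    """Map each scheme/authentication/authorization/accounting line to its arguments."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if words and words[0] in ("scheme",) + FUNCS:
            cfg[words[0]] = words[1:]
    return cfg

def effective(cfg):
    """Return ({function: (source, arguments)}, warnings)."""
    combined = cfg.get("scheme", [])
    only_authn = [f for f in FUNCS if f in cfg] == ["authentication"]
    result, warnings = {}, []
    for func in FUNCS:
        if func in cfg:                      # a separate scheme always wins
            result[func] = ("separate", cfg[func])
        elif only_authn and combined[:1] in SERVER:
            # the secondary scheme is never used for authorization/accounting
            result[func] = ("combined", combined[:2])
        else:
            result[func] = ("combined", list(combined))
    # RADIUS and local schemes cannot split authentication from authorization.
    if (cfg.get("authorization") == ["none"] and "authentication" not in cfg
            and combined[:1] in (["radius-scheme"], ["local"])):
        result["authorization"] = ("combined", list(combined))
        warnings.append("authorization none is ignored: authorization data "
                        "from the combined scheme still takes effect")
    return result, warnings

if __name__ == "__main__":
    schemes, notes = effective(parse_domain(SAMPLE))
    for func in FUNCS:
        print(func, *schemes[func])
    print(*notes, sep="\n")
```

For the constructed sample, the authorization entry resolves to the combined RADIUS scheme and one warning is returned, which is the case to look for when reviewing a domain that is expected to grant no authorization attributes.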
