2. Determine the access mode or service type to be configured. With AAA, you can configure an
authorization scheme for each access mode and service type, limiting the authorization protocols
that can be used for access.
3. Determine whether to configure an authorization method for all access modes or service types.
Follow these steps to configure AAA authorization methods for an ISP domain:
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter ISP domain view
Use the command: domain isp-name
Remarks: —

To do: Specify the default authorization method for all types of users
Use the command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. local by default.

To do: Specify the command authorization method
Use the command: authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
Remarks: Optional. The default authorization method is used by default.

To do: Specify the authorization method for LAN users
Use the command: authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
Remarks: Optional. The default authorization method is used by default.

To do: Specify the authorization method for login users
Use the command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default authorization method is used by default.

To do: Specify the authorization method for portal users
Use the command: authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default authorization method is used by default.
NOTE:
• The authorization method specified with the authorization default command applies to all types of users and has a lower priority than the method configured for a specific access mode.
• RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.
• With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name [ local | none ] keyword and argument combination configured, local authorization or no authorization is the backup method and is used only when the remote server is not available.
• If you specify only the local or none keyword in an authorization method configuration command, the device has no backup authorization method and performs only local authorization or does not perform any authorization.
• The authorization information of the RADIUS server is sent to the RADIUS client along with the authentication response message; you cannot specify a separate RADIUS authorization server. If you use RADIUS for authorization and authentication, you must use the same scheme setting for authorization and authentication; otherwise, the system will prompt you with an error message.
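The following Python model is an added example, not code from the configuration guide or from the device: it encodes the command syntax from the table and the selection rules from the NOTE (a per-access-mode method overrides authorization default, which is local by default; a trailing local or none keyword is a backup used only when the remote server is unavailable; a RADIUS authorization scheme must match the RADIUS authentication scheme). The scheme names rad1 and tac1 and the domain name corp.example are constructed, and treating a mismatched RADIUS scheme as a rejected command is an assumption, since the guide says only that an error message is shown.

```python
# Added example (not from the configuration guide): a model of how a Comware
# ISP domain selects an AAA authorization method under the table and NOTE
# above. Names such as rad1, tac1 and corp.example are constructed; rejecting a
# RADIUS command whose scheme differs from the authentication scheme is an
# assumption (the guide says only that an error message is shown).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Remote scheme types and backup keywords each command accepts, from the table.
ALLOWED_REMOTE = {
    "default": {"radius-scheme": ("local",), "hwtacacs-scheme": ("local",)},
    "command": {"hwtacacs-scheme": ("local", "none")},
    "lan-access": {"radius-scheme": ("local", "none")},
    "login": {"radius-scheme": ("local",), "hwtacacs-scheme": ("local",)},
    "portal": {"radius-scheme": ("local",)},
}

@dataclass
class AuthzMethod:
    primary: str                  # local, none, radius-scheme or hwtacacs-scheme
    scheme: Optional[str] = None  # scheme name when primary is a remote method
    backup: Optional[str] = None  # local or none; None means no backup method

@dataclass
class IspDomain:
    name: str
    radius_authentication_scheme: Optional[str] = None
    default: AuthzMethod = field(default_factory=lambda: AuthzMethod("local"))  # local by default
    per_type: Dict[str, AuthzMethod] = field(default_factory=dict)

def parse_authorization_command(line: str) -> Tuple[str, AuthzMethod]:
    """Turn 'authorization <type> ...' into (access type, method); ValueError if not in the table."""
    words = line.split()
    if len(words) < 3 or words[0] != "authorization" or words[1] not in ALLOWED_REMOTE:
        raise ValueError(f"unrecognized authorization command: {line!r}")
    access_type, rest = words[1], words[2:]
    if rest[0] in ("local", "none"):
        if len(rest) != 1:
            raise ValueError(f"{rest[0]} takes no further keywords: {line!r}")
        return access_type, AuthzMethod(rest[0])        # local/none only: no backup
    backups = ALLOWED_REMOTE[access_type].get(rest[0])
    if backups is None or len(rest) not in (2, 3):
        raise ValueError(f"{rest[0]} is not valid for authorization {access_type}")
    backup = rest[2] if len(rest) == 3 else None
    if backup is not None and backup not in backups:
        raise ValueError(f"backup keyword {backup!r} not allowed for authorization {access_type}")
    return access_type, AuthzMethod(rest[0], rest[1], backup)

def check_command(domain: IspDomain, line: str) -> Optional[str]:
    """None if the device would accept the command in this domain, else the error text."""
    try:
        _, method = parse_authorization_command(line)
    except ValueError as exc:
        return str(exc)
    if method.primary == "radius-scheme" and method.scheme != domain.radius_authentication_scheme:
        return f"RADIUS authorization scheme {method.scheme} differs from the authentication scheme"
    return None

def apply_command(domain: IspDomain, line: str) -> None:
    """Apply an accepted command in ISP domain view; a specific type overrides the default."""
    error = check_command(domain, line)
    if error:
        raise ValueError(error)
    access_type, method = parse_authorization_command(line)
    if access_type == "default":
        domain.default = method
    else:
        domain.per_type[access_type] = method

def effective_method(domain: IspDomain, access_type: str) -> AuthzMethod:
    """Per-type method if configured, otherwise the domain default (the NOTE's priority rule)."""
    return domain.per_type.get(access_type, domain.default)

def authorize(domain: IspDomain, access_type: str, server_reachable: bool, server_granted: bool) -> str:
    """Outcome of one authorization request under the effective method."""
    method = effective_method(domain, access_type)
    if method.primary in ("local", "none"):
        return method.primary                       # no remote step at all
    if server_reachable:
        # The backup applies only when the server is unavailable, so a denial
        # from a reachable server is final (our reading of the NOTE).
        return "remote-granted" if server_granted else "remote-denied"
    return "failed-no-backup" if method.backup is None else "backup-" + method.backup

def demo() -> Dict[str, str]:
    """Configure a constructed domain and show what each access type gets."""
    dom = IspDomain("corp.example", radius_authentication_scheme="rad1")
    for cmd in ("authorization default local",
                "authorization login hwtacacs-scheme tac1 local",
                "authorization command hwtacacs-scheme tac1",
                "authorization lan-access radius-scheme rad1 none"):
        apply_command(dom, cmd)
    return {
        "portal, no specific method": authorize(dom, "portal", True, True),
        "login, TACACS+ server down": authorize(dom, "login", False, False),
        "login, TACACS+ server denies": authorize(dom, "login", True, False),
        "command, TACACS+ down, no backup": authorize(dom, "command", False, False),
        "lan-access, RADIUS server down": authorize(dom, "lan-access", False, False),
    }
```

Running demo() shows the points the NOTE makes: portal users get the domain default because no portal-specific method is set, login users fall back to local only when the HWTACACS server is unreachable (a denial from a reachable server stays a denial), command authorization with no backup keyword fails outright when the server is down, and check_command() rejects syntax the table does not list (for example hwtacacs-scheme under authorization portal, or a none backup under authorization default) as well as a RADIUS authorization scheme that differs from the domain's RADIUS authentication scheme.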