• If a RADIUS scheme is used for authentication but not for authorization, AAA accepts only the
authentication result from the RADIUS server. The Access-Accept message from the RADIUS
server also includes the authorization information, but the device ignores the information.
• If an HWTACACS scheme is specified, the device uses the entered username for role
authentication. If a RADIUS scheme is specified, the device uses the username $enabn$ on
the RADIUS server for role authentication. The variable n represents a user role level. For more
information about user role authentication, see Fundamentals Configuration Guide.
Configuration procedure
To configure authentication methods for an ISP domain:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A

3. Specify the default authentication method for all types of users.
   Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
   Remarks: By default, the default authentication method is local. The none keyword is not supported in FIPS mode.

4. Specify the authentication method for LAN users.
   Command: authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
   Remarks: By default, the default authentication method is used for LAN users. The none keyword is not supported in FIPS mode.

5. Specify the authentication method for login users.
   Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
   Remarks: By default, the default authentication method is used for login users. The none keyword is not supported in FIPS mode.

6. Specify the authentication method for portal users.
   Command: authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
   Remarks: By default, the default authentication method is used for portal users. The none keyword is not supported in FIPS mode.

7. Specify the authentication method for obtaining a temporary user role.
   Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
   Remarks: By default, the default authentication method is used for obtaining a temporary user role.
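The following session is an added worked example, not taken from this guide: it walks the procedure above for one ISP domain, using RADIUS for login and LAN users with a local fallback, and HWTACACS for temporary user role authentication. The domain name corp, the scheme names rad1 and tac1, and the Sysname prompt are assumptions; the RADIUS and HWTACACS schemes are assumed to have been created beforehand.

```text
# Added example configuration (assumed names: domain corp, schemes rad1 and tac1).
<Sysname> system-view
[Sysname] domain corp
# Login users: try RADIUS scheme rad1 first; fall back to local accounts only if the
# server does not respond. No "none" keyword, so a failure never falls open.
[Sysname-isp-corp] authentication login radius-scheme rad1 local
# LAN users: RADIUS only. Loss of the server means LAN access fails closed.
[Sysname-isp-corp] authentication lan-access radius-scheme rad1
# Temporary user roles: HWTACACS scheme tac1, which authenticates the entered username.
[Sysname-isp-corp] authentication super hwtacacs-scheme tac1
[Sysname-isp-corp] quit
# Check the resulting method settings for the domain.
[Sysname] display domain corp
```

The order in which methods are listed is the order the device tries them, so placing local after the scheme keeps administrative access possible when the server is unreachable while still preferring the server when it is up. The none keyword is left out deliberately: it removes authentication entirely if reached, and the remarks above note it is unavailable in FIPS mode anyway. If radius-scheme were used for authentication super instead, the RADIUS server would need the $enabn$ accounts (n being the user role level) described earlier in this section, because the device does not send the entered username in that case.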
Configuring authorization methods for an ISP domain
Configuration prerequisites
Before configuring authorization methods, complete the following tasks:
1. Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type.