Usage guidelines
The default authorization method is used for all users who support this method and do not have a specific
authorization method are configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
You can specify one authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup authorization
methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local
none command specifies the default RADIUS authorization method and two backup authorization
methods, local authorization and no authorization. The device performs RADIUS authorization by default,
performs local authorization when the RADIUS server is invalid, and does not perform authorization
when both of the previous methods are invalid.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS scheme rd for user
authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
•
hwtacacs scheme
local-user
•
radius scheme
•
authorization login
Use authorization login to configure the authorization method for login users.
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]
[ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]
[ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ]
[ local ] }
undo authorization login
Default
The default authorization method of the ISP domain is used for login users.
11