Configuring an AAA Authorization Scheme for an ISP Domain - 3Com MSR 50 Series Configuration Manual

3Com MSR 30-16: Software Guide

Chapter 93: AAA/RADIUS/HWTACACS Configuration

Note:
- The authentication scheme specified with the authentication default
  command applies to all types of users and has a lower priority than a scheme
  configured for a specific access mode.
- With a RADIUS authentication scheme configured, AAA accepts only the
  authentication result from the RADIUS server. The response from the RADIUS
  server does include the authorization information when the authentication is
  successful, but the authentication process ignores the information.
- With the radius-scheme radius-scheme-name local or hwtacacs-scheme
  hwtacacs-scheme-name local keyword and argument combination configured,
  the local scheme is the backup scheme and is used only when the RADIUS
  server or TACACS server is not available.
- If the primary authentication scheme is local or none, the system performs
  local authentication or does not perform any authentication, rather than using
  the RADIUS or HWTACACS scheme.

Configuring an AAA Authorization Scheme for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and
accounting. Its responsibility is to send authorization requests to the specified
authorization server and to send authorization information to authorized users.
Authorization scheme configuration is optional in AAA configuration.
If you do not perform any authorization configuration, the system-default domain
uses the local authorization scheme. With the authorization scheme of none,
users are not required to be authorized, in which case an authenticated user has
the default right. The default right for EXEC users is visiting (the lowest one).
EXEC users are users who connect to the device through the console, AUX, or
asynchronous serial ports, or through Telnet or SSH; each connection of these
types is called an EXEC user. The default right for FTP users is to use the root
directory of the device.
Before configuring an authorization scheme, complete these three tasks:
1 For HWTACACS authorization, configure the HWTACACS scheme to be
referenced first. For RADIUS authorization, the RADIUS authorization scheme must
be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2 Determine the access mode or service type to be configured. With AAA, you can
configure an authorization scheme specifically for each access mode and service
type, limiting the authorization protocols that can be used for access.
3 Determine whether to configure an authorization scheme for all access modes or
service types.
Follow these steps to configure an AAA authorization scheme for an ISP domain:
To do...                                        | Use the command... | Remarks
Enter system view                               | system-view        | -
Create an ISP domain and enter ISP domain view  | domain isp-name    | Required
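
The rules above (authorization none, the local backup keyword, and the requirement that the RADIUS authorization scheme match the RADIUS authentication scheme) can be checked against a saved configuration. The following audit script is an added example, not part of the 3Com manual. It assumes Comware-style `authorization default ...` and `authorization login ...` lines, which this page does not show; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample, not from a real device; 'authorization ...' line syntax is assumed.
SAMPLE = """\
domain isp-a
 authentication default radius-scheme rad1 local
 authorization default radius-scheme rad1 local
domain isp-b
 authentication default radius-scheme rad1
 authorization default radius-scheme rad2
domain isp-c
 authentication login hwtacacs-scheme tac1 local
 authorization login none
domain isp-d
 authentication default local
"""

LINE = re.compile(r"^\s+(authentication|authorization)\s+(\S+)\s+(.+)$")

def parse_domains(text):
    """Return {domain: {"authentication": {mode: [words]}, "authorization": {...}}}."""
    domains, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("domain "):
            current = domains.setdefault(raw.split()[1],
                                         {"authentication": {}, "authorization": {}})
        elif current is not None and (m := LINE.match(raw)):
            current[m.group(1)][m.group(2)] = m.group(3).split()
    return domains

def audit(text):
    """Return sorted (domain, mode, finding) tuples for the rules on this page."""
    findings = []
    for name, cfg in parse_domains(text).items():
        if not cfg["authorization"]:
            findings.append((name, "-", "no authorization scheme configured"))
        for mode, scheme in cfg["authorization"].items():
            if scheme[0] == "none":
                findings.append((name, mode, "authorization none: default right only"))
            if scheme[-1] == "local" and len(scheme) > 1:
                findings.append((name, mode, "local backup used if server unavailable"))
            if scheme[0] == "radius-scheme":
                # A mode-specific authentication line outranks 'authentication default'.
                authn = cfg["authentication"].get(mode) or cfg["authentication"].get("default", [])
                if authn[:2] != scheme[:2]:
                    findings.append((name, mode, "RADIUS authz scheme differs from authn: no effect"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample, isp-b is flagged for the scheme mismatch, isp-c for authorization none, and isp-d for having no authorization line at all.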
