H3C S5600 SERIES Operation Manual page 527


Authentication: RADIUS, local, or HWTACACS.
Follow these steps to configure separate AAA schemes:
Step 1
  To do: Enter system view
  Use the command: system-view

Step 2
  To do: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
  Use the command: domain isp-name
  Remarks: Required

Step 3
  To do: Configure an authentication scheme for the ISP domain
  Use the command: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
  Remarks: Optional. By default, no separate authentication scheme is configured.

Step 4
  To do: Configure a HWTACACS authentication scheme for user level switching
  Use the command: authentication super hwtacacs-scheme hwtacacs-scheme-name
  Remarks: Optional. By default, no HWTACACS authentication scheme is configured.

Step 5
  To do: Configure an authorization scheme for the ISP domain
  Use the command: authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
  Remarks: Optional. By default, no separate authorization scheme is configured.

Step 6
  To do: Configure an accounting scheme for the ISP domain
  Use the command: accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
  Remarks: Optional. By default, no separate accounting scheme is configured.

The RADIUS scheme and the local scheme do not support the separation of authentication and
authorization. Therefore, take care when you configure authentication and authorization
for a domain: when the scheme radius-scheme or scheme local command is executed and the
authentication command is not executed, the authorization information returned from the
RADIUS or local scheme still takes effect even if the authorization none command is
executed.

The S5600 series switches adopt hierarchical protection for command lines to prevent users at
lower levels from using higher level commands to configure the switches. For details about
configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to
Switching User Level in the Command Line Interface Operation.

Configuration guidelines
Suppose a combined AAA scheme is available. The system selects AAA schemes according to the
following principles:
If authentication, authorization, and accounting each have a separate scheme, the separate schemes
are used.
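The note above on the RADIUS and local schemes describes a setting that looks restrictive but is not, and it can be checked mechanically. The following Python audit is an added example, not part of the H3C manual; it flags ISP domains in which authorization none does not take effect. The indented saved-configuration layout, the domain and scheme names, and the decision not to count authentication super as the separate authentication command are assumptions.

```python
import re

# Constructed sample in the style of a saved configuration; the layout and
# the domain and scheme names are assumptions, not taken from the manual.
SAMPLE_CONFIG = """\
domain branch
 scheme radius-scheme rad1
 authorization none
#
domain hq
 scheme radius-scheme rad1
 authentication radius-scheme rad1 local
 authorization hwtacacs-scheme tac1
 accounting radius-scheme rad1
#
domain lab
 scheme local
 authentication super hwtacacs-scheme tac1
 authorization none
#
"""

def parse_domains(text):
    """Return {domain name: [command lines]} for each 'domain' block."""
    domains, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("domain "):
            current = domains.setdefault(raw.split()[1], [])
        elif raw.startswith(" ") and current is not None and raw.strip():
            current.append(raw.strip())
        else:
            current = None  # '#' or any unindented line closes the block
    return domains

def ineffective_authorization_none(text):
    """Domains where 'authorization none' is set but does not take effect."""
    flagged = []
    for name, cmds in parse_domains(text).items():
        combined = any(re.match(r"scheme (radius-scheme \S+|local)\b", c) for c in cmds)
        # Assumption: 'authentication super' covers level switching only.
        separate_authn = any(c.startswith("authentication ")
                             and not c.startswith("authentication super") for c in cmds)
        if combined and not separate_authn and "authorization none" in cmds:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in ineffective_authorization_none(SAMPLE_CONFIG):
        print(f"domain {name}: authorization none is overridden by the combined scheme")
```

A flagged domain needs an explicit authentication command before its authorization none setting can be relied on.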
