HP 10500 Series Configuration Manual page 53

Remote authorization (scheme)—The NAS cooperates with a RADIUS or HWTACACS server to
•
authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization
can work only after RADIUS authentication is successful, and the authorization information is
carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS
authentication, and the authorization information is carried in the authorization response after
successful authentication. You can configure local authorization or no authorization as the backup
method, which is used when the remote server is not available.
Configuration prerequisites
Before configuring authorization methods, complete the following tasks:
1. For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For
RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS
authentication scheme. Otherwise, it does not take effect.
2. Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type to limit the authorization protocols that
can be used for access.
3. Determine whether to configure an authorization method for all access types or service types.
Configuration guidelines
When configuring authorization methods, follow these guidelines:
To configure RADIUS authorization, you must also configure RADIUS authentication, and reference
•
the same RADIUS scheme for RADIUS authentication and authorization. If the RADIUS
authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also
fails. If RADIUS authorization fails, the server sends an error message to the NAS, indicating that
the server itself is not responding.
You can configure a default authorization method for an ISP domain. This method is used for all
•
users who support the authorization method and have no specific authorization method configured.
You can configure local authorization (local) or no authorization (none) as the backup for remote
•
authorization that is used when the remote authorization server is unavailable.
Local authorization (local) and no authorization (none) cannot have a backup method.
•
Configuration procedure
To configure authorization methods for an ISP domain:
Step
1. Enter system view.
2. Enter ISP domain view.
3. Specify the default
authorization method for
all types of users.
4. Specify the command
authorization method.
5. Specify the authorization
method for LAN users.
Command
system-view
domain isp-name
authorization default { hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local |
none | radius-scheme radius-scheme-name
[ local ] }
authorization command { hwtacacs-scheme
hwtacacs-scheme-name [ local | none ] |
local | none }
authorization lan-access { local | none |
radius-scheme radius-scheme-name [ local |
none ] }
43
Remarks
N/A
N/A
Optional.
The default authorization
method is local for all types of
users.
Optional.
The default authorization
method is used by default.
Optional.
The default authorization
method is used by default.