Configuring Aaa Authorization Methods For An Isp Domain - HP 5500 HI Series Configuration Manual

For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system uses
$enab3@aaa$ for authentication when the domain name is required and uses $enab3$ for
authentication when the domain name is not required.
To configure AAA authentication methods for an ISP domain:
Step
1. Enter system view.
2. Enter ISP domain view.
3. Specify the default
authentication method
for all types of users.
4. Specify the
authentication method
for LAN users.
5. Specify the
authentication method
for login users.
6. Specify the
authentication method
for portal users.
7. Specify the
authentication method
for privilege level
switching.

Configuring AAA authorization methods for an ISP domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its
responsibility is to send authorization requests to the specified authorization servers and to send
authorization information to users after successful authorization. Authorization method configuration is
optional in AAA configuration.
AAA supports the following authorization methods:
No authorization (none)—The NAS performs no authorization exchange. After passing
•
authentication, non-login users can access the network, FTP users can access the root directory of
the NAS, and other login users have only the rights of Level 0 (visiting).
• Local authorization (local)—The NAS performs authorization according to the user attributes
configured for users.
Remote authorization (scheme)—The NAS cooperates with a RADIUS, or HWTACACS server to
•
authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization
can work only after RADIUS authentication is successful, and the authorization information is
carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS
authentication, and the authorization information is carried in the authorization response after
successful authentication. You can configure local authorization or no authorization as the backup
method, which is used when the remote server is not available.
Command
system-view
domain isp-name
authentication default { hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local |
none | radius-scheme radius-scheme-name
[ local ] }
authentication lan-access { local | none |
radius-scheme radius-scheme-name [ local |
none ] }
authentication login { hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local |
none | radius-scheme radius-scheme-name
[ local ] }
authentication portal { local | none |
radius-scheme radius-scheme-name [ local ] }
authentication super { hwtacacs-scheme
hwtacacs-scheme-name | radius-scheme
radius-scheme-name }
44
Remarks
N/A
N/A
Optional.
The default authentication
method is local for all types of
users.
Optional.
The default authentication
method is used by default.
Optional.
The default authentication
method is used by default.
Optional.
The default authentication
method is used by default.
Optional.
The default authentication
method is used by default.