Table of Contents
Advertisement
Step
7.
Specify authentication
methods for portal users.
8.
Specify authentication
methods for PPP users.
9.
Specify authentication
methods for obtaining a
temporary user role.
Configuring authorization methods for an ISP domain
Restrictions and guidelines
When configuring authorization methods, follow these guidelines:
•
The device supports HWTACACS authorization but not LDAP authorization.
•
To use a RADIUS scheme as the authorization method, specify the name of the RADIUS
scheme that is configured as the authentication method for the ISP domain. If an invalid
RADIUS scheme is specified as the authorization method, RADIUS authentication and
authorization fail.
When the primary authorization method is local, the following rules apply to the authorization of a
user:
•
The device uses the backup authorization methods in sequence only if local authorization is
invalid for one of the following reasons:
An exception occurs in the AAA process.
The user disconnects from the device.
The user account is not configured on the device or the user is not allowed to use the
access service.
•
The device does not turn to the backup authorization methods if local authorization is invalid
because of any other reason. Authorization fails for the user.
Prerequisites
Before configuring authorization methods, complete the following tasks:
1.
Determine the access type or service type to be configured. With AAA, you can configure an
authorization scheme for each access type and service type.
2.
Determine whether to configure the default authorization method for all access types or service
types. The default authorization method applies to all access users. However, the method has a
lower priority than the authorization method that is specified for an access type or service type.
Procedure
To configure authorization methods for an ISP domain:
Command
authentication portal { ldap-scheme
ldap-scheme-name [ local ] [ none ] | local
[ ldap-scheme ldap-scheme-name |
radius-scheme radius-scheme-name ]
[ none ] | none | radius-scheme
radius-scheme-name [ local ] [ none ] }
authentication ppp { hwtacacs-scheme
hwtacacs-scheme-name [ radius-scheme
radius-scheme-name ] [ local ] [ none ] | local
[ radius-scheme radius-scheme-name |
hwtacacs-scheme hwtacacs-scheme-name ]
* [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] [ none ] }
authentication super { hwtacacs-scheme
hwtacacs-scheme-name | radius-scheme
radius-scheme-name } *
60
Remarks
By default, the default
authentication method is
used for portal users.
This command takes
effect only on CSPEX
cards.
By default, the default
authentication method is
used for PPP users.
By default, the default
authentication method is
used for obtaining a
temporary user role.
Advertisement
Table of Contents
Troubleshooting
