Configuring Aaa Authorization Methods For An Isp Domain - 3Com S7906E Configuration Manual

The authentication method specified with the authentication default command is for all types of
users and has a priority lower than that for a specific access mode.
With an authentication method that references a RADIUS scheme, AAA accepts only the
authentication result from the RADIUS server. The Access-Accept message from the RADIUS
server does include the authorization information, but the authentication process ignores the
information.
With the
hwtacacs-scheme-name
authentication is the backup method and is used only when the remote server is not available.
If the primary authentication method is local or none, the system performs local authentication or
does not perform any authentication, and will not use any RADIUS, or HWTACACS authentication
scheme.
If the method for level switching authentication references an HWTACACS scheme, the system
uses the login username of a user for level switching authentication of the user by default. If the
method for level switching authentication references a RADIUS scheme, the system uses the
username configured for the corresponding privilege level on the RADIUS server for level switching
authentication, rather than the original username, namely the login username or the username
entered by the user. A username configured on the RADIUS server is in the format of $enab+level,
where level specifies the privilege level to which the user wants to switch. For example, if user
user1 of domain aaa wants to switch the privilege level to 3, the system uses $enab3@aaa for
authentication when the domain name is required and uses $enab3 for authentication when the
domain name is not required.

Configuring AAA Authorization Methods for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its
responsibility is to send authorization requests to the specified authorization server and to send
authorization information to users. Authorization method configuration is optional in AAA configuration.
AAA supports the following authorization methods:
No authorization (none): No authorization exchange is performed. Every user is trusted and has
the corresponding default rights of the system.
Local authorization (local): Users are authorized by the access device according to the attributes
configured for them.
Remote authorization (scheme): The access device cooperates with a RADIUS or HWTACACS
server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS
authorization can work only after RADIUS authentication is successful, and the authorization
information is carried in the Access-Accept message. HWTACACS authorization is separate from
HWTACACS authentication, and the authorization information is carried in the authorization
response after successful authentication. You can configure local authorization or no authorization
as the backup method to be used when the remote server is not available.
By default, an ISP domain uses the local authorization method. If the no authorization method (none) is
configured, the users are not required to be authorized, in which case an authenticated user has the
default right. The default right is visiting (the lowest one) for EXEC users (that is, console users who use
radius-scheme radius-scheme-name
local keyword
1-17
local,
and argument combination
hwtacacs-scheme
configured, local