3Com 4210G Series Configuration Manual page 516

response after successful authentication. You can configure local authorization or no authorization
as the backup method in case the remote server is not available.
By default, an ISP domain uses the local authorization method. If the no authorization method (none)
is configured, the users are not required to be authorized, in which case an authenticated user has the
default right. The default right is visiting (the lowest one) for EXEC users (that is, console users who
use the console, AUX port, or Telnet to connect to the device, such as Telnet or SSH users. Each
connection of these types is called an EXEC user). The default right for FTP users is to use the root
directory of the device.
Before configuring authorization methods, complete these three tasks:
1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For
RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS
authentication scheme; otherwise, it does not take effect.
2) Determine the access mode or service type to be configured. With AAA, you can configure an
authorization scheme specifically for each access mode and service type, limiting the
authorization protocols that can be used for access.
3) Determine whether to configure an authorization method for all access modes or service types.
Follow these steps to configure AAA authorization methods for an ISP domain:
To do...
Enter system view
Create an ISP domain and
enter ISP domain view
Specify the default
authorization method for all
types of users
Specify the command
authorization method
Specify the authorization
method for LAN users
Specify the authorization
method for login users
Use the command...
system-view
domain isp-name
authorization default
{ hwtacacs-scheme
hwtacacs-scheme-name
[ local ] | local | none |
radius-scheme
radius-scheme-name [ local ] }
authorization command
{ hwtacacs-scheme
hwtacacs-scheme-name
[ local | none ] | local | none }
authorization lan-access
{ local | none | radius-scheme
radius-scheme-name [ local ] }
authorization login
{ hwtacacs-scheme
hwtacacs-scheme-name
[ local ] | local | none |
radius-scheme
radius-scheme-name [ local ] }
1-16
Remarks
—
Required
Optional
local by default
Optional
The default authorization
method is used by default.
Optional
The default authorization
method is used by default.
Optional
The default authorization
method is used by default.