H3C S3100 Series Operation Manual page 419

H3C S3100 Series Ethernet Switches Operation Manual
You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented.
If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal and there is no key-related or nas-ip-related problem, no local authentication is performed; otherwise, local authentication is performed.
If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time.
If you execute the scheme none command, FTP users in the domain will not pass authentication. Therefore, to allow users to use the FTP service, do not configure the none scheme.
If scheme switching occurs during authentication, local authorization and accounting are performed. If no scheme switching occurs during authentication, authorization and accounting use the primary scheme.
The AAA scheme specified with the scheme command applies to all types of users and has a lower priority than the AAA scheme for a specific access type (that is, the scheme specified with the scheme lan-access or scheme login command).
If you use the scheme lan-access radius-scheme radius-scheme-name none command, the none scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, the primary scheme is used; if the RADIUS server is not reachable, no authentication is performed. This configuration ensures that LAN users can access the network when the primary remote server does not respond. Another advantage of specifying none instead of local as the secondary scheme is that you need not configure local users on the switch.
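As an added illustration that is not part of the H3C manual, the following Python script audits a constructed set of domain configuration lines written in the scheme command syntax described above and reports the combinations the text calls out: a none primary scheme (no authentication, FTP users fail), a none secondary scheme (unauthenticated access once the remote server is unreachable), and a local primary scheme (no accounting). The sample configuration, the parser and the finding texts are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in H3C domain-view syntax; not taken from a real device.
SAMPLE_CONFIG = """\
domain corp
 scheme radius-scheme rad1 local
 scheme lan-access radius-scheme rad1 none
domain guest
 scheme none
domain mgmt
 scheme hwtacacs-scheme tac1 local
 scheme login local
"""

# scheme [lan-access|login] {local|none|radius-scheme NAME|hwtacacs-scheme NAME} [local|none]
SCHEME_RE = re.compile(
    r"^\s*scheme(?:\s+(?P<access>lan-access|login))?\s+"
    r"(?P<primary>local|none|radius-scheme\s+\S+|hwtacacs-scheme\s+\S+)"
    r"(?:\s+(?P<secondary>local|none))?\s*$")

def parse_domains(config: str) -> Dict[str, Dict[str, dict]]:
    """Return {domain: {access_type: {'primary': kind, 'secondary': kind|None}}}.
    access_type is 'all' for the generic scheme command."""
    domains: Dict[str, Dict[str, dict]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("domain "):
            current = line.split(None, 1)[1].strip()
            domains[current] = {}
            continue
        m = SCHEME_RE.match(line)
        if m and current:
            access = m.group("access") or "all"
            kind = m.group("primary").split()[0]  # local / none / radius-scheme / hwtacacs-scheme
            domains[current][access] = {"primary": kind, "secondary": m.group("secondary")}
    return domains

def effective_scheme(domain_cfg: Dict[str, dict], access: str) -> Optional[dict]:
    """The access-type-specific scheme has priority over the generic one."""
    return domain_cfg.get(access) or domain_cfg.get("all")

def audit(config: str) -> List[str]:
    """Flag weak fallback combinations per domain and access type."""
    findings = []
    for name, cfg in parse_domains(config).items():
        for access in ("lan-access", "login"):
            s = effective_scheme(cfg, access)
            if s is None:
                continue
            if s["primary"] == "none":
                findings.append(f"{name}/{access}: no authentication; FTP users cannot log in")
            elif s["secondary"] == "none":
                findings.append(f"{name}/{access}: unauthenticated access if {s['primary']} server is unreachable")
            elif s["primary"] == "local":
                findings.append(f"{name}/{access}: local scheme cannot perform accounting")
    return findings
```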
Configuring separate AAA schemes
Authentication, authorization, and accounting are separate processes. Authentication is the interactive verification of the username, password, and other user information when a user requests access or a service. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.
AAA supports the following authentication methods:
No authentication (none): All users are trusted and no authentication is performed. Generally, this method is not recommended.
2-5