H3C S3100 Series Operation Manual page 420

H3C S3100 Series Ethernet Switches Operation Manual

Local authentication (local): Authentication is performed by the NAS, which is configured with the
user information, including the usernames, passwords, and attributes. Local authentication
features high speed and low cost, but the amount of information that can be stored is limited by the
hardware.
Remote authentication (scheme): The access device cooperates with a RADIUS or HWTACACS
server to authenticate users. As for RADIUS, the device can use the standard RADIUS protocol or
extended RADIUS protocol in collaboration with systems like CAMS and iMC to implement user
authentication. Remote authentication features centralized information management, high capacity,
high reliability, and support for centralized authentication for multiple devices. You can configure
local or no authentication as the backup method to be used when the remote server is not
available.
The separate method allows you to configure the authentication, authorization, and accounting
schemes separately by using the authentication, authorization, and accounting commands
respectively.
Before configuring an authentication/authorization/accounting method, do the following:
1) For RADIUS or HWTACACS authentication/authorization/accounting, configure the RADIUS or
   HWTACACS scheme to be referenced first. The local and none authentication methods do not
   require any scheme.
2) Determine the access mode or service type to be configured. With AAA, you can configure an
   authentication method specifically for each access mode and service type, limiting the
   authentication protocols that can be used for access.
3) Determine whether to configure an authentication/authorization/accounting method for all access
   modes or service types.
Table 2-5 Configure separate AAA schemes

Operation                         Command                               Remarks
--------------------------------------------------------------------------------------------------
Enter system view                 system-view                           -

Create an ISP domain and enter    domain isp-name                       Required
its view, or enter the view of
an existing ISP domain

Specify the default               authentication { radius-scheme        Optional
authentication method for all     radius-scheme-name [ local ] |        By default, no separate
types of users                    hwtacacs-scheme                       authentication scheme is
                                  hwtacacs-scheme-name [ local ] |      configured.
                                  local | none }

Specify the authentication        authentication lan-access { local     Optional
method for LAN users              | none | radius-scheme                The default authentication
                                  radius-scheme-name [ local |          method is used by default.
                                  none ] }

Specify the authentication        authentication login                  Optional
method for login users            { hwtacacs-scheme                     The default authentication
                                  hwtacacs-scheme-name [ local ] |      method is used by default.
                                  local | none | radius-scheme
                                  radius-scheme-name [ local ] }

Configure an HWTACACS             authentication super                  Optional
authentication scheme for user    hwtacacs-scheme                       By default, no HWTACACS
level switching                   hwtacacs-scheme-name                  authentication scheme is
                                                                        configured.
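
The backup keyword and the "default method is used by default" rule in Table 2-5 together decide whether a domain still authenticates users when the remote server is unreachable. The following Python audit is an added example, not part of the H3C manual: it works out the effective method for LAN and login users in each domain and reports where none takes effect. The domain and scheme names (corp, guest, lab, rs1, tac1) and the layout of the saved configuration are assumptions.

```python
ACCESS_TYPES = ("lan-access", "login")  # types that inherit the default method
# Constructed sample. Assumption: the saved configuration lists the commands
# as typed, with domain-view lines indented under their "domain" line.
SAMPLE_CONFIG = """\
domain corp
 authentication radius-scheme rs1 local
 authentication lan-access radius-scheme rs1 none
domain guest
 authentication none
domain lab
 authentication login hwtacacs-scheme tac1 local
"""


def parse_method(tokens):
    """Return (primary, backup) from the words after 'authentication [type]'."""
    if tokens[0] in ("radius-scheme", "hwtacacs-scheme") and len(tokens) > 1:
        return f"{tokens[0]} {tokens[1]}", tokens[2] if len(tokens) > 2 else None
    return tokens[0], None  # local | none


def audit(config):
    """Map (domain, access type) to a finding wherever 'none' takes effect."""
    domains, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line and not line[0].isspace():  # top-level: opens or leaves a domain
            is_domain = words[0] == "domain" and len(words) == 2
            current = domains.setdefault(words[1], {}) if is_domain else None
        elif words[:1] == ["authentication"] and current is not None:
            typed = len(words) > 1 and words[1] in ACCESS_TYPES + ("super",)
            kind, rest = (words[1], words[2:]) if typed else ("default", words[1:])
            if rest:
                current[kind] = parse_method(rest)
    findings = {}
    for name, methods in domains.items():
        for kind in ACCESS_TYPES:
            # A type with no line of its own uses the domain's default method.
            primary, backup = methods.get(kind) or methods.get("default") or (None, None)
            if primary == "none":
                findings[(name, kind)] = "no authentication"
            elif backup == "none":
                findings[(name, kind)] = f"unauthenticated when {primary} is unavailable"
    return findings


if __name__ == "__main__":
    for (domain, kind), issue in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"domain {domain}: {kind}: {issue}")
```

In the sample, changing the corp lan-access backup from none to local, and giving guest a real default method, clears every finding.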
