H3C S3100 Series Operation Manual page 421

H3C S3100 Series Ethernet Switches Operation Manual
Operation: Specify the default authorization method for all types of users
Command: authorization { local | none | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
Remarks: Optional. By default, no separate authorization scheme is configured.

Operation: Specify the authorization method for login users
Command: authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Remarks: Optional. The default authorization method is used by default.

Operation: Specify the default accounting method for all types of users
Command: accounting { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
Remarks: Optional. By default, no separate accounting scheme is configured.

Operation: Specify the accounting method for LAN users
Command: accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
Remarks: Optional. The default accounting method is used by default.

Operation: Specify the accounting method for login users
Command: accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. The default accounting method is used by default.

If a combined AAA scheme is configured as well as separate authentication, authorization and accounting schemes, the separate ones take precedence.

If you configure separate AAA schemes, the authentication, authorization, and accounting scheme switching processes do not affect each other. For example, if scheme switching occurs during authentication, the primary HWTACACS authorization scheme is still used even though the authorization hwtacacs-scheme hwtacacs-scheme-name local command is configured. Authorization scheme switching occurs only when the HWTACACS scheme is invalid.

The authentication scheme specified with the authentication command is for all types of users and has a lower priority than the scheme for a specific access mode (that is, the authentication scheme specified with the authentication lan-access or authentication login command).

The authorization scheme specified with the authorization command is for all types of users. Because LAN users do not support authorization, the authorization login command is equivalent to the authorization command.

If you use the authentication lan-access radius-scheme radius-scheme-name none command, the none scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, the primary scheme is used; if the RADIUS server is not reachable, no authentication is performed.

The switches adopt hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches. For details about configuring an HWTACACS authentication scheme for low-to-high user level switching, refer to section Switching User Level in the Command Line Interface Operation.
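The precedence rules above can be checked mechanically when reviewing a saved configuration. The following is an added example, not part of the H3C manual: a small Python audit that resolves the effective method chain per access type (access-specific over default) and reports where none is the primary or secondary method. The function names, the scheme names rad1 and tac1, and the sample lines are constructed; it assumes the authentication commands take the same method keywords as the accounting commands in the table, and it does not model the combined AAA scheme.

```python
SERVICES = ("authentication", "authorization", "accounting")
ACCESS = ("lan-access", "login")

def parse(config):
    # Return {(service, access or "default"): [methods in fallback order]}.
    table = {}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] not in SERVICES:
            continue
        service, rest = tok[0], tok[1:]
        access = rest.pop(0) if rest and rest[0] in ACCESS else "default"
        chain = []
        while rest:
            word = rest.pop(0)
            if word in ("radius-scheme", "hwtacacs-scheme") and rest:
                chain.append(f"{word}:{rest.pop(0)}")  # keyword plus scheme name
            else:
                chain.append(word)                     # local or none
        table[(service, access)] = chain
    return table

def effective(table, service, access):
    # The access-specific scheme wins over the all-users default.
    return table.get((service, access)) or table.get((service, "default"))

def audit(config):
    # List (service, access, "primary" | "fallback") wherever none applies.
    table, findings = parse(config), []
    for service in SERVICES:
        for access in ACCESS:
            if service == "authorization" and access == "lan-access":
                continue  # per the manual, LAN users do not support authorization
            chain = effective(table, service, access)
            if chain and "none" in chain:
                kind = "primary" if chain[0] == "none" else "fallback"
                findings.append((service, access, kind))
    return findings

# Constructed sample lines (hypothetical scheme names rad1 and tac1).
SAMPLE = """\
 authentication radius-scheme rad1 local
 authentication lan-access radius-scheme rad1 none
 authorization hwtacacs-scheme tac1 local
 accounting none
 accounting login hwtacacs-scheme tac1 local
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "fallback" finding on authentication lan-access corresponds to the case the manual describes: LAN users are admitted without authentication whenever the RADIUS server is unreachable.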