H3C Technologies H3C S5120 Series Switches User Manual
Page 418
1-12
To do…
Use the command…
Remarks
Specify the authentication
method for LAN users
authentication lan-access
{ local | none | radius-scheme
radius-scheme-name [ local ] }
Optional
The default authentication
method is used by default.
Specify the authentication
method for login users
authentication login { local |
none | radius-scheme
radius-scheme-name [ local ] }
Optional
The default authentication
method is used by default.
z
The authentication method specified with the authentication default command is for all types of
users and has a priority lower than that for a specific access mode.
z
With an authentication method that references a RADIUS scheme, AAA accepts only the
authentication result from the RADIUS server. The Access-Accept message from the RADIUS
server does include the authorization information, but the authentication process ignores the
information.
z
With the radius-scheme radius-scheme-name local, keyword and argument combination
configured, local authentication is the backup method and is used only when the remote server is
not available.
z
If the primary authentication method is local or none, the system performs local authentication or
does not perform any authentication, and will not use any RADIUS authentication scheme.
Configuring AAA Authorization Methods for an ISP Domain
In AAA, authorization is a separate process at the same level as authentication and accounting. Its
responsibility is to send authorization requests to the specified authorization server and to send
authorization information to users. Authorization method configuration is optional in AAA configuration.
AAA supports the following authorization methods:
z
No authorization: No authorization exchange is performed. Every user is trusted and has the
corresponding default rights of the system.
z
Local authorization: Users are authorized by the access device according to the attributes
configured for them.
z
Remote authorization: The access device cooperates with a RADIUS server to authorize users.
RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only
after RADIUS authentication is successful, and the authorization information is carried in the
Access-Accept message. You can configure local authorization or no authorization as the backup
method to be used when the remote server is not available.
By default, an ISP domain uses the local authorization method. If the no authorization method (none) is
configured, the users are not required to be authorized, in which case an authenticated user has the
default right. The default right is visiting (the lowest one) for EXEC users (that is, console users who use
the console, AUX, or Telnet to connect to the device, such as Telnet or SSH users. Each connection of
these types is called an EXEC user). The default right for FTP users is to use the root directory of the
device.
Before configuring authorization methods, complete these three tasks: