414 CHAPTER 21: 802.1X CONFIGURATION
Configuring Separate AAA Schemes
If a bound AAA scheme (that is, one in which authentication, authorization and
accounting are bound together) is configured alongside separate authentication,
authorization and accounting schemes, the separate schemes take precedence.
The RADIUS scheme and the local scheme do not support separating authentication
from authorization. Take care when configuring authentication and authorization:
if the scheme radius-scheme or scheme local command has been executed and the
authentication command has not, the authorization information returned by the
RADIUS or local scheme still takes effect even if the authorization none command
is executed.
Configuration Example for Separate AAA Schemes
Network requirements
A RADIUS server with IP address 10.110.91.164 is connected to the switch. This
server will be used as an authentication server.
On the switch, set the shared key it uses to exchange packets with the RADIUS server
to "expert".
Configure the RADIUS scheme radius as both the authentication and accounting
schemes of the ISP domain cams, and allow users in this ISP domain to use network
services without being authorized.
Table 443 Configure separate AAA schemes

Operation                      Command                       Description
-----------------------------  ----------------------------  --------------------------------------
Enter system view              system-view                   -

Create an ISP domain or enter  domain isp-name               Required
an existing ISP domain view

Configure an authentication    authentication {              Optional
scheme for the ISP domain      radius-scheme                 By default, no separate authentication
                               radius-scheme-name [ local ]  scheme is configured.
                               | local | none }

Allow users in the current     authorization none            Optional
ISP domain to use network                                    By default, no separate authorization
services without being                                       scheme is configured.
authorized

Configure an accounting        accounting { none |           Optional
scheme for the ISP domain      radius-scheme                 By default, no separate accounting
                               radius-scheme-name }          scheme is configured.
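
The precedence rule and the authorization caveat described in this section, modelled as an added example (not part of the original manual or the switch software): the hypothetical function effective_aaa reads the command lines of one ISP domain view and reports which scheme serves each AAA function, flagging an authorization none command that has no effect. The sample configurations are constructed, and only the commands named in this section are recognised.

```python
# Added example: resolve the effective AAA methods of one ISP domain from its
# configuration lines, following the two rules stated in this section.
# effective_aaa, CAMS and RISKY are hypothetical names chosen for illustration.

def effective_aaa(domain_lines):
    """Return (methods, warnings) for the command lines of one ISP domain view."""
    bound = None      # bound scheme, from "scheme ..."
    separate = {}     # separate authentication / authorization / accounting
    for line in domain_lines:
        words = line.split()
        if not words:
            continue
        if words[0] == "scheme":
            bound = " ".join(words[1:])
        elif words[0] in ("authentication", "authorization", "accounting"):
            separate[words[0]] = " ".join(words[1:])

    # Rule 1: a separate scheme takes precedence over the bound scheme.
    methods = {svc: separate.get(svc, bound)
               for svc in ("authentication", "authorization", "accounting")}
    warnings = []

    # Rule 2: RADIUS and local schemes cannot split authentication from
    # authorization, so without a separate authentication command the bound
    # scheme still authorizes and "authorization none" is ineffective.
    bound_kind = bound.split()[0] if bound else None
    if (bound_kind in ("radius-scheme", "local")
            and "authentication" not in separate
            and separate.get("authorization") == "none"):
        methods["authorization"] = bound
        warnings.append("authorization none has no effect: authorization "
                        "information from '%s' still applies" % bound)
    return methods, warnings

# Constructed sample configurations (not taken from a real device).
CAMS = ["authentication radius-scheme radius", "authorization none",
        "accounting radius-scheme radius"]
RISKY = ["scheme radius-scheme radius", "authorization none"]

if __name__ == "__main__":
    for name, cfg in (("cams", CAMS), ("risky", RISKY)):
        methods, warnings = effective_aaa(cfg)
        print(name, methods, warnings)
```

Run over a saved domain configuration, a non-empty warnings list marks a domain where users still receive the authorization attributes of the bound scheme.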