this way, you cannot specify different schemes for authentication, authorization and accounting respectively.

Follow these steps to configure a combined AAA scheme:

Step 1. Enter system view
  Command: system-view

Step 2. Create an ISP domain and enter its view, or enter the view of an existing ISP domain
  Command: domain isp-name
  Remarks: Required

Step 3. Configure an AAA scheme for the ISP domain
  Command: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
  Remarks: Required. By default, an ISP domain uses the local AAA scheme.

• You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme for all three AAA functions. If you adopt the local scheme, only authentication and authorization are performed; the local scheme cannot perform accounting.

• If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, as long as the device can communicate with a RADIUS server, no local authentication is performed; local authentication is performed only when communication with the RADIUS server fails. A RADIUS server that is reachable but rejects the user is not a communication failure, so such a rejection does not fall back to local authentication.

• If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, as long as the device can communicate with a TACACS server, no local authentication is performed; local authentication is performed only when communication with the TACACS server fails.

• If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify a RADIUS scheme or HWTACACS scheme at the same time.

• If you execute the scheme none command, FTP users in the domain cannot pass authentication. To allow users to use the FTP service, do not configure the none scheme.
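The CLI session below is an added example, not taken from the 3Com WX3000 manual, showing the combined scheme with RADIUS as the primary method and local as the backup. The domain name corp, the RADIUS scheme name rad-corp, the server address 192.0.2.10, the shared secret, the backup user admin-backup and the device prompt are assumed placeholders; the radius scheme, local-user and display domain commands come from other sections of the configuration and are shown here as assumptions, so check them against your software version.

```text
# Added example (not from the 3Com WX3000 manual). All names, addresses,
# keys and passwords are assumed placeholders; replace them before use.
<WX3000> system-view
# Define the RADIUS scheme that the domain will reference (assumed syntax).
[WX3000] radius scheme rad-corp
[WX3000-radius-rad-corp] primary authentication 192.0.2.10 1812
[WX3000-radius-rad-corp] primary accounting 192.0.2.10 1813
[WX3000-radius-rad-corp] key authentication ReplaceWithSharedSecret
[WX3000-radius-rad-corp] key accounting ReplaceWithSharedSecret
[WX3000-radius-rad-corp] quit
# Local user that is consulted only when no RADIUS server is reachable.
[WX3000] local-user admin-backup
[WX3000-luser-admin-backup] password simple ReplaceWithStrongPassword
[WX3000-luser-admin-backup] service-type telnet level 3
[WX3000-luser-admin-backup] quit
# Combined scheme: RADIUS for authentication, authorization and accounting,
# with local as the secondary scheme (the trailing "local" keyword).
[WX3000] domain corp
[WX3000-isp-corp] scheme radius-scheme rad-corp local
[WX3000-isp-corp] quit
# Verify which scheme the domain now uses.
[WX3000] display domain corp
```

With this configuration the backup user is only tried when the device cannot reach 192.0.2.10; a login that the RADIUS server rejects stays rejected. The example deliberately avoids scheme none (which would leave the domain unauthenticated and, as noted above, lock out FTP users) and scheme local alone (which would lose accounting).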

Configuring separate AAA schemes

You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following lists the schemes available for each function, by service type supported by AAA.

1) For terminal users

• Authentication: RADIUS, local, HWTACACS or none.

• Authorization: none or HWTACACS.

• Accounting: RADIUS, HWTACACS or none.
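The session below is an added example, not from the manual, of separate schemes for terminal users: RADIUS authentication with local backup, HWTACACS authorization (the only server-based authorization option for terminal users) and RADIUS accounting. It assumes a RADIUS scheme named rad-corp already exists; the HWTACACS scheme name tac-corp, the server address 192.0.2.20, the shared secret and the hwtacacs scheme commands are assumptions to check against your software version.

```text
# Added example (not from the 3Com WX3000 manual). Assumes a RADIUS scheme
# "rad-corp" is already configured; other names and addresses are placeholders.
[WX3000] hwtacacs scheme tac-corp
[WX3000-hwtacacs-tac-corp] primary authorization 192.0.2.20 49
[WX3000-hwtacacs-tac-corp] key authorization ReplaceWithSharedSecret
[WX3000-hwtacacs-tac-corp] quit
[WX3000] domain corp
# Authentication: RADIUS, falling back to local only when no server is reachable.
[WX3000-isp-corp] authentication radius-scheme rad-corp local
# Authorization: HWTACACS; "none" is the only alternative for terminal users.
[WX3000-isp-corp] authorization hwtacacs-scheme tac-corp
# Accounting: RADIUS (local accounting is not available).
[WX3000-isp-corp] accounting radius-scheme rad-corp
[WX3000-isp-corp] quit
```

Splitting the functions this way lets the authorization server differ from the authentication server; the trade-off is that a terminal user can authenticate against RADIUS yet have no privilege decision if the HWTACACS server is down, so monitor both.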

3Com WX3000 Operation Manual (page 2-4)