3Com WX3000 User Manual

You can use an arbitrary combination of the above implementations for your AAA scheme configuration. 
2)  For FTP users 
Only authentication is supported for FTP users. 
Authentication: RADIUS, local, or HWTACACS. 
Follow these steps to configure separate AAA schemes: 
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create an ISP domain and enter its view, or enter the view of an existing ISP domain | domain isp-name | Required |
| Configure an authentication scheme for the ISP domain | authentication { radius-scheme radius-scheme-name [ local ] \| hwtacacs-scheme hwtacacs-scheme-name [ local ] \| local \| none } | Optional. By default, no separate authentication scheme is configured. |
| Configure an authorization scheme for the ISP domain | authorization { none \| hwtacacs-scheme hwtacacs-scheme-name } | Optional. By default, no separate authorization scheme is configured. |
| Configure an accounting scheme for the ISP domain | accounting { none \| radius-scheme radius-scheme-name \| hwtacacs-scheme hwtacacs-scheme-name } | Optional. By default, no separate accounting scheme is configured. |
 
 
If a combined AAA scheme is configured together with separate authentication, authorization and accounting schemes, the separate schemes take precedence.
The RADIUS scheme and the local scheme do not support separating authentication from authorization. Take care when you configure authentication and authorization for a domain: when the scheme radius-scheme or scheme local command has been executed and the authentication command has not, the authorization information returned from the RADIUS or local scheme still takes effect even if the authorization none command is executed.
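A configuration check for the caveat in the note above, as an added example that is not part of the original manual: it reports domains where authorization none is configured but, under the condition the note states, does not take effect. The configuration layout, the scheme name rad1 and the function names are assumptions made for this example.

```python
# Assumption: each domain appears as a "domain <name>" line followed by
# indented commands; this layout and the name "rad1" are constructed.
SAMPLE_CONFIG = """\
domain guest
 scheme radius-scheme rad1
 authorization none
domain staff
 scheme radius-scheme rad1
 authentication radius-scheme rad1
 authorization none
domain lab
 scheme local
 authorization none
"""

AAA_COMMANDS = ("scheme", "authentication", "authorization", "accounting")


def parse_domains(text):
    """Return {domain name: {AAA command: argument string}}."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        if not raw.startswith(" "):  # top-level line: enter or leave a domain
            current = domains.setdefault(args.strip(), {}) if keyword == "domain" else None
        elif current is not None and keyword in AAA_COMMANDS:
            current[keyword] = args.strip()
    return domains


def audit(text):
    """List domains where 'authorization none' does not take effect."""
    findings = []
    for name, cfg in parse_domains(text).items():
        combined = cfg.get("scheme", "")
        if (cfg.get("authorization") == "none"
                and "authentication" not in cfg
                and combined.split(" ")[0] in ("radius-scheme", "local")):
            findings.append(
                f"{name}: 'authorization none' is ineffective; authorization "
                f"from combined scheme '{combined}' still applies")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The check flags only the condition the note describes; it makes no statement about domains where the authentication command has been executed.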
 
Configuring Dynamic VLAN Assignment 
The dynamic VLAN assignment feature enables a device to dynamically add the ports of successfully 
authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so 
as to control the network resources that different users can access. 
Currently, the device supports the following two types of assigned VLAN IDs: integer and string. 
Integer: If the RADIUS authentication server assigns VLAN IDs of the integer type, you can set the
VLAN assignment mode to integer on the device (this is also the default mode on the device). Then,