3com WX3000 User Manual

this way, you cannot specify different schemes for authentication, authorization and accounting 
respectively. 
Follow these steps to configure a combined AAA scheme: 
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
Use the command: domain isp-name
Remarks: Required

To do: Configure an AAA scheme for the ISP domain
Use the command: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
Remarks: Required. By default, an ISP domain uses the local AAA scheme.
 
 
You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all the three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented.
If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the device and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the device and a TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.
If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case, you cannot specify any RADIUS scheme or HWTACACS scheme at the same time.
If you execute the scheme none command, FTP users in the domain will not pass authentication. So, to allow users to use the FTP service, do not configure the none scheme.
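
A small audit script, added here as an example and not part of the 3Com manual, that applies the rules in the notes above to the scheme line of each ISP domain. The configuration excerpt is constructed; its layout (a domain line followed by an indented scheme line) and the names corp, guest, lab, branch, rad1 and tac1 are assumptions.

```python
import re

# Constructed sample; the domain/scheme names and the file layout are assumptions.
SAMPLE_CONFIG = """\
domain corp
 scheme radius-scheme rad1 local
domain guest
 scheme none
domain lab
 scheme local
domain branch
 scheme hwtacacs-scheme tac1
"""

# Grammar from the command table above:
# scheme { local | none | radius-scheme NAME [ local ] | hwtacacs-scheme NAME [ local ] }
SCHEME_RE = re.compile(
    r"^scheme (?:(?P<simple>local|none)"
    r"|(?P<kind>radius-scheme|hwtacacs-scheme) (?P<name>\S+)(?P<fallback> local)?)$"
)
NO_ACCOUNTING = "local scheme: authentication and authorization only, no accounting"

def classify(line):
    """Return the consequences the manual's notes attach to one scheme command."""
    m = SCHEME_RE.match(" ".join(line.split()))  # collapse repeated spaces
    if not m:
        return ["invalid scheme command: " + line.strip()]
    if m["simple"] == "none":
        return ["no authentication performed", "FTP users fail authentication"]
    if m["simple"] == "local":
        return [NO_ACCOUNTING]
    server = "RADIUS" if m["kind"] == "radius-scheme" else "TACACS"
    if m["fallback"]:
        return [f"local authentication used when no {server} server is available"]
    return [f"no local secondary scheme for when no {server} server is available"]

def audit(config_text):
    """Map each ISP domain in config_text to the findings for its scheme."""
    findings, domain = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("domain "):
            domain = line.split(None, 1)[1]
            findings[domain] = [NO_ACCOUNTING]  # default: domain uses the local scheme
        elif domain and line.startswith("scheme "):
            findings[domain] = classify(line)
    return findings

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(notes))
```
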
 
Configuring separate AAA schemes 
You can use the authentication, authorization, and accounting commands to specify a scheme for each of the three AAA functions (authentication, authorization and accounting) respectively. The following describes how separate schemes are implemented for the services supported by AAA.
1) For terminal users
Authentication: RADIUS, local, HWTACACS or none. 
Authorization: none or HWTACACS. 
Accounting: RADIUS, HWTACACS or none.