Configuring AAA authentication methods for an ISP domain

In AAA, authentication, authorization, and accounting are separate processes. Authentication is the interactive exchange and verification of the username, password, and other user information during an access or service request. The authentication process does not send authorization information to a supplicant or trigger accounting.

AAA supports the following authentication methods:

You can configure AAA authentication to work alone without authorization and accounting. By default, an ISP domain uses the local authentication method.

Before configuring authentication methods, complete the following tasks:

  • For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to be referenced first. The local and none authentication methods do not require a scheme.

  • Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type, limiting the authentication protocols that can be used for access.

  • Determine whether to configure an authentication method for all access types or service types.

Follow these guidelines when you configure AAA authentication methods for an ISP domain:

To configure AAA authentication methods for an ISP domain:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A

3. Specify the default authentication method for all types of users.
   Command: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is local for all types of users.

4. Specify the authentication method for LAN users.
   Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
   Remarks: Optional. The default authentication method is used by default.

5. Specify the authentication method for login users.
   Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is used by default.

6. Specify the authentication method for portal users.
   Command: authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is used by default.

7. Specify the authentication method for privilege level switching.
   Command: authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
   Remarks: Optional. The default authentication method is used by default.
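
An added example, not part of the original document or any vendor tooling: a Python check that resolves the effective authentication method for each access type in a saved configuration (unset types inherit the domain default, which is local unless configured) and reports every place where none is the method or the fallback. The sample configuration, the scheme name rs1, and the assumption that domain sub-commands are indented under the domain line are constructed for illustration.

```python
import re

AUDITED = ("lan-access", "login", "portal")  # types whose syntax above accepts "none"
SCHEMES = ("radius-scheme", "hwtacacs-scheme")

# Constructed sample (not from a real device); scheme name rs1 is hypothetical.
SAMPLE_CONFIG = """\
domain corp
 authentication default radius-scheme rs1 local
 authentication lan-access radius-scheme rs1 none
#
domain guest
 authentication default none
 authentication login local
#
domain lab
 authentication portal local
"""

def method_chain(tokens):
    """Reduce 'radius-scheme rs1 local' to ('radius-scheme', 'local')."""
    chain, skip = [], False
    for tok in tokens:
        if skip:            # this token is a scheme name, not a method
            skip = False
        else:
            chain.append(tok)
            skip = tok in SCHEMES
    return tuple(chain)

def parse_domains(config):
    """Return {domain: {access_type: chain}} from 'domain' blocks."""
    domains, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        dom = re.fullmatch(r"domain (\S+)", line)
        auth = re.fullmatch(r"authentication (default|lan-access|login|portal) (.+)", line)
        if dom:
            current = domains.setdefault(dom.group(1), {})
        elif auth and current is not None and raw[:1].isspace():
            current[auth.group(1)] = method_chain(auth.group(2).split())
        elif not raw[:1].isspace():
            current = None  # any other top-level line closes the domain block
    return domains

def audit(config):
    """List (domain, access_type, chain) where the effective chain includes 'none'."""
    findings = []
    for name, methods in parse_domains(config).items():
        default = methods.get("default", ("local",))  # default method is local
        for access in AUDITED:
            chain = methods.get(access, default)      # unset types inherit the default
            if "none" in chain:
                findings.append((name, access, chain))
    return findings
```

In the sample, the corp domain is flagged for its lan-access fallback to none, and the guest domain is flagged for lan-access and portal because they inherit a default of none, while its explicit login method of local is not.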