Configuring AAA authorization methods for an ISP domain
In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization servers and to send authorization information to users after successful authorization. Authorization method configuration is optional in AAA configuration.
AAA supports the following authorization methods:
No authorization (none)—The NAS performs no authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the NAS, and other login users have only the rights of Level 0 (visiting).
Local authorization (local)—The NAS performs authorization according to the user attributes configured for users.
Remote authorization (scheme)—The NAS cooperates with a RADIUS, or HWTACACS server to authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS authorization can work only after RADIUS authentication is successful, and the authorization information is carried in the Access-Accept message. HWTACACS authorization is separate from HWTACACS authentication, and the authorization information is carried in the authorization response after successful authentication. You can configure local authorization or no authorization as the backup method, which is used when the remote server is not available.
Before configuring authorization methods, complete the following tasks:
For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme. Otherwise, it does not take effect.
Determine the access type or service type to be configured. With AAA, you can configure an authorization scheme for each access type and service type, limiting the authorization protocols that can be used for access.
Determine whether to configure an authorization method for all access types or service types.
Follow these guidelines when you configure AAA authorization methods for an ISP domain:
The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access type.
If you configure an authentication method and an authorization method that use RADIUS schemes for an ISP domain, the RADIUS scheme for authorization must be the same as that for authentication. If the RADIUS authorization configuration is invalid or RADIUS authorization fails, the RADIUS authentication also fails. Whenever RADIUS authorization fails, an error message is sent to the NAS, indicating that the server is not responding.
If you specify the radius-scheme radius-scheme-name local, hwtacacs-scheme hwtacacs-scheme-name [ local | none ] option when you configure an authorization method, local authorization or no authorization is the backup method and is used only when the remote server is not available.
If you specify only the local or none keyword in an authorization method configuration command, the switch has no backup authorization method and performs only local authorization or does not perform any authorization.
To configure AAA authorization methods for an ISP domain:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter ISP domain view. | domain isp-name | N/A |
3. Specify the default authorization method for all types of users. | authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | Optional. The authorization method is local for all types of users. |
4. Specify the command authorization method. | authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none } | Optional. The default authorization method is used by default. |
5. Specify the authorization method for LAN users. | authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } | Optional. The default authorization method is used by default. |
6. Specify the authorization method for login users. | authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } | Optional. The default authorization method is used by default. |
7. Specify the authorization method for portal users. | authorization portal { local | none | radius-scheme radius-scheme-name [ local ] } | Optional. The default authorization method is used by default. |