Configuring authorization methods for an ISP domain

Configuration prerequisites

Before configuring authorization methods, complete the following tasks:

  1. Determine the access type or service type to be configured. With AAA, you can configure an authorization scheme for each access type and service type.

  2. Determine whether to configure the default authorization method for all access types or service types. The default authorization method applies to all access users. However, the method has a lower priority than the authorization method that is specified for an access type or service type.

Configuration guidelines

When configuring authorization methods, follow these guidelines:

Configuration procedure

To configure authorization methods for an ISP domain:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter ISP domain view.

domain isp-name

N/A

3. Specify default authorization methods for all types of users.

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

By default, the authorization method is local.

The none keyword is not supported in FIPS mode.

4. Specify command authorization methods.

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

By default, the default authorization method is used for command authorization.

The none keyword is not supported in FIPS mode.

5. Specify authorization methods for LAN users.

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

By default, the default authorization method is used for LAN users.

The none keyword is not supported in FIPS mode.

6. Specify authorization methods for login users.

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

By default, the default authorization method is used for login users.

The none keyword is not supported in FIPS mode.

7. Specify authorization methods for portal users.

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

By default, the default authorization method is used for portal users.

The none keyword is not supported in FIPS mode.