3Com 4500 Switch User Manual


 
To do…: Configure an authentication scheme for the ISP domain
Use the command…: authentication { radius-scheme radius-scheme-name [ local ] | local | none }
Remarks: Optional. By default, no separate authentication scheme is configured.

To do…: Configure an authorization scheme for the ISP domain
Use the command…: authorization { none }
Remarks: Optional. By default, no separate authorization scheme is configured.

To do…: Configure an accounting scheme for the ISP domain
Use the command…: accounting { none | radius-scheme radius-scheme-name }
Remarks: Optional. By default, no separate accounting scheme is configured.

• If a combined AAA scheme is configured as well as separate authentication, authorization and
accounting schemes, the separate schemes take precedence.
• The RADIUS scheme and the local scheme do not support the separation of authentication and
authorization. Therefore, take care when you configure authentication and authorization
for a domain: when the scheme radius-scheme or scheme local command is
executed and the authentication command is not executed, the authorization information returned
from the RADIUS or local scheme still takes effect even if the authorization none command is
executed.
Configuration guidelines
Suppose a combined AAA scheme is available. The system selects AAA schemes according to the
following principles:
• If authentication, authorization, and accounting each have a separate scheme, the separate schemes
are used.
• If you configure only a separate authentication scheme (that is, there are no separate authorization
and accounting schemes configured), the combined scheme is used for authorization and
accounting. In this case, if the combined scheme uses RADIUS, the system never uses the
secondary scheme for authorization and accounting.
• If you configure no separate scheme, the combined scheme is used for authentication,
authorization, and accounting. In this case, if the system uses the secondary local scheme for
authentication, it also does so for authorization and accounting; if the system uses the first scheme
for authentication, it also does so for authorization and accounting, even if authorization and
accounting fail.
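
The selection rules and the authorization none caveat above, modelled as a small audit helper. This is an added example, not 3Com code: the function name effective_aaa, the one-command-per-line input format and the scheme name rs1 are assumptions made for illustration.

```python
# Added example (not 3Com code): resolves which scheme serves each AAA
# function in one ISP domain, following the rules stated in this section.
def effective_aaa(config_text):
    """Return ({function: (source, scheme)}, warnings) for domain-view commands."""
    cfg = {}
    for line in config_text.strip().splitlines():
        keyword, _, args = line.strip().partition(" ")
        cfg[keyword] = args.strip()

    combined = cfg.get("scheme") or None
    sep_authn = "authentication" in cfg
    # 'scheme radius-scheme NAME local' carries a secondary local scheme.
    has_secondary = (combined is not None
                     and combined.startswith("radius-scheme ")
                     and combined.endswith(" local"))
    result, warnings = {}, []

    for func in ("authentication", "authorization", "accounting"):
        separate = cfg.get(func)
        # Pitfall from the note: without a separate authentication scheme,
        # 'authorization none' does not override scheme radius-scheme/local.
        ignored = (func == "authorization" and separate == "none"
                   and not sep_authn and combined is not None
                   and combined.split()[0] in ("radius-scheme", "local"))
        if ignored:
            warnings.append("'authorization none' has no effect; authorization "
                            "from 'scheme %s' still applies" % combined)
        if separate and not ignored:
            result[func] = ("separate", separate)   # separate takes precedence
        elif combined is None:
            result[func] = (None, None)              # nothing configured
        elif func != "authentication" and sep_authn and has_secondary:
            # Only authentication is separate: the combined RADIUS scheme is
            # used and its secondary scheme is never tried.
            result[func] = ("combined", combined.rsplit(" ", 1)[0])
        else:
            # Follows whichever combined scheme (first or secondary) performed
            # authentication. Assumption: also applied when only a separate
            # accounting scheme exists, a case the page does not spell out.
            result[func] = ("combined", combined)
    return result, warnings

# Constructed sample: domain-view commands with a hypothetical scheme "rs1".
SAMPLE = "scheme radius-scheme rs1 local\nauthorization none"

if __name__ == "__main__":
    schemes, notes = effective_aaa(SAMPLE)
    for func, (source, scheme) in schemes.items():
        print(f"{func:15} {source}: {scheme}")
    for note in notes:
        print("WARNING:", note)
```

Running it on a saved domain configuration shows at a glance whether an authorization none line is actually honoured or silently overridden by the combined scheme.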
Configuring Dynamic VLAN Assignment
The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of
successfully authenticated users to different VLANs according to the attributes assigned by the
RADIUS server, so as to control the network resources that different users can access.