S2700 and S3700 V100R006C05 Configuration Guide - Security

Configuring AAA Schemes

Context

To use RADIUS AAA, set the authentication mode in an authentication scheme to RADIUS and the accounting mode in an accounting scheme to RADIUS.

If RADIUS authentication is configured, you can also configure local authentication or non-authentication as the backup. The backup is used only if RADIUS authentication fails because the RADIUS server does not respond; a rejection from the RADIUS server is not passed on to the backup.

Procedure

  • Configuring an authentication scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      authentication-scheme authentication-scheme-name

      An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed directly.

      By default, there is an authentication scheme named default on the device. The default authentication scheme can only be modified, but cannot be deleted.

    4. Run:

      authentication-mode radius

      RADIUS authentication is configured.

      By default, local authentication is used.

      To use local authentication as the backup authentication mode, run the authentication-mode radius local command to configure local authentication.

      If multiple authentication modes are configured in an authentication scheme, they are tried in the order in which they were configured. The device moves on to the next configured mode only when it receives no response from the current mode (for example, when the RADIUS server is unreachable). If the current mode returns an authentication failure, the device stops the authentication and does not try the next mode.

    5. (Optional) Run:

      authentication-super { hwtacacs | radius | super } * [ none ]

      The authentication mode used to upgrade user levels is configured.

    6. Run:

      quit

      Return to the AAA view.

    7. (Optional) Run:

      domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the user name and domain name are parsed is configured.

  • Configuring an accounting scheme
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      aaa

      The AAA view is displayed.

    3. Run:

      accounting-scheme accounting-scheme-name

      An accounting scheme is created and the accounting scheme view is displayed.

      There is a default accounting scheme named default on the device. The default accounting scheme can only be modified, but cannot be deleted.

    4. Run:

      accounting-mode radius

      The accounting mode is configured.

      By default, the accounting mode is none.

    5. (Optional) Run:

      accounting start-fail { online | offline }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run:

      accounting realtime interval

      Real-time accounting is enabled and the interval for real-time accounting is set.

      By default, the device performs accounting based on user online duration, the real-time accounting function is disabled, and the interval for real-time accounting is not set.

    7. (Optional) Run:

      accounting interim-fail [ max-times times ] { online | offline }

      The maximum number of real-time accounting requests is set and a policy used after a real-time accounting failure is configured.

      After real-time accounting is enabled, the maximum number of real-time accounting requests is 3 and the device keeps paid users online after a real-time accounting failure by default.
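The two procedures above combined into one configuration session, as an added example that is not part of the Huawei guide. The scheme names radius-auth and radius-acct, the real-time accounting interval value, and the exact prompt strings are constructed for illustration; every command comes from the steps above.

```text
# Added example, not from the original guide. Scheme names and prompts are constructed.
<HUAWEI> system-view
[HUAWEI] aaa

# Authentication scheme: RADIUS first, local as backup.
# Local authentication is reached only when the RADIUS server does not respond;
# a RADIUS reject ends the authentication without trying local.
[HUAWEI-aaa] authentication-scheme radius-auth
[HUAWEI-aaa-authen-radius-auth] authentication-mode radius local
[HUAWEI-aaa-authen-radius-auth] quit

# Accounting scheme: RADIUS accounting; keep users offline if accounting-start fails
# (this is the default, written out here so the intent is explicit in the configuration).
[HUAWEI-aaa] accounting-scheme radius-acct
[HUAWEI-aaa-accounting-radius-acct] accounting-mode radius
[HUAWEI-aaa-accounting-radius-acct] accounting start-fail offline
# Interval value is constructed; check the command reference for its unit and range.
[HUAWEI-aaa-accounting-radius-acct] accounting realtime 15
# Allow up to 3 real-time accounting failures before acting, then keep users online.
[HUAWEI-aaa-accounting-radius-acct] accounting interim-fail max-times 3 online
[HUAWEI-aaa-accounting-radius-acct] quit
[HUAWEI-aaa] quit
```

The ordering in authentication-mode radius local is the security-relevant choice: it gives administrators a way in when the RADIUS server is down, while still honouring a deliberate rejection from the server. Writing `accounting start-fail offline` explicitly, even though it is the default, makes a later change to `online` visible in a configuration diff.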