1764 CHAPTER 93: AAA/RADIUS/HWTACACS CONFIGURATION

■ The authentication scheme specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.
■ With a RADIUS authentication scheme configured, AAA accepts only the authentication result from the RADIUS server. The response from the RADIUS server does include the authorization information when the authentication is successful, but the authentication process ignores the information.
■ With the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local keyword and argument combination configured, the local scheme is the backup scheme and is used only when the RADIUS server or TACACS server is not available.
■ If the primary authentication scheme is local or none, the system performs local authentication or does not perform any authentication, rather than using the RADIUS or HWTACACS scheme.

Configuring an AAA Authorization Scheme for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to authorized users. Authorization scheme configuration is optional in AAA configuration.

If you do not perform any authorization configuration, the system-default domain uses the local authorization scheme. With the authorization scheme of none, the users are not required to be authorized, in which case an authenticated user has the default right. The default right is visiting (the lowest one) for EXEC users (that is, users who connect to the device through the console, AUX, or asynchronous serial ports, or through Telnet or SSH; each connection of these types is called an EXEC user).
The default right for FTP users is to use the root directory of the device.

Before configuring an authorization scheme, complete these three tasks:

1 For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2 Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access.
3 Determine whether to configure an authorization scheme for all access modes or service types.

Follow these steps to configure an AAA authorization scheme for an ISP domain:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Create an ISP domain and enter ISP domain view | domain isp-name | Required |
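
The scheme-selection rules stated above (an access-mode scheme outranks the default one, local is a backup used only when the server is unavailable, and a RADIUS authorization scheme must match the RADIUS authentication scheme) can be checked offline against a saved configuration. The Python below is an added example, not part of this manual or of the device software. It assumes that the authorization and per-access-mode lines mirror the authentication default syntax shown above; the domain name, the scheme names rd1 and rd2, and the access-mode names login and ppp are constructed for illustration.

```python
# Constructed sample of one ISP domain's AAA lines (not taken from a real device).
SAMPLE = """\
domain example-isp
 authentication default radius-scheme rd1 local
 authentication login local
 authorization default radius-scheme rd2 local
"""
REMOTE = ("radius-scheme", "hwtacacs-scheme")

def parse_domain(text):
    """Return {(service, mode): [(kind, name), ...]} with the primary scheme first."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] not in ("authentication", "authorization"):
            continue
        schemes, rest = [], words[2:]
        while rest:
            kind = rest.pop(0)
            schemes.append((kind, rest.pop(0) if kind in REMOTE and rest else None))
        cfg[(words[0], words[1])] = schemes
    return cfg

def effective(cfg, service, mode):
    """A scheme for a specific access mode outranks the 'default' scheme."""
    for key in ((service, mode), (service, "default")):
        if key in cfg:
            return cfg[key]
    return [("local", None)] if service == "authorization" else []

def scheme_used(schemes, server_up):
    """Primary scheme, or the 'local' backup only when the server is unavailable."""
    if schemes[0][0] in REMOTE and not server_up:
        return ("local", None) if ("local", None) in schemes[1:] else None
    return schemes[0]

def lint(cfg, mode):
    """Flag settings the text says are ineffective or leave users at the default right."""
    authn = effective(cfg, "authentication", mode)
    authz = effective(cfg, "authorization", mode)[0]
    findings = []
    if authz[0] == "radius-scheme" and authz not in authn[:1]:
        findings.append("RADIUS authorization differs from authentication: no effect")
    if authz[0] == "none":
        findings.append("authorization none: users get only the default right")
    return findings

if __name__ == "__main__":
    print(lint(parse_domain(SAMPLE), "ppp"))
```

Changing rd2 to rd1 in the sample clears the finding for ppp, while login still reports one because its authentication scheme is local and its authorization scheme is RADIUS.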