Operation Manual – AAA RADIUS HWTACACS
H3C S7500E Series Ethernet Switches
Chapter 1 AAA/RADIUS/HWTACACS Configuration

1.3.5 Configuring an AAA Authorization Scheme for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to authorized users. Authorization scheme configuration is optional in AAA configuration.

If you do not perform any authorization configuration, the system-default domain uses the local authorization scheme. With the authorization scheme of none, users are not required to be authorized, in which case an authenticated user has the default right. The default right is visiting (the lowest one) for EXEC users, that is, users who connect to the device through the console, AUX, Telnet, or SSH; each connection of these types is called an EXEC user. The default right for FTP users is to use the root directory of the device.

Before configuring an authorization scheme, complete these three tasks:

1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme; otherwise, it does not take effect.
2) Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access.
3) Determine whether to configure an authorization scheme for all access modes or service types.

Follow these steps to configure an AAA authorization scheme for an ISP domain:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Create an ISP domain and enter ISP domain view
Use the command: domain isp-name
Remarks: Required

To do: Specify the default authorization scheme for all types of users
Use the command: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Optional. local by default.

To do: Specify the authorization scheme for command line users
Use the command: authorization command hwtacacs-scheme hwtacacs-scheme-name
Remarks: Optional. The default authorization scheme is used by default.
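The following audit script is an added example, not part of the H3C manual. It checks a saved configuration for the two conditions this section calls out: a domain set to authorization none, and a RADIUS authorization scheme that differs from the authentication scheme. The sample configuration, the domain and scheme names, and the `authentication default` lines (a command configured outside this section) are assumptions.

```python
import re

# Constructed sample in the style of a saved configuration; names are made up.
# The "authentication default" lines are an assumption from outside this section.
SAMPLE = """\
domain branch
 authentication default radius-scheme rad-a local
 authorization default radius-scheme rad-b local
#
domain lab
 authentication default local
 authorization default none
#
domain ops
 authentication default radius-scheme rad-a
 authorization default radius-scheme rad-a local
 authorization command hwtacacs-scheme tac-a
#
domain legacy
#
"""
LINE = re.compile(r"\s+(authentication|authorization)\s+(default|command)\s+(.+)")

def parse_domains(text):
    """Map each domain to {"authorization default": [scheme tokens], ...}."""
    domains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"domain\s+(\S+)\s*$", line)
        if head:
            current = domains.setdefault(head.group(1), {})
        elif not line.startswith(" "):
            current = None  # '#' or any top-level line ends the domain view
        elif current is not None and (m := LINE.match(line)):
            current[f"{m.group(1)} {m.group(2)}"] = m.group(3).split()
    return domains

def audit(text):
    """Return sorted (domain, finding) pairs for the two cases this section calls out."""
    findings = []
    for name, cfg in parse_domains(text).items():
        authz = cfg.get("authorization default", ["local"])  # local by default
        authn = cfg.get("authentication default", [])
        if authz[0] == "none":
            findings.append((name, "authorization none: authenticated users get the default right"))
        elif authz[0] == "radius-scheme" and authn[:2] != authz[:2]:
            findings.append((name, "RADIUS authorization scheme differs from authentication scheme"))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{d}: {f}" for d, f in audit(SAMPLE)), sep="\n")
```

Only the scheme type and name are compared, so a trailing local fallback on one side does not raise a finding.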