Step 3. Enter user role VPN instance policy view.
    Command: vpn-instance policy deny
    Remarks: By default, the VPN instance policy of the user role permits access to all VPNs. This command denies the user role access to all VPNs unless the permit vpn-instance command is configured.

Step 4. (Optional.) Specify a list of VPNs accessible to the user role.
    Command: permit vpn-instance vpn-instance-name&<1-10>
    Remarks: By default, no accessible VPNs are configured in user role VPN instance policy view. Repeat this step to add more accessible VPNs.
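The following CLI session is an added example, not taken from the guide, that carries the VPN instance policy procedure through from start to finish. It assumes the two steps preceding step 3 on this page are system-view and role name (the standard way to create or enter a user role on this platform), that a role named vpn-audit and VPN instances named vpn1, vpn2 and vpn3 exist, and that the prompts shown are approximate; lines starting with # are comments.

```text
# Enter system view, then create (or enter) the user role to restrict.
<Device> system-view
[Device] role name vpn-audit
# Step 3: enter user role VPN instance policy view. The deny policy
# blocks access to every VPN until a permit vpn-instance entry is added.
[Device-role-vpn-audit] vpn-instance policy deny
# Step 4: allow specific VPNs. Up to 10 names per command; repeat to add more.
[Device-role-vpn-audit-vpnpolicy] permit vpn-instance vpn1 vpn2
[Device-role-vpn-audit-vpnpolicy] permit vpn-instance vpn3
[Device-role-vpn-audit-vpnpolicy] quit
[Device-role-vpn-audit] quit
[Device] quit
```

Leaving the deny policy in place with no permit vpn-instance entries is the safe starting point: a user assigned only the vpn-audit role can then reach no VPN until each one is explicitly listed, which is the least-privilege shape for an operator role scoped to a subset of customer VPNs.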
Assigning user roles
To control user access to the system, you must assign at least one user role. Make sure that at least one of the user roles assigned by the server exists on the device. The user role assignment procedure differs for remote AAA authentication users, local AAA authentication users, and non-AAA authentication users. For more information about AAA authentication, see Security Configuration Guide.
Enabling the default user role feature
The default user role feature allows AAA authentication users to access the system if the AAA server does
not authorize any user roles to the users.
You can configure this feature to enable an AAA authentication user that has not been assigned any user
role to log in with the default user role network-operator.
To enable the default user role feature for AAA authentication users:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable the default user role feature.
    Command: role default-role enable
    Remarks: By default, the default user role feature is disabled. If the none authorization method is used for local users, you must enable the default user role feature.
Assigning user roles to remote AAA authentication users
For remote AAA authentication users, user roles are configured on the remote authentication server. For
information about configuring user roles for RADIUS users, see the RADIUS server documentation. For
HWTACACS users, the role configuration must use the roles="role-1 role-2 … role-n" format, where user
roles are space separated. For example, configure roles="level-0 level-1 level-2" to assign level-0, level-1,
and level-2 to an HWTACACS user.
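To make the role assignment rules on this page concrete, here is an added Python model (not device code from the vendor or this guide) that parses the HWTACACS roles="..." attribute and resolves which roles a login actually receives, applying the two rules stated above: a server-assigned role counts only if it exists on the device, and a user with no server-assigned roles gets network-operator only when the default user role feature is enabled. The set of device roles is constructed sample data, and the behaviour when the server assigns only roles unknown to the device is an assumption marked in the code.

```python
import re

# Default user role named on the page for the default user role feature.
DEFAULT_ROLE = "network-operator"

# Constructed sample of user roles existing on a device (not from the guide);
# the level-n names follow the page's own HWTACACS example.
DEVICE_ROLES = {
    "network-admin", "network-operator",
    "level-0", "level-1", "level-2", "level-15",
    "vpn-audit",
}

# Matches the roles="role-1 role-2 ... role-n" attribute format.
_ROLES_RE = re.compile(r'roles="([^"]*)"')


def parse_hwtacacs_roles(attr: str) -> list[str]:
    """Return the space-separated role names carried in a roles="..." attribute.

    Raises ValueError for anything that is not in the documented format, so a
    malformed authorization reply is rejected rather than silently granting
    nothing or everything.
    """
    match = _ROLES_RE.search(attr)
    if match is None:
        raise ValueError(f'not a roles="..." attribute: {attr!r}')
    return match.group(1).split()


def resolve_user_roles(server_roles: list[str], device_roles: set[str],
                       default_role_enabled: bool) -> list[str]:
    """Return the user roles a login session is granted; empty means denied.

    Rules taken from the page:
      * a role assigned by the server is usable only if it exists on the device;
      * if the server authorizes no roles at all, the user gets DEFAULT_ROLE
        only when the default user role feature is enabled.
    Assumption (not stated on the page): if the server assigns roles but none
    of them exists on the device, the login is denied instead of falling back
    to the default role.
    """
    if not server_roles:
        return [DEFAULT_ROLE] if default_role_enabled else []
    return [role for role in server_roles if role in device_roles]


def login_roles(attr: str, device_roles: set[str] = DEVICE_ROLES,
                default_role_enabled: bool = False) -> list[str]:
    """Convenience wrapper: attribute string in, effective role list out."""
    return resolve_user_roles(parse_hwtacacs_roles(attr), device_roles,
                              default_role_enabled)


if __name__ == "__main__":
    # The page's own example: all three roles exist, so all three are granted.
    print(login_roles('roles="level-0 level-1 level-2"'))
    # Nothing authorized: granted network-operator only with the feature enabled.
    print(login_roles('roles=""', default_role_enabled=True))
    print(login_roles('roles=""', default_role_enabled=False))
```

The empty result for a user whose server-assigned roles are all unknown to the device is the case the sentence "make sure at least one user role among the user roles assigned by the server exists on the device" is warning about; checking role names on the server against `display role` output on each device before rollout avoids that lockout.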