HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
You can configure AAA authentication to work alone without authorization and accounting.
By default, an ISP domain uses the local authentication method.
Configuration prerequisites
Before configuring authentication methods, complete the following tasks:
• For RADIUS or HWTACACS authentication, configure the RADIUS or HWTACACS scheme to
be referenced first. Local and none authentication methods do not require a scheme.
• Determine the access type or service type to be configured. With AAA, you can configure an
authentication method for each access type and service type to limit the authentication
protocols that users can use for access.
• Determine whether to configure the default authentication method for all access types or
service types.
Configuration guidelines
When configuring authentication methods, follow these guidelines:
• If you configure an authentication method that references a RADIUS scheme and an
authorization method that does not reference a RADIUS scheme, AAA accepts only the
authentication result from the RADIUS server. The Access-Accept message from the RADIUS
server also carries the authorization information, but the device ignores the information.
• You can configure a default authentication method for an ISP domain. The default method will
be used for all users who support the authentication method and have no specific
authentication method configured.
• You can configure local authentication (local) or no authentication (none) as the backup for
remote authentication that is used when the remote authentication server is unavailable.
• Local authentication (local) and no authentication (none) cannot have a backup method.
• If the method for level switching authentication references an HWTACACS scheme, by default
the device uses the login username of the user for level switching authentication. If the method
for level switching authentication references a RADIUS scheme, the system uses the username
configured for the corresponding privilege level on the RADIUS server for level switching
authentication, rather than the login username. A username configured on the RADIUS server
is in the format $enablevel$ (that is, $enab followed by level and a closing $), where level specifies the privilege level that the user wants to enter.
For example, if user user1 of domain aaa wants to switch the privilege level to 3, the system
uses $enab3@aaa$ for authentication when the domain name is required and uses
$enab3$ for authentication when the domain name is not required.
Configuration procedure
To configure authentication methods for an ISP domain:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter ISP domain view.
   Command: domain isp-name
   Remarks: N/A
3. Specify the default authentication method for all types of users.
   Command:
   • In non-FIPS mode:
     authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
   • In FIPS mode:
     authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }
   Remarks: Optional. The default authentication method is local for all types of users.
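The following is an added example, not part of the HPE guide: a small Python check that reads configuration text and reports, per ISP domain, which default authentication method from step 3 is in effect and whether it is none or lacks a local backup. The configuration layout (a domain line followed by indented commands), the domain and scheme names, and the function names are assumptions made for illustration.

```python
import re

PREFIX = "authentication default "
# Remote method with an optional local backup, per the syntax in step 3.
REMOTE_RE = re.compile(r"(?:radius-scheme|hwtacacs-scheme) \S+( local)?")

# Constructed sample. Assumed layout: a "domain isp-name" line followed by
# indented commands. Domain and scheme names are made up.
SAMPLE_CONFIG = """\
domain branch
 authentication default radius-scheme rad1 local
domain guest
 authentication default none
domain ops
 authentication default hwtacacs-scheme tac1
domain system
"""

def classify(method, fips_mode=False):
    """Map an 'authentication default' argument to a review finding."""
    if method == "none":
        # none is absent from the FIPS-mode syntax in the guide.
        return "not-offered-in-fips" if fips_mode else "no-authentication"
    if method == "local":
        return "ok"
    match = REMOTE_RE.fullmatch(method)
    if match is None:
        return "unrecognized"
    # Without the local keyword there is no backup if the server is unavailable.
    return "ok" if match.group(1) else "no-local-backup"

def audit_domains(config_text, fips_mode=False):
    """Return {domain: (method, finding)} for every ISP domain in the text."""
    methods, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("domain "):
            current = raw.split(None, 1)[1].strip()
            methods[current] = "local"  # default stated in the guide
        elif raw[:1] != " ":
            current = None  # any other unindented line ends the domain view
        elif current and raw.strip().startswith(PREFIX):
            methods[current] = raw.strip()[len(PREFIX):]
    return {d: (m, classify(m, fips_mode)) for d, m in methods.items()}

if __name__ == "__main__":
    for domain, (method, finding) in audit_domains(SAMPLE_CONFIG).items():
        print(f"{domain:8} {method:28} {finding}")
```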
