The authentication-mode command configures an authentication mode for an authentication scheme.
The undo authentication-mode command restores the default authentication mode in an authentication scheme.
By default, local authentication is used. The names of local users are case-insensitive.
authentication-mode { hwtacacs | [ local | local-case ] | radius | haca } * [ none ]
authentication-mode none
undo authentication-mode
Parameter | Description | Value |
---|---|---|
hwtacacs | Authenticates users using an HWTACACS server. To perform HWTACACS authentication, configure an HWTACACS authentication server in an HWTACACS server template. | - |
local | Authenticates users locally and sets local user names to case-insensitive. | - |
local-case | Authenticates users locally and sets local user names to case-sensitive. | - |
radius | Authenticates users using a RADIUS server. To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. | - |
haca | Authenticates users using a Huawei Agile Cloud Authentication (HACA) server. | - |
none | Indicates non-authentication. That is, users access the network without being authenticated. | - |
Usage Scenario
To authenticate users, configure an authentication mode in an authentication scheme.
In the sequence of local authentication followed by remote authentication:
- If a login account is not created locally but exists on the remote server, the authentication mode is changed from local authentication to remote authentication.
- If a login account is created locally and on the remote server, and local authentication fails because the password is incorrect, remote authentication will not be performed.

In the sequence of remote authentication followed by local authentication:
- If a login account is created locally but not on the remote server, remote authentication fails and local authentication will not be performed.
- A user is authenticated using the local authentication mode only when the remote server is Down or does not respond to the user's authentication request.
After the authentication-mode radius local command is used, the device cannot complete RADIUS authentication if it fails to connect to the RADIUS authentication server. In this case, the device starts local authentication.
After the authentication-mode local radius command is used, if the entered user name exists on the device but the entered password is incorrect, the user fails the authentication; if the entered user name does not exist on the device, the user is redirected to the RADIUS authentication mode and is authenticated based on user information on the RADIUS server.
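The fallback rules above can be checked against a small model. The following Python sketch is an added example, not code from the device or the vendor; the function names, the sample accounts and the server dictionaries are constructed for illustration, and it assumes that a remote method with no reachable server behaves like a server that is Down.

```python
import hmac
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"            # method answered and admitted the user
    REJECT = "reject"            # method answered and refused: final, no fallback
    UNAVAILABLE = "unavailable"  # method could not answer: try the next one

# Constructed sample data (not from the page).
LOCAL_USERS = {"admin": "L0cal-pw", "ops": "Ops-pw"}
RADIUS_UP = {"up": True, "users": {"alice": "R-pw", "admin": "Radius-pw"}}
RADIUS_DOWN = {"up": False, "users": RADIUS_UP["users"]}

def local_auth(user, password, local_db, case_sensitive):
    """local / local-case: an unknown name falls through, a wrong password is final."""
    if not case_sensitive:
        user = user.lower()
        local_db = {name.lower(): pw for name, pw in local_db.items()}
    if user not in local_db:
        return Result.UNAVAILABLE
    same = hmac.compare_digest(local_db[user].encode(), password.encode())
    return Result.ACCEPT if same else Result.REJECT

def remote_auth(user, password, server):
    """radius / hwtacacs / haca: only a down or silent server falls through."""
    if server is None or not server["up"]:  # assumption: no server == Down
        return Result.UNAVAILABLE
    stored = server["users"].get(user)
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return Result.ACCEPT if ok else Result.REJECT

def authenticate(mode, user, password, local_db, servers):
    """mode is the keyword list, e.g. ["radius", "local"]; returns (result, deciding method)."""
    for method in mode:
        if method == "none":
            return Result.ACCEPT, "none"   # any user name and password pass
        if method in ("local", "local-case"):
            result = local_auth(user, password, local_db, method == "local-case")
        else:
            result = remote_auth(user, password, servers.get(method))
        if result is not Result.UNAVAILABLE:
            return result, method
    return Result.REJECT, None             # every configured method was unavailable

if __name__ == "__main__":
    for srv in (RADIUS_UP, RADIUS_DOWN):
        outcome = authenticate(["radius", "local"], "ops", "Ops-pw", LOCAL_USERS, {"radius": srv})
        print("radius local, server up:", srv["up"], "->", outcome)
```

With `radius local`, the local account `ops` is refused while the server answers and accepted once the server is Down, so local passwords become the active credential whenever the remote server is unreachable and need the same strength as the remote ones.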
Precautions
If non-authentication is configured using the authentication-mode command, users can pass the authentication using any user name or password. Therefore, to protect the device and improve network security, you are advised to enable authentication, allowing only authenticated users to access the device or network.