
authorization-mode

Function

The authorization-mode command configures an authorization mode for an authorization scheme.

The undo authorization-mode command restores the default authorization mode in an authorization scheme.

By default, local authorization is used. The names of local users are case-insensitive.

Format

authorization-mode { hwtacacs | if-authenticated | [ local | local-case ] } * [ none ]

authorization-mode none

undo authorization-mode

Parameters

Parameter | Description | Value
hwtacacs | Indicates that the user is authorized by an HWTACACS server. | -
if-authenticated | Indicates that only a user who succeeds in authentication is authorized. The if-authenticated authorization configuration does not take effect in RADIUS authentication. | -
local | Authenticates users locally and sets local user names to case-insensitive. | -
local-case | Authenticates users locally and sets local user names to case-sensitive. | -
none | Indicates non-authorization. | -

Views

Authorization scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authorize users, configure an authorization mode in an authorization scheme.

You can configure multiple authorization modes in an authorization scheme to reduce the chance of authorization failures.

After the authorization-mode hwtacacs local command is used, if the device fails to connect to the HWTACACS authentication server and HWTACACS authorization cannot be performed, the device falls back to local authorization.

Precautions

  • If multiple authorization modes are used in an authorization scheme, the if-authenticated mode or the none mode must be the last authorization mode.
  • If the authorization mode is set to if-authenticated or none, an administrator who passes local authentication does not inherit, after login, the level configured using the local-user privilege level command. The administrator first inherits the level configured using the admin-user privilege level command in the service scheme bound to the domain. If no level is configured in the domain, the administrator inherits the level configured using the user privilege command in the VTY view.

    By default, users who log in to the device through the VTY view of the console interface are at level 15, and users who log in through other VTY views are at level 0.

  • If multiple authorization modes are configured in an authorization scheme, they are tried in the sequence in which they were configured. The device moves on to the next authorization mode only when it receives no response in the current one.
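The fallback order described in the usage scenario and precautions, modelled as an added Python example that is not part of this reference and not Huawei code: parse_authorization_mode and simulate are constructed helpers, and the server responses fed to simulate are constructed inputs.

```python
# Constructed model of the authorization-mode semantics described above (added
# example, not Huawei code): it checks a command line against the documented
# format and the "if-authenticated/none last" precaution, then replays the
# configured modes in order, moving on only when a mode gives no response.

MODES = {"hwtacacs", "if-authenticated", "local", "local-case", "none"}
# Read from the precaution: neither of these may be followed by another mode
# (an interpretation; the page does not spell out combining the two).
TERMINAL = {"if-authenticated", "none"}


def parse_authorization_mode(line):
    """Return the ordered mode list, or raise ValueError on a line that violates
    the format { hwtacacs | if-authenticated | [ local | local-case ] } * [ none ]
    or the ordering precaution."""
    tokens = line.split()
    if tokens[:1] != ["authorization-mode"] or len(tokens) < 2:
        raise ValueError("expected: authorization-mode <mode> [mode ...]")
    modes = tokens[1:]
    unknown = [m for m in modes if m not in MODES]
    if unknown:
        raise ValueError("unknown mode(s): %s" % ", ".join(unknown))
    if len(modes) != len(set(modes)):
        raise ValueError("a mode may be given only once")
    if {"local", "local-case"} <= set(modes):
        raise ValueError("local and local-case are mutually exclusive")
    for m in modes[:-1]:
        if m in TERMINAL:
            raise ValueError(m + " must be the last authorization mode")
    return modes


def simulate(modes, responses):
    """Replay the modes in configured order for an already authenticated user.

    responses maps hwtacacs/local/local-case to "authorized", "denied" or None
    (no response, e.g. the HWTACACS server is unreachable). A definite answer
    ends the walk; only silence falls through to the next mode.
    Returns (mode_that_decided, outcome).
    """
    for m in modes:
        if m == "if-authenticated":
            return m, "authorized"   # any authenticated user is authorized
        if m == "none":
            return m, "authorized"   # non-authorization: no check at all
        answer = responses.get(m)
        if answer is not None:
            return m, answer
    return None, "failed"           # every configured mode stayed silent
```

Note that a "denied" answer from the HWTACACS server is a response, so with hwtacacs local the device does not fall back to local authorization in that case; only an unreachable server triggers the fallback.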

Example

# Configure the authorization scheme named scheme1 to apply HWTACACS authorization.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-scheme scheme1
[HUAWEI-aaa-author-scheme1] authorization-mode hwtacacs
Copyright © Huawei Technologies Co., Ltd.