authorization-modify mode

Function

The authorization-modify mode command configures the update mode for user authorization information delivered by the authorization server.

The undo authorization-modify mode command restores the default update mode for user authorization information delivered by the authorization server.

By default, the update mode of user authorization information delivered by the authorization server is overlay. That is, the new user authorization information overwrites all existing user authorization information.

Format

authorization-modify mode { modify | overlay }

undo authorization-modify mode

Parameters

Parameter    Description                    Value
modify       Indicates the modify mode.     -
overlay      Indicates the overlay mode.    -

Views

AAA view

Default Level

3: Management level

Usage Guidelines

The authorization server can deliver all or part of a user's authorization information, such as an ACL rule or a dynamic VLAN.

You can run the authorization-modify mode command to configure one of the following update modes for user authorization information delivered by the authorization server:
  • modify: modification mode indicating that new user authorization information overwrites only existing user authorization information of the same type.
  • overlay: overwriting mode indicating that new user authorization information overwrites all existing user authorization information.
If the authorization server has delivered ACL 3001 to a user, and the administrator needs to deliver new authorization information:
  • In the modify mode, if the new authorization information is ACL 3002, the authorization information of the user is ACL 3002. If the new authorization information is VLAN 100, the authorization information of the user is ACL 3001 and VLAN 100.
  • In the overlay mode, regardless of whether the new authorization information is ACL 3002 or VLAN 100, the authorization information of the user is only the new ACL or VLAN.
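
The two update modes above can be modeled to check, before a change is pushed, which attribute types a delivery would remove from a user. This is an added illustration, not Huawei code: the function names and the "acl"/"vlan" keys are assumptions, and the user group and re-authentication timer rules described below are not modeled.

```python
# Added illustration of the modify/overlay semantics described on this page.
# Function names and attribute keys ("acl", "vlan") are assumptions.

def apply_update(current, delivered, mode):
    """Return the user's authorization info after the server delivers `delivered`."""
    if mode == "overlay":
        # New information overwrites all existing information.
        return dict(delivered)
    if mode == "modify":
        # New information overwrites only existing information of the same type.
        merged = dict(current)
        merged.update(delivered)
        return merged
    raise ValueError(f"unknown mode: {mode!r}")


def replay(initial, updates, mode):
    """Replay a sequence of deliveries.

    Returns (final_state, dropped), where dropped lists (step, [attribute types])
    for every delivery that removed an attribute type the user previously had.
    """
    state = dict(initial)
    dropped = []
    for step, delivered in enumerate(updates, start=1):
        new_state = apply_update(state, delivered, mode)
        lost = sorted(set(state) - set(new_state))
        if lost:
            dropped.append((step, lost))
        state = new_state
    return state, dropped


if __name__ == "__main__":
    # Constructed input matching the page's example: ACL 3001 is already
    # delivered, then the server delivers VLAN 100 only.
    initial = {"acl": 3001}
    for mode in ("modify", "overlay"):
        final, dropped = replay(initial, [{"vlan": 100}], mode)
        print(mode, final, "dropped:", dropped)
```

In overlay mode the replay reports that the VLAN-only delivery drops the ACL, which is the case to review when the ACL is what restricts the user's access.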

This command takes effect only for the authorization information delivered by the RADIUS server.

After a user group or service scheme is authorized to a user on the device and a certain attribute configured in the user group or service scheme is modified on the server, if other configured attributes need to be modified, the authorization information on the server must contain the previously modified attribute. Otherwise, the original attribute value in the user group or service scheme will be restored. For example, to modify an attribute in a user group:
  1. The device authorizes the user group configured with the VLAN and ACL attributes to a user.
  2. To modify the VLAN attribute, authorize the new VLAN attribute to the user through the RADIUS server.
  3. To modify the ACL attribute after the VLAN attribute is modified, you must authorize the modified VLAN attribute and new ACL attribute through the RADIUS server. Otherwise, the original VLAN attribute in the user group will be restored.
For user re-authentication:
  • If the Session-Timeout attribute is delivered during RADIUS CoA authorization, the original re-authentication timer is deleted and the timer carried by the Session-Timeout attribute is started.
  • If the Session-Timeout attribute is not delivered during RADIUS CoA authorization:
    • When the modify mode is used, the original re-authentication timer is not deleted; instead, the timer is suspended during user authorization and continues to take effect after the authorization completes.
    • When the overlay mode is used:

      If the original re-authentication timer is locally configured, the original re-authentication timer is not deleted; instead, the timer is suspended during user authorization and continues to take effect after the authorization completes.

      If the original timer is delivered by the server, the original timer is not deleted and re-authentication is performed depending on whether the local re-authentication timer is configured on the device.

Example

# Set the update mode of user authorization information delivered by the authorization server to modify.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] authorization-modify mode modify
Copyright © Huawei Technologies Co., Ltd.