This section describes how to configure AAA authentication, authorization and accounting schemes with an edit-config merge operation: the request below is merged into the running configuration, so existing schemes with other names are left untouched.
| Operation | XPATH |
|---|---|
| edit-config:merge | /huawei-aaa:aaa |
| Item | Data | Description |
|---|---|---|
| Name of an authentication scheme | authen1 | Set the name of the authentication scheme to authen1. |
| Authentication mode in an authentication scheme | hwtacacs | Set the authentication mode of the scheme to HWTACACS. |
| Name of an authorization scheme | author1 | Set the name of the authorization scheme to author1. |
| HWTACACS server-based command line authorization | Authorization level: 15; backup authorization mode: local | Enable HWTACACS server-based command line authorization for level-15 administrators, and fall back to local command line authorization if the HWTACACS server does not respond to the authorization request. |
| Authorization mode in an authorization scheme | hwtacacs | Set the authorization mode of the scheme to HWTACACS. |
| Name of an accounting scheme | acct1 | Set the name of the accounting scheme to acct1. |
| Accounting mode in an accounting scheme | hwtacacs | Set the accounting mode of the scheme to HWTACACS. |
| Policy for accounting-start failures | online | Allow users to go online even if accounting-start fails. |
| Interval for real-time accounting | 15 | Set the real-time accounting interval to 15 minutes. |
| Maximum number of real-time accounting failures | 5 | Set the maximum number of consecutive real-time accounting failures to 5. |
| Policy for real-time accounting failures | offline | Disconnect users when real-time accounting fails. |
| Whether to enable bypass authentication | true | Enable the bypass authentication function. |
| Bypass authentication timeout interval | 13 | Set the bypass authentication timeout interval to 13 minutes. |
| Virtual system (vsys) | ads | Bind each scheme to the virtual system named ads, as in the XML sample below. |

Three of these settings keep administrators working when the HWTACACS server is unreachable at the cost of weaker enforcement or audit coverage: bypass authentication, the online policy for accounting-start failures, and the local fallback for command line authorization. Confirm each one matches your security policy before merging the request into the running configuration.
Sample request

```xml
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-aaa:aaa xmlns:hw-aaa="urn:huawei:params:xml:ns:yang:huawei-aaa">
        <hw-aaa:authentication-scheme>
          <hw-aaa:name>authen1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authentication-mode>hwtacacs</hw-aaa:authentication-mode>
        </hw-aaa:authentication-scheme>
        <hw-aaa:authorization-scheme>
          <hw-aaa:name>author1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:authorization-mode>hwtacacs</hw-aaa:authorization-mode>
          <hw-aaa:authorization-cmd>
            <hw-aaa:authorization-cmd-item>
              <hw-aaa:privilege-level>15</hw-aaa:privilege-level>
              <hw-aaa:authorization-cmd-mode>local</hw-aaa:authorization-cmd-mode>
            </hw-aaa:authorization-cmd-item>
          </hw-aaa:authorization-cmd>
        </hw-aaa:authorization-scheme>
        <hw-aaa:accounting-scheme>
          <hw-aaa:name>acct1</hw-aaa:name>
          <hw-aaa:vsys>ads</hw-aaa:vsys>
          <hw-aaa:accounting-mode>hwtacacs</hw-aaa:accounting-mode>
          <hw-aaa:start-accounting-fail>
            <hw-aaa:fail-policy>online</hw-aaa:fail-policy>
          </hw-aaa:start-accounting-fail>
          <hw-aaa:realtime-accounting>
            <hw-aaa:realtime-interval>15</hw-aaa:realtime-interval>
            <hw-aaa:realtime-fail>
              <hw-aaa:fail-policy>offline</hw-aaa:fail-policy>
              <hw-aaa:fail-max-times>5</hw-aaa:fail-max-times>
            </hw-aaa:realtime-fail>
          </hw-aaa:realtime-accounting>
        </hw-aaa:accounting-scheme>
        <hw-aaa:global>
          <hw-aaa:authentication-bypass>
            <hw-aaa:bypass-enable>true</hw-aaa:bypass-enable>
            <hw-aaa:bypass-time>13</hw-aaa:bypass-time>
          </hw-aaa:authentication-bypass>
        </hw-aaa:global>
      </hw-aaa:aaa>
    </config>
  </edit-config>
</rpc>
```
Sample of successful response

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
```

Sample of failed response

The device rejects the request when a value is not acceptable; in the sample the authentication scheme name (authen1 repeated five times) is rejected with the message `invalid authen scheme name`, and error-info names the node at fault. A client should treat any reply other than `<ok/>` as a failure and record error-message and error-info instead of assuming the configuration was applied.

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>invalid authen scheme name</error-message>
    <error-info>Error on node /huawei-aaa:aaa/authentication-scheme[name="authen1authen1authen1authen1authen1",vsys="ads"]/name</error-info>
  </rpc-error>
</rpc-reply>
```
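The following Python script is an added example, not code from the page or from Huawei: it builds the same edit-config merge request from a settings dictionary, flags the settings that relax enforcement when the HWTACACS server is unreachable, and classifies an `<rpc-reply>` as success or failure. It uses only the standard library; the two replies embedded at the bottom are copied from the page's samples so the script runs offline. The dictionary keys, the helper names and the lint rules are this example's own assumptions, and transporting the RPC over SSH (for example with ncclient) is left out.

```python
"""Build, lint and verify a huawei-aaa edit-config merge (added example)."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW = "urn:huawei:params:xml:ns:yang:huawei-aaa"
ET.register_namespace("", NC)          # serialize base namespace as default
ET.register_namespace("hw-aaa", HW)    # keep the page's hw-aaa prefix

# Values from the page's table; vsys "ads" comes from the page's XML sample.
# The key names are this example's assumption, not a Huawei schema.
PAGE_SETTINGS = {
    "authen_name": "authen1", "authen_mode": "hwtacacs",
    "author_name": "author1", "author_mode": "hwtacacs",
    "cmd_level": 15, "cmd_backup_mode": "local",
    "acct_name": "acct1", "acct_mode": "hwtacacs",
    "start_fail_policy": "online", "realtime_interval": 15,
    "realtime_fail_policy": "offline", "realtime_fail_max": 5,
    "bypass_enable": True, "bypass_time": 13,
}


def _hw(tag):
    return f"{{{HW}}}{tag}"


def _leaf(parent, tag, text):
    ET.SubElement(parent, _hw(tag)).text = str(text)


def build_edit_config(message_id, vsys, s):
    """Return the edit-config merge RPC for the three schemes as an XML string."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
    aaa = ET.SubElement(ET.SubElement(edit, f"{{{NC}}}config"), _hw("aaa"))

    authen = ET.SubElement(aaa, _hw("authentication-scheme"))
    for tag, val in (("name", s["authen_name"]), ("vsys", vsys),
                     ("authentication-mode", s["authen_mode"])):
        _leaf(authen, tag, val)

    author = ET.SubElement(aaa, _hw("authorization-scheme"))
    for tag, val in (("name", s["author_name"]), ("vsys", vsys),
                     ("authorization-mode", s["author_mode"])):
        _leaf(author, tag, val)
    item = ET.SubElement(ET.SubElement(author, _hw("authorization-cmd")),
                         _hw("authorization-cmd-item"))
    _leaf(item, "privilege-level", s["cmd_level"])
    _leaf(item, "authorization-cmd-mode", s["cmd_backup_mode"])

    acct = ET.SubElement(aaa, _hw("accounting-scheme"))
    for tag, val in (("name", s["acct_name"]), ("vsys", vsys),
                     ("accounting-mode", s["acct_mode"])):
        _leaf(acct, tag, val)
    _leaf(ET.SubElement(acct, _hw("start-accounting-fail")), "fail-policy",
          s["start_fail_policy"])
    rt = ET.SubElement(acct, _hw("realtime-accounting"))
    _leaf(rt, "realtime-interval", s["realtime_interval"])
    rf = ET.SubElement(rt, _hw("realtime-fail"))
    _leaf(rf, "fail-policy", s["realtime_fail_policy"])
    _leaf(rf, "fail-max-times", s["realtime_fail_max"])

    byp = ET.SubElement(ET.SubElement(aaa, _hw("global")), _hw("authentication-bypass"))
    _leaf(byp, "bypass-enable", "true" if s["bypass_enable"] else "false")
    _leaf(byp, "bypass-time", s["bypass_time"])
    return ET.tostring(rpc, encoding="unicode")


def scheme_names(rpc_xml):
    """Names of the authentication/authorization/accounting schemes, in document order."""
    kinds = (_hw("authentication-scheme"), _hw("authorization-scheme"), _hw("accounting-scheme"))
    return [el.findtext(_hw("name")) for el in ET.fromstring(rpc_xml).iter() if el.tag in kinds]


def lint_settings(s):
    """Settings that keep users working while the HWTACACS server is unreachable,
    at the cost of enforcement or audit coverage; each deserves a policy review."""
    findings = []
    if s["bypass_enable"]:
        findings.append(f"authentication bypass enabled for {s['bypass_time']} min")
    if s["start_fail_policy"] == "online":
        findings.append("users go online even when accounting-start fails")
    if s["cmd_backup_mode"] == "local":
        findings.append(f"level-{s['cmd_level']} command authorization falls back to local")
    return findings


def parse_rpc_reply(reply_xml):
    """Classify an <rpc-reply>: {'ok': True, ...} or the rpc-error fields."""
    root = ET.fromstring(reply_xml)
    if root.find(f"{{{NC}}}ok") is not None:
        return {"ok": True, "message_id": root.get("message-id")}
    err = root.find(f"{{{NC}}}rpc-error")
    if err is None:
        raise ValueError("reply carries neither <ok/> nor <rpc-error>")
    return {"ok": False, "message_id": root.get("message-id"),
            "app_tag": err.findtext(f"{{{NC}}}error-app-tag"),
            "message": err.findtext(f"{{{NC}}}error-message"),
            "info": err.findtext(f"{{{NC}}}error-info")}


# Replies copied from the page's two samples, embedded for offline use.
OK_REPLY = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
            'message-id="123"><ok/></rpc-reply>')
ERR_REPLY = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">'
             '<rpc-error><error-app-tag>-1</error-app-tag>'
             '<error-message>invalid authen scheme name</error-message>'
             '<error-info>Error on node /huawei-aaa:aaa/authentication-scheme'
             '[name="authen1authen1authen1authen1authen1",vsys="ads"]/name</error-info>'
             '</rpc-error></rpc-reply>')

if __name__ == "__main__":
    request = build_edit_config(123, "ads", PAGE_SETTINGS)
    print(request)
    for finding in lint_settings(PAGE_SETTINGS):
        print("REVIEW:", finding)
    print(parse_rpc_reply(OK_REPLY))
    print(parse_rpc_reply(ERR_REPLY))
```

Run it as a script to print the generated request, the three review findings for the page's settings, and the parsed success and failure replies. In an automation pipeline, `lint_settings` belongs before the request is sent and `parse_rpc_reply` after, so that a non-`<ok/>` reply aborts the change instead of being mistaken for success.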