
Applying AAA Schemes to a Domain

Context

The authentication and authorization schemes you have created take effect only after they are applied to a domain. When local authentication and authorization are used, the default accounting scheme, non-accounting, is used.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    The device has two default domains:
    • default: Used by common access users
    • default_admin: Used by administrators

    • If a user enters a user name that does not contain a domain name, the user is authenticated in the default domain. In this case, you need to run the domain domain-name [ admin ] command and set domain-name to configure a global default domain on the device.
    • If a user enters a user name that contains a domain name during authentication, the user must enter the correct value of domain-name.

  4. Apply AAA schemes to the domain.

    Procedure: Apply an authentication scheme to the domain.
    Command: authentication-scheme authentication-scheme-name
    Description: By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named default is applied to other domains.

    Procedure: Apply an authorization scheme to the domain.
    Command: authorization-scheme authorization-scheme-name
    Description: By default, no authorization scheme is applied to a domain.

  5. Configure local authorization rules.

    Procedure: (Optional) Apply a user group to the domain.
    Command: user-group group-name
    Description: By default, no user group is applied to a domain.
    NOTE: This command is supported only in NAC common mode.

    Procedure: (Optional) Apply a service scheme to the domain.
    Command: service-scheme service-scheme-name
    Description: By default, no service scheme is applied to a domain.

  6. (Optional) Specify the domain state and enable traffic statistics collection for the domain.

    Procedure: Specify the domain state.
    Command: state { active | block [ time-range time-name &<1-4> ] }
    Description: When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

  7. (Optional) Configure the traffic statistics collection function.
    1. Run statistic enable

      The traffic statistics collection function is enabled for domain users.

      By default, the traffic statistics collection is disabled for domain users.

    2. Run accounting dual-stack separate

      The function of collecting statistics on IPv4 and IPv6 traffic separately is enabled.

      By default, statistics on IPv4 and IPv6 traffic are collected together.

  8. (Optional) Configure a domain name parsing scheme.

    If domain name parsing is configured in both the AAA view and the authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.

    AAA view

    Procedure: Exit from the domain view.
    Command: quit
    Description: -

    Procedure: Specify the domain name parsing direction.
    Command: domainname-parse-direction { left-to-right | right-to-left }
    Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name is parsed from left to right.

    Procedure: Set the domain name delimiter.
    Command: domain-name-delimiter delimiter
    Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

    Procedure: Specify the domain name location.
    Command: domain-location { after-delimiter | before-delimiter }
    Description: The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

    Procedure: Set the security string delimiter.
    Command: security-name-delimiter delimiter
    Description: By default, the security string delimiter is * (asterisk).

    Authentication profile view

    Procedure: Exit from the AAA view.
    Command: quit
    Description: -

    Procedure: Create an authentication profile and enter the authentication profile view.
    Command: authentication-profile name authentication-profile-name
    Description: By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    Procedure: Specify the domain name parsing direction.
    Command: domainname-parse-direction { left-to-right | right-to-left }
    Description: The domain name can be parsed from left to right, or from right to left. By default, the domain name parsing direction is not specified.

    Procedure: Set the domain name delimiter.
    Command: domain-name-delimiter delimiter
    Description: A domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, no domain name delimiter is set.

    Procedure: Specify the domain name location.
    Command: domain-location { after-delimiter | before-delimiter }
    Description: By default, the domain name location is not specified.

    Procedure: Set the security string delimiter.
    Command: security-name-delimiter delimiter
    Description: By default, no security string delimiter is set.
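The following Python model is an added illustration, not Huawei's code or the device's implementation. It applies the parsing settings of step 8 (direction, delimiter, location, security string delimiter, and the authentication-profile override for wireless users) together with the default-domain fallback of step 3 to constructed login names, so you can see which user and domain the device would look up for a given name. Three points are assumptions rather than statements from the page: the authentication profile overrides the AAA view field by field (only the fields it actually sets), the text after the security string delimiter is removed before the domain is parsed, and an empty domain part falls back to the default domain.

```python
"""Model of how a login name is split into user and domain under the
domain-name parsing settings of step 8 (added example, not Huawei code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Characters the page lists as valid for domain-name-delimiter.
ALLOWED_DELIMITERS = frozenset("\\/:<>|@'%")


@dataclass(frozen=True)
class ParseSettings:
    """Domain-name parsing settings of one view. None means "not specified",
    which is the default state of every field in an authentication profile."""
    direction: Optional[str] = None           # domainname-parse-direction
    delimiter: Optional[str] = None           # domain-name-delimiter
    location: Optional[str] = None            # domain-location
    security_delimiter: Optional[str] = None  # security-name-delimiter


# Defaults of the AAA view as stated on the page.
AAA_VIEW_DEFAULTS = ParseSettings("left-to-right", "@", "after-delimiter", "*")


def effective_settings(aaa: ParseSettings,
                       profile: Optional[ParseSettings]) -> ParseSettings:
    """Merge the AAA view with an authentication profile (wireless users).
    Assumption: the profile wins field by field; fields it leaves
    unspecified fall back to the AAA view."""
    if profile is None:
        return aaa
    return ParseSettings(
        profile.direction or aaa.direction,
        profile.delimiter or aaa.delimiter,
        profile.location or aaa.location,
        profile.security_delimiter or aaa.security_delimiter,
    )


def parse_user_name(raw: str, cfg: ParseSettings,
                    default_domain: str = "default") -> Tuple[str, str, bool]:
    """Return (user, domain, used_default_domain) for a login name.

    A name without a delimiter is authenticated in the global default
    domain (step 3). Assumptions: the text after the security string
    delimiter is dropped before the domain is parsed, and an empty domain
    part also falls back to the default domain."""
    if cfg.delimiter not in ALLOWED_DELIMITERS:
        raise ValueError(f"invalid domain name delimiter: {cfg.delimiter!r}")
    if cfg.direction not in ("left-to-right", "right-to-left"):
        raise ValueError(f"invalid parse direction: {cfg.direction!r}")
    if cfg.location not in ("after-delimiter", "before-delimiter"):
        raise ValueError(f"invalid domain location: {cfg.location!r}")

    name = raw
    if cfg.security_delimiter and cfg.security_delimiter in name:
        name = name.split(cfg.security_delimiter, 1)[0]

    # The direction decides which occurrence of the delimiter is the split
    # point when the name contains more than one.
    pos = (name.find(cfg.delimiter) if cfg.direction == "left-to-right"
           else name.rfind(cfg.delimiter))
    if pos < 0:
        return name, default_domain, True

    left, right = name[:pos], name[pos + 1:]
    if cfg.location == "after-delimiter":
        user, domain = left, right
    else:
        user, domain = right, left
    if not domain:
        return user, default_domain, True
    return user, domain, False


if __name__ == "__main__":
    # Constructed sample login names.
    for s in ["alice@corp", "alice", "alice@hr@corp", "alice@corp*s3cret"]:
        print(s, "->", parse_user_name(s, AAA_VIEW_DEFAULTS))
    rtl = ParseSettings("right-to-left", "@", "after-delimiter", "*")
    print("alice@hr@corp (right-to-left) ->", parse_user_name("alice@hr@corp", rtl))
    wireless = effective_settings(AAA_VIEW_DEFAULTS, ParseSettings(delimiter="/"))
    print("alice/corp (profile delimiter /) ->", parse_user_name("alice/corp", wireless))
```

The name alice@hr@corp is the case worth checking on a real device before choosing a direction: left-to-right yields the domain hr@corp, right-to-left yields corp, and a user landing in the wrong domain gets that domain's authentication and authorization schemes rather than the intended ones.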

  9. (Optional) Specify a permitted domain for wireless users. (This step applies only to wireless users.)

    Procedure: Return to the system view.
    Command: quit
    Description: -

    Procedure: Create an authentication profile and enter the authentication profile view.
    Command: authentication-profile name authentication-profile-name
    Description: By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    Procedure: Specify a permitted domain for wireless users.
    Command: permit-domain name domain-name &<1-4>
    Description: By default, no permitted domain is specified for wireless users. After a permitted domain is specified in an authentication profile, only users in the permitted domain can be subject to authentication, authorization, and accounting.

Copyright © Huawei Technologies Co., Ltd.