Authentication Scheme
An authentication scheme is used to define methods for user authentication and the order in which authentication methods take effect. An authentication scheme is applied to a domain. It is combined with the authorization scheme, accounting scheme, and server template in the domain for user authentication, authorization, and accounting.
Authentication Methods Supported by a Device
- RADIUS authentication: User information is configured on the RADIUS server through which user authentication is performed.
- HWTACACS authentication: User information is configured on the HWTACACS server through which user authentication is performed.
- Local authentication: The device functions as an authentication server and user information is configured on the device. This mode features fast processing and low operation costs. However, the information storage capacity is subject to the device hardware.
- Non-authentication: Users are completely trusted without validity check. This mode is rarely used.
Order in Which Authentication Methods Take Effect
An authentication scheme enables you to designate one or more
authentication methods to be used for authentication, thus ensuring
a backup system for authentication in case the initial method does
not respond. An NAS uses the first method listed in the scheme to
authenticate users; if that method does not respond, the NAS selects
the next authentication method in the authentication scheme. This
process continues until there is successful communication with a listed
authentication method or the authentication method list is exhausted,
in which case authentication fails.
The NAS attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle — meaning that the AAA server responds by denying the user access — the authentication process stops and no other authentication methods are attempted.