
Applying an AAA Scheme, a RADIUS Server Template, and Authorization Information to a Domain

Context

AAA schemes, server templates, and authorization information are managed in a domain. A user is subject only to the AAA configuration of the domain to which the user belongs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    By default, the default and default_admin domains are available on the device. The default domain is used by common access users and the default_admin domain is used by administrators.

  4. Run authentication-scheme scheme-name

    An authentication scheme is applied to the domain.

    By default, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named radius is applied to the default domain and other domains.

  5. Run accounting-scheme accounting-scheme-name

    An accounting scheme is applied to the domain.

    By default, the default accounting scheme is applied to a domain. In the default accounting scheme, non-accounting is used and the real-time accounting function is disabled.

  6. Run radius-server template-name

    A RADIUS server template is applied to the domain.

    By default, no RADIUS server template is applied to the default_admin domain, and the RADIUS server template named default is applied to the default domain and other domains.

  7. (Optional) Run accounting-copy radius-server template-name

    The RADIUS accounting packet copy function is enabled, and a RADIUS server template for level-2 accounting is configured.

    By default, the RADIUS accounting packet copy function is disabled.

    • Ensure that the IP address of the configured level-2 RADIUS accounting server is different from that of the level-1 RADIUS accounting server (including the active/standby RADIUS accounting server).

    • Ensure that the level-2 RADIUS accounting server template configured in the domain is different from the RADIUS server template used for authentication and accounting in the domain. If they are the same, the accounting-copy radius-server command cannot be configured and the system displays an error message when the command is run.

  8. (Optional) Configure authorization information in the domain.

    Only the NAC common mode supports authorization by a user group.

    • Run user-group group-name

      A user group is applied to the domain. That is, the device will deliver authorization information of the user group to users in the domain.

      By default, no user group is applied to a domain.

    • Run service-scheme service-scheme-name

      A service scheme is applied to the domain. That is, the device will deliver authorization information in the service scheme to users in the domain.

      By default, no service scheme is applied to a domain.

Verifying the Configuration

Run the display domain [ name domain-name ] command to check the domain configuration.
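
The two notes under step 7 can also be checked offline before a change is pushed to the device. The following is an added example, not Huawei code: it parses a staged list of domain commands and reports domains whose level-2 accounting template matches the effective RADIUS server template (including the documented default) or shares a server IP address with it. The flat config layout, the domain and template names, and the template-to-address map are assumptions constructed for illustration.

```python
# Added example; the config layout, names and addresses below are constructed.

SAMPLE_CONFIG = """\
domain corp
 accounting-scheme acct1
 radius-server tpl_main
 accounting-copy radius-server tpl_copy
domain guest
 accounting-copy radius-server default
domain lab
 radius-server tpl_main
 accounting-copy radius-server tpl_dup
"""

# Hypothetical map: template name -> accounting server IPs (active and standby).
ACCT_SERVERS = {
    "tpl_main": {"192.0.2.10", "192.0.2.11"},
    "tpl_copy": {"192.0.2.20"},
    "tpl_dup": {"192.0.2.11"},
    "default": {"192.0.2.30"},
}

def parse_domains(text):
    """Return {domain: {command: value}} for the commands named in the procedure."""
    domains, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if len(words) >= 2 and words[0] == "domain":
            current = domains.setdefault(words[1], {})
        elif current is None:
            continue
        elif words[:2] == ["accounting-copy", "radius-server"] and len(words) == 3:
            current["accounting-copy"] = words[2]
        elif len(words) == 2:
            current[words[0]] = words[1]
    return domains

def check(domains, servers):
    """Return (domain, finding) pairs for violations of the two step 7 notes."""
    findings = []
    for name, cfg in domains.items():
        copy = cfg.get("accounting-copy")
        # Documented default: template "default" unless the domain is default_admin.
        main = cfg.get("radius-server", None if name == "default_admin" else "default")
        if copy is None or main is None:
            continue
        if copy == main:
            findings.append((name, "same-template"))
        elif servers.get(copy, set()) & servers.get(main, set()):
            findings.append((name, "shared-server-ip"))
    return findings
```

With the constructed sample, check(parse_domains(SAMPLE_CONFIG), ACCT_SERVERS) reports guest as same-template, because the domain inherits the template named default, and lab as shared-server-ip.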

Copyright © Huawei Technologies Co., Ltd.