
Configuring an AAA Scheme

Context

If HACA authentication and authorization are used, set the authentication mode in the authentication scheme to HACA and the accounting mode in an accounting scheme to HACA.

If non-authentication is configured using the authentication-mode command, users can pass authentication with any user name or password. To protect the device and improve network security, you are advised to enable authentication so that only authenticated users can access the device or network.

Procedure

  • Configure an authentication scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run authentication-scheme scheme-name

      An authentication scheme is created and its view is displayed, or the view of an existing authentication scheme is displayed.

      By default, two authentication schemes named default and radius are available on the device. The two authentication schemes can be modified but not deleted.

    4. Run authentication-mode haca

      The authentication method is set to HACA.

      By default, local authentication is used. The names of local users are case-insensitive.

      To use local authentication as the backup authentication mode, run the authentication-mode haca { local | local-case } command.

      If multiple authentication modes are configured in an authentication scheme, the authentication modes are used according to the sequence in which they were configured. The device uses the authentication mode that was configured later only when it does not receive any response from the current authentication. The device stops the authentication if the current authentication fails.

    5. (Optional) Run undo server no-response accounting

      The device is configured not to send accounting packets when the server does not respond to a user's authentication request and the user is then authenticated in local authentication mode.

      By default, when the accounting function is configured, the device does not send accounting packets when the server does not respond to a user's authentication request and the user is then authenticated in local authentication mode.

    6. Run quit

      Return to the AAA view.

    7. (Optional) Configure the account locking function.

      1. Run the access-user remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command to enable the account locking function for access users who fail remote authentication.

        Or: run the administrator remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command to enable the account locking function for administrators who fail remote authentication.

        By default, the account locking function is disabled for access users who fail remote authentication, and the account locking function is enabled for administrators who fail remote authentication. The authentication retry interval is 5 minutes, the maximum number of consecutive authentication failures is 30, and the account locking period is 5 minutes.

      2. Run aaa-quiet administrator except-list { ipv4-address | ipv6-address } &<1-32>

        A user whose account is locked is allowed to access the network from the specified IP addresses.

        By default, a user cannot access the network if the user account is locked.

        You can run the display aaa-quiet administrator except-list command to query the specified IP addresses.

      3. Run remote-user authen-fail unblock { all | username username }

        A remote AAA authentication account that has failed authentication is unlocked.

    8. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

      The direction in which the domain name is parsed is configured.

      By default, the domain name is parsed from left to right.

    9. (Optional) Run aaa-author session-timeout invalid-value enable

      The device will not disconnect or reauthenticate users when the RADIUS server delivers a session-timeout attribute with the value 0.

      By default, the device disconnects or reauthenticates users when the RADIUS server delivers a session-timeout attribute with the value 0.

    10. Run quit

      Return to the system view.

  • Configure an accounting scheme.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run accounting-scheme accounting-scheme-name

      An accounting scheme is created and its view is displayed, or the view of an existing accounting scheme is displayed.

      There is a default accounting scheme named default on the device. This default accounting scheme can be modified but not deleted.

    4. Run accounting-mode haca

      The accounting mode in the accounting scheme is set to HACA.

      By default, the accounting mode is none.

    5. (Optional) Run accounting start-fail { offline | online }

      A policy for accounting-start failures is configured.

      By default, users cannot go online if accounting-start fails.

    6. (Optional) Run accounting realtime interval

      Real-time accounting is enabled and the interval for real-time accounting is set.

      By default, the device performs accounting based on user online duration and the real-time accounting function is disabled.

    7. (Optional) Run accounting interim-fail [ max-times times ] { offline | online }

      The maximum number of real-time accounting failures is set, together with the policy applied once the number of real-time accounting failures exceeds that maximum.

      By default, the maximum number of real-time accounting failures is 3 and the device keeps users online after the number of real-time accounting failures exceeds the maximum.
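As an added example that is not part of the Huawei documentation, the following Python auditor parses an AAA view in the shape the two procedures above produce and flags the settings and defaults this page warns about: authentication-mode none, HACA without a local backup mode, accounting-mode none, an accounting start-fail online policy, and access-user account locking left at its disabled default. The sample configuration, the scheme names, the indentation-based parsing and the wording of the findings are all assumptions made here.

```python
import re
# Constructed sample contents of the AAA view (not captured from a real device):
# a weak scheme of each kind beside a hardened one, in the page's command syntax.
SAMPLE_AAA_CONFIG = """\
 authentication-scheme weak
  authentication-mode none
 authentication-scheme haca-backup
  authentication-mode haca local
 accounting-scheme weak-acct
  accounting-mode none
  accounting start-fail online
 accounting-scheme haca-acct
  accounting-mode haca
 administrator remote authen-fail retry-interval 5 retry-time 30 block-time 5
"""

def parse_aaa_view(config):
    """Split the AAA view into per-scheme command lists plus AAA-view-level commands."""
    view = {"authentication": {}, "accounting": {}, "global": []}
    current = None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        header = re.match(r"(authentication|accounting)-scheme (\S+)$", line)
        if header:  # a scheme view begins; its own commands are indented one level deeper
            current = view[header.group(1)].setdefault(header.group(2), [])
        elif current is not None and indent >= 2:
            current.append(line)
        else:  # back at AAA-view level, e.g. the account locking commands
            current = None
            view["global"].append(line)
    return view

def audit_aaa(config):
    """Flag the weak settings and defaults the page warns about, one finding per issue."""
    view, findings = parse_aaa_view(config), []
    for name, cmds in view["authentication"].items():
        # last authentication-mode line wins; the page says local is the default
        mode = ([c.split()[1:] for c in cmds if c.startswith("authentication-mode")] or [["local"]])[-1]
        if "none" in mode:
            findings.append(f"authentication-scheme {name}: mode none accepts any user name/password")
        elif mode[0] == "haca" and not {"local", "local-case"} & set(mode[1:]):
            findings.append(f"authentication-scheme {name}: HACA without local backup, no fallback if the server does not respond")
    for name, cmds in view["accounting"].items():
        mode = next((c.split()[1] for c in cmds if c.startswith("accounting-mode ")), "none")
        if mode == "none":  # page: accounting-mode none is the default
            findings.append(f"accounting-scheme {name}: accounting-mode none records no sessions")
        if "accounting start-fail online" in cmds:  # page default is offline
            findings.append(f"accounting-scheme {name}: users go online although accounting-start failed")
    if not any(c.startswith("access-user remote authen-fail") for c in view["global"]):
        findings.append("access-user account locking after remote authentication failures is disabled (page default)")
    return findings
```

Running audit_aaa(SAMPLE_AAA_CONFIG) reports four findings, all against the weak schemes and the missing access-user locking; the haca-backup and haca-acct schemes are reported clean.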

Copyright © Huawei Technologies Co., Ltd.