
If Both RADIUS Authentication and Local Authentication Are Configured, When Does the Device Perform Local Authentication?

If multiple authentication modes are configured, the device tries them in the order in which they were configured. The device uses a later-configured authentication mode only when the earlier-configured mode does not respond. However, if the user fails authentication, the device does not try any other authentication mode.

For example, if both RADIUS authentication and local authentication are configured in an authentication scheme using the authentication-mode radius local command, with RADIUS authentication configured first, the device performs local authentication only when the connection with the RADIUS server times out. When local authentication is used, users can log in to the device only if local authentication is correctly configured on the device. For example, the device must be configured with the correct user name and password, access type, and authentication mode. The following example shows the configuration of local authentication for Telnet login.

<HUAWEI> system-view
[HUAWEI] telnet server enable  //Enable the Telnet service.
[HUAWEI] user-interface maximum-vty 15  //Set the maximum number of VTY login users to 15.
[HUAWEI] user-interface vty 0 14  //Enter the view of VTY user interfaces 0 to 14.
[HUAWEI-ui-vty0-14] authentication-mode aaa  //Set the VTY authentication mode to AAA.
[HUAWEI-ui-vty0-14] protocol inbound telnet  //Configure the VTY user interface to support Telnet. By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later versions support SSH.
[HUAWEI-ui-vty0-14] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user user1 password irreversible-cipher Huawei@1234  //Create the local user user1 and set the password. The password is displayed in cipher text in the configuration file, so remember the password. If you forget the password, run this command again to overwrite the old configuration.
[HUAWEI-aaa] local-user user1 service-type telnet  //Set the access type of user1 to Telnet. This user can only log in to the device through Telnet.
[HUAWEI-aaa] local-user user1 privilege level 15  //Set the user level of user1 to 15. After login, the user can run the commands at level 0-15.
[HUAWEI-aaa] quit

This rule also applies to HWTACACS authentication and local authentication. That is, the device performs local authentication only when the connection with the HWTACACS server times out.
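
The fallback rule described above, modelled in Python as an added example; it is not Huawei's code and not part of the original page. The user table, the `make_radius` stand-in, and all function names are constructed for illustration, and the PBKDF2 hashing is an assumption, not the device's irreversible-cipher algorithm.

```python
import hashlib
import hmac
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"  # e.g. the connection to the server timed out

def _hash(password):
    # Assumed hashing for this model only; not the device's irreversible-cipher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)

# Constructed local user table mirroring the page's user1 (Telnet access only).
LOCAL_USERS = {"user1": {"hash": _hash("Huawei@1234"), "service_types": {"telnet"}}}

def local_auth(user, password, access_type):
    """Local check: user name, password and access type must all match."""
    entry = LOCAL_USERS.get(user)
    if entry is None or access_type not in entry["service_types"]:
        return Result.REJECT
    ok = hmac.compare_digest(entry["hash"], _hash(password))
    return Result.ACCEPT if ok else Result.REJECT

def make_radius(reachable, accepts):
    """Hypothetical stand-in for a RADIUS server: silent, or accept/reject."""
    def radius_auth(user, password, access_type):
        if not reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if accepts else Result.REJECT
    return radius_auth

def authenticate(modes, user, password, access_type):
    """Try modes in configured order; only NO_RESPONSE moves to the next one."""
    for name, check in modes:
        result = check(user, password, access_type)
        if result is not Result.NO_RESPONSE:
            return name, result  # an accept or an explicit reject is final
    return None, Result.REJECT  # no configured mode responded

def scheme(reachable, accepts):
    """Model of 'authentication-mode radius local': RADIUS first, then local."""
    return [("radius", make_radius(reachable, accepts)), ("local", local_auth)]
```

A reachable RADIUS server that rejects the user ends the attempt even when the same credentials exist locally; only a non-responding server hands the decision to the local user table.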

Copyright © Huawei Technologies Co., Ltd.