Why Do Users Fail Authentication When the Access Device and AAA Server Configurations Are Correct?
The access device manages users based on domains, and every user must belong to a domain. During user access authentication, the device sends the user information to the specified AAA server according to parameters configured in the user domain, such as the authentication mode and the authentication server IP address. When the domain name provided at login is different from the actual user domain, the user cannot pass authentication even if the access device and AAA server configurations are correct.
The domain of a user is determined by the user name provided for login. The rules are as follows:
- If the entered user name contains a domain name and the user name format is user-name@domain-name, the user domain is domain-name.
- If the entered user name does not contain a domain and the user name format is user-name, the user belongs to the default system domain. By default, the global default domain is default.
For example, the user name is test and the user belongs to the domain huawei. To ensure that the user can be authenticated in the domain huawei, perform the following operations:
- The user name entered in the client is test@huawei.
- Run the domain huawei command in the system view to configure the global default domain to huawei.
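
The domain-selection rule above can be checked offline against a list of login names before troubleshooting the device. The following Python sketch is an added example, not vendor code: the function names `resolve_domain` and `audit_logins` and the sample data are constructed for illustration, and login names in any format other than the two described above are rejected rather than guessed at.

```python
# Added example: models the domain-selection rule described above.
# resolve_domain / audit_logins and all sample data are hypothetical.

def resolve_domain(login, default_domain="default"):
    """Return (user, domain) that the rule above assigns to a login name."""
    if "@" not in login:
        # No domain in the name: the user lands in the global default domain.
        return login, default_domain
    user, _, domain = login.partition("@")
    if not user or not domain or "@" in domain:
        # Only user-name@domain-name is defined on this page; reject the rest.
        raise ValueError(f"unsupported login format: {login!r}")
    return user, domain


def audit_logins(logins, provisioned, default_domain="default"):
    """Compare the domain each login resolves to with the user's actual domain.

    provisioned maps user name -> the domain the user really belongs to.
    Returns a list of (login, resolved_domain, expected_domain, ok) tuples.
    """
    findings = []
    for login in logins:
        user, resolved = resolve_domain(login, default_domain)
        expected = provisioned.get(user)  # None if the user is unknown
        findings.append((login, resolved, expected, resolved == expected))
    return findings


if __name__ == "__main__":
    provisioned = {"test": "huawei"}  # constructed sample data
    for default in ("default", "huawei"):
        print(f"global default domain = {default}")
        rows = audit_logins(["test", "test@huawei"], provisioned, default)
        for login, got, want, ok in rows:
            status = "matches" if ok else "MISMATCH, authentication fails"
            print(f"  {login!r:14} -> {got!r} (expected {want!r}): {status}")
```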