The match access-context-profile action access-domain command configures the authentication domain of access users based on a matched user context profile.
The undo match access-context-profile action access-domain command deletes this configuration.
By default, no authentication domain is configured for access users based on a user context profile.
match access-context-profile profile-name action access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]
undo match access-context-profile profile-name action access-domain [ dot1x | mac-authen | portal ] * [ force ]
Parameter | Description | Value
---|---|---
profile-name | Specifies the name of the user context profile to match. | The value must be the name of an existing user context profile.
domain-name | Specifies the domain name. | The value must be the name of an existing domain on the device.
dot1x | Specifies a default or forcible domain for 802.1X authentication users. | -
mac-authen | Specifies a default or forcible domain for MAC address authentication users. | -
portal | Specifies a default or forcible domain for Portal authentication users. | -
force | Specifies the configured domain as a forcible domain. If this parameter is not specified, the configured domain is a default domain. | -
Usage Scenario
In some enterprise networks, the network is divided into multiple areas (VLANs) with different security levels, and the administrator assigns different network access rights to access users in different areas. Because the device manages users through domains, the authentication domain of access users can be configured based on the user context profile: each context profile matches an access VLAN, so users in different areas are placed into different authentication domains and receive the access rights of that domain.
Prerequisites
A domain has been configured using the domain command in the AAA view.
A user context profile has been configured using the access-context profile name profile-name command in the system view.
Precautions
A user's authentication domain can come from several places: a forcible domain, the domain carried in the user name (for example user@domain), or a default domain, each configurable in different views. When several apply, the device selects one in the following order, from highest priority to lowest:
1. Forcible domain with a specified authentication mode in an authentication profile
2. Forcible domain in an authentication profile
3. Forcible domain with a specified authentication mode based on a user context profile
4. Forcible domain based on a user context profile
5. Domain carried in the user name
6. Default domain with a specified authentication mode in an authentication profile
7. Default domain in an authentication profile
8. Default domain with a specified authentication mode based on a user context profile
9. Default domain based on a user context profile
10. Global default domain
Note the position of the domain carried in the user name: a forcible domain (force) overrides it, so a user cannot move into another domain by appending a domain to the user name, whereas a default domain (no force) is used only when the user name carries no domain.
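The following Python resolver is an added illustration of the precedence list above; it is not device code and not part of this command reference. It models the domain sources for a user whose access VLAN already matched a user context profile, parses the domain carried in the user name (assuming the default "@" delimiter, user@domain), and returns the selected domain together with the reason it was chosen, so the effect of force versus a default domain can be checked directly.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed model of the domain sources the page lists. All names and
# fields are assumptions for this example; they are not device CLI objects.
# Per-mode dicts are keyed by authentication mode: "dot1x", "mac-authen", "portal".
@dataclass
class DomainSources:
    # Forcible domains (configured with the force keyword)
    authen_profile_force_by_mode: dict = field(default_factory=dict)
    authen_profile_force: Optional[str] = None
    context_profile_force_by_mode: dict = field(default_factory=dict)
    context_profile_force: Optional[str] = None
    # Default domains (configured without force)
    authen_profile_default_by_mode: dict = field(default_factory=dict)
    authen_profile_default: Optional[str] = None
    context_profile_default_by_mode: dict = field(default_factory=dict)
    context_profile_default: Optional[str] = None
    # The device always has a global default domain
    global_default: str = "default"


def domain_in_username(username: str) -> Optional[str]:
    """Return the domain carried in user@domain, or None if there is none.
    Assumes the "@" delimiter; the text after the last "@" is the domain."""
    user, sep, domain = username.rpartition("@")
    if sep and user and domain:
        return domain
    return None


def resolve_domain(src: DomainSources, username: str, auth_mode: str) -> Tuple[str, str]:
    """Select the authentication domain in the documented priority order.
    Returns (domain, reason); the first configured candidate wins."""
    candidates = [
        ("forcible domain with authentication mode in authentication profile",
         src.authen_profile_force_by_mode.get(auth_mode)),
        ("forcible domain in authentication profile", src.authen_profile_force),
        ("forcible domain with authentication mode based on user context profile",
         src.context_profile_force_by_mode.get(auth_mode)),
        ("forcible domain based on user context profile", src.context_profile_force),
        ("domain carried in user name", domain_in_username(username)),
        ("default domain with authentication mode in authentication profile",
         src.authen_profile_default_by_mode.get(auth_mode)),
        ("default domain in authentication profile", src.authen_profile_default),
        ("default domain with authentication mode based on user context profile",
         src.context_profile_default_by_mode.get(auth_mode)),
        ("default domain based on user context profile", src.context_profile_default),
        ("global default domain", src.global_default),
    ]
    for reason, domain in candidates:
        if domain:
            return domain, reason
    raise RuntimeError("unreachable: global default domain is always set")


if __name__ == "__main__":
    # Constructed scenario matching the configuration example on this page:
    # context profile p1 configured with forcible domain "huawei".
    forced = DomainSources(context_profile_force="huawei")
    # The same profile configured without force (default domain "huawei").
    defaulted = DomainSources(context_profile_default="huawei")
    for label, src in (("force", forced), ("default", defaulted)):
        for user in ("alice", "alice@guest"):
            dom, why = resolve_domain(src, user, "dot1x")
            print(f"{label:7} {user:12} -> {dom:8} ({why})")
```

With force set, both alice and alice@guest land in huawei; without force, alice@guest is placed in guest because the domain in the user name outranks a default domain, which is the behaviour the priority list describes.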
Example
In the user authentication event authorization policy view (access-author policy view), configure the forcible domain huawei for users matching the user context profile p1.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] access-context profile name p1
[HUAWEI-access-context-p1] quit
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] match access-context-profile p1 action access-domain huawei force