authentication-mode (Authentication scheme view)

Function

The authentication-mode command sets the authentication mode of an authentication scheme.

The default authentication mode is radius authentication.

Format

authentication-mode { local | hwtacacs | radius } * [ none ]

authentication-mode radius-proxy

authentication-mode none

undo authentication-mode { local | hwtacacs | radius } * [ none ]

undo authentication-mode radius-proxy

undo authentication-mode none

Parameters

| Parameter | Description | Value |
|---|---|---|
| local | Authenticates users locally. If local is involved in the authentication method, you should configure a local user. | - |
| hwtacacs | Authenticates users through an HWTACACS server. | - |
| radius | Authenticates users through a RADIUS server. In VS mode, this parameter is supported only by the admin VS. | - |
| none | Allows users' access without authentication. If none authentication is configured for the administrator, the administrator cannot log in to the device. | - |
| radius-proxy | Authenticates users through a RADIUS proxy server. In VS mode, this parameter is supported only by the admin VS. | - |

Views

Authentication scheme view

Default Level

3: Management level

Task Name and Operations

| Task Name | Operations |
|---|---|
| aaa | write |

Usage Guidelines

In the process of upgrading user levels, if several authentication modes are used in an authentication scheme, these authentication modes take effect in the sequence of their configurations.

  • In the sequence of local authentication and then remote authentication:

    If a login account is locally unavailable, the authentication mode is changed from local authentication to remote authentication.

    If a login account is available both locally and on the remote server, the authentication mode is not changed to remote authentication when local authentication fails because of an incorrect password.

  • In the sequence of remote authentication and then local authentication:

    If a login account is available locally but unavailable on the remote server, the authentication mode is not changed from remote authentication to local authentication. Instead, it is considered that this account fails the authentication.

    The authentication mode is changed from remote authentication to local authentication only when the remote server goes down.

If the current authentication mode does not respond, the system goes to the next authentication mode. If the current authentication fails or succeeds, the system does not go to the next authentication mode.
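The fallback rules above, modelled as an added example (not Huawei code) so that a configured mode sequence can be checked against the outcome it produces. The Outcome names, evaluate() and the sample cases are hypothetical, and treating an exhausted mode list as a rejection is an assumption the page does not state.

```python
from enum import Enum

class Outcome(Enum):          # hypothetical names for what one mode can report
    ACCEPT = 1                # credentials verified
    REJECT = 2                # wrong password
    NO_ACCOUNT = 3            # account not present in this mode's user database
    NO_RESPONSE = 4           # remote server down or not answering

REMOTE = {"radius", "hwtacacs"}

def evaluate(modes, outcomes):
    """Walk modes in configured order; return (decision, deciding_mode)."""
    for mode in modes:
        if mode == "none":                # reached only if nothing before it decided
            return "accept", "none"       # access allowed without authentication
        result = outcomes[mode]
        if result is Outcome.ACCEPT:
            return "accept", mode
        if result is Outcome.REJECT:
            return "reject", mode         # a failure never falls through
        if result is Outcome.NO_ACCOUNT:
            if mode == "local":
                continue                  # unknown locally: try the next mode
            return "reject", mode         # unknown on the server: failure, no fallback
        if mode in REMOTE:
            continue                      # NO_RESPONSE from a remote server: next mode
        raise ValueError("local authentication cannot be unreachable")
    return "reject", None                 # assumption: exhausted list means denial

# Constructed cases: (configured modes, per-mode outcome for one login attempt)
CASES = [
    (["local", "radius"], {"local": Outcome.NO_ACCOUNT, "radius": Outcome.ACCEPT}),
    (["local", "radius"], {"local": Outcome.REJECT, "radius": Outcome.ACCEPT}),
    (["radius", "local"], {"radius": Outcome.NO_ACCOUNT, "local": Outcome.ACCEPT}),
    (["radius", "local"], {"radius": Outcome.NO_RESPONSE, "local": Outcome.ACCEPT}),
    (["radius", "local", "hwtacacs"],
     {"radius": Outcome.NO_RESPONSE, "local": Outcome.NO_ACCOUNT,
      "hwtacacs": Outcome.ACCEPT}),
    (["radius", "none"], {"radius": Outcome.NO_RESPONSE}),
]

if __name__ == "__main__":
    for modes, outcomes in CASES:
        print(" ".join(modes), "->", evaluate(modes, outcomes))
```

The last case applies two statements from this page together: none is reached only when radius does not respond, and it then allows access without authentication.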

Example

# Configure the authentication scheme named scheme1 to use local authentication.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme scheme1
[*HUAWEI-aaa-authen-scheme1] authentication-mode local

# Configure multiple authentication modes for the authentication scheme named scheme2. The authentication modes are in the sequence of RADIUS authentication, local authentication, and HWTACACS authentication.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme scheme2
[*HUAWEI-aaa-authen-scheme2] authentication-mode radius local hwtacacs
Copyright © Huawei Technologies Co., Ltd.