authorization-mode

Function

The authorization-mode command sets the authorization mode of an authorization scheme.

The default authorization mode is local authorization.

Format

authorization-mode authorization-mode1 [ authorization-mode2 [ authorization-mode3 [ authorization-mode4 ] ] ]

Parameters

Parameter Description Value
authorization-mode1

Specifies the authorization mode of an authorization scheme.

The value is an enumerated type and can be:

  • local: Indicates the local authorization mode.
  • hwtacacs: Indicates the HWTACACS authorization mode.
  • if-authenticated: Indicates the if-authenticated mode. In this mode, if the user passes authentication in a mode, the user is allowed to pass the authorization. Otherwise, the user fails the authorization.
  • none: Indicates that the user passes authorization directly.
authorization-mode2

Specifies the authorization mode of an authorization scheme.

The value is an enumerated type and can be:

  • local:Indicates the local authorization mode.
  • hwtacacs:Indicates the HWTACACS authorization mode.
  • if-authenticated:Indicates the if-authenticated mode. In this mode, if the user passes authentication in a mode, the user is allowed to pass the authorization. Otherwise, the user fails the authorization.
  • none:Indicates that the user passes authorization directly.
authorization-mode3

Specifies the authorization mode of an authorization scheme.

The value is an enumerated type and can be:

  • local: Indicates the local authorization mode.
  • hwtacacs: Indicates the HWTACACS authorization mode.
  • if-authenticated: Indicates the if-authenticated mode. In this mode, if the user passes authentication in a mode, the user is allowed to pass the authorization. Otherwise, the user fails the authorization.
  • none: Indicates that the user passes authorization directly.
authorization-mode4

Specifies the authorization mode of an authorization scheme.

The value is an enumerated type and can be:

  • local:Indicates the local authorization mode.
  • hwtacacs:Indicates the HWTACACS authorization mode.
  • if-authenticated:Indicates the if-authenticated mode. In this mode, if the user passes authentication in a mode, the user is allowed to pass the authorization. Otherwise, the user fails the authorization.
  • none:Indicates that the user passes authorization directly.

Views

Authorization scheme view

Default Level

3: Management level

Task Name and Operations

Task Name Operations
aaa write

Usage Guidelines

Usage Scenario

AAA supports four authorization modes: local authorization, non-authorization, if-authenticated authorization, and HWTACACS authorization. In addition, AAA allows combination of these modes. When a combination of authorization modes is adopted, the authorization modes included in the combination are used in sequence.

When a combination of authorization modes includes the non-authorization mode, the non-authorization mode must be used last.

An authorization mode needs to be set in the authorization scheme view. When an authorization scheme is created, by default, the local authorization mode is used.

Prerequisites

Before using this command, you must create an authorization scheme and enter the authorization scheme view.

Configuration Impact

If several authorization modes are set for an authorization scheme, they take effect in the sequence of configuration. The next authorization mode is attempted only when the current authorization mode does not respond. If the user fails the authorization in a certain mode, the authorization of the next mode is not performed. If the current authorization mode does not respond, the system goes to the next authorization mode. If the current authorization fails or succeeds, the system does not go to next authorization mode.

Precautions

If you need to use the HWTACACS authorization mode, you must configure the HWTACACS server template and apply the server template in the view of the domain to which the user belongs.

If the if-authenticated mode is used and the authentication scheme is not none, a user is authorized the VTY user permission after being authenticated. Therefore, the if-authenticated mode is not recommended.

Example

# Set the authorization mode of the authorization scheme named scheme 1 to local authorization.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authorization-scheme scheme1
[*HUAWEI-aaa-author-scheme1] authorization-mode local
# Set the authorization modes of the authorization scheme named scheme 2 to if-authenticated, local, and HWTACACS in sequence and allow the user to pass the authorization if none of these authorization modes gives a response.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authorization-scheme scheme2
[*HUAWEI-aaa-author-scheme2] authorization-mode if-authenticated local hwtacacs none
Parent Topic: AAA and User Management Configuration Commands (Administrative User)
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >