The default-domain command configures a domain name as a default domain name.
The undo default-domain command deletes the configured default domain name.
By default, the name of the default domain is default_admin for administrators and is default1 for access users.
Parameter | Description | Value
---|---|---
admin default-admin-domain-name | Specifies the default domain name for administrators. The value must be the name of an existing domain. You can run the domain command to configure a domain. | The value is a string of 1 to 64 case-insensitive characters. The characters *, ?, ", ', -, and -- are not supported.
access default-access-domain-name | Specifies the default domain name for access users. The value must be the name of an existing domain. You can run the domain command to configure a domain. | The value is a string of 1 to 64 case-insensitive characters. The characters *, ?, ", ', -, and -- are not supported.
Usage Scenario
All management users who do not provide domain names when logging in to the device belong to the default global management domain. If the system administrator wants to use a manually created domain (for example, first_domain) for authentication, the user must add the domain name delimiter and domain name (for example, @first_domain) when entering the user name. This may cause inconvenience. To facilitate user authentication, run the default-domain admin command to set the domain named first_domain as the default global management domain. With this configuration, @first_domain is automatically suffixed to user names.
If local authentication is used, the authentication succeeds only when the account entered by the user is the same as the account configured using the local-user password command. Assume that the default management domain is default_admin.
Precautions
There is only one default global management domain.
Before deleting a default management domain using the undo domain command, you must run the undo default-domain command to delete the configured default domain name. Otherwise, the default domain will fail to be deleted.
Even if you run the default-domain command to configure a new default domain name, the system default domain cannot be deleted.
An HWTACACS template having the undo hwtacacs-server user-name domain-included configuration cannot be bound to the default admin domain or a domain having the adminuser-priority configuration (configuration restoration is not affected).
The default admin domain is a domain configured using the default-domain admin command. An admin domain is the default admin domain or a domain having the adminuser-priority configuration. By default, the default admin domain name is default_admin.
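The following Python model, added here as an illustration and not Huawei code, shows the two behaviours the Usage Scenario and Precautions describe: a login name without a delimiter is placed in the default domain, and the user-name mode of the bound HWTACACS template or RADIUS group decides what name the server sees. The parsing rule (`@` as delimiter, last `@` wins), the three mode labels and the sample logins are assumptions made for the example; `collisions()` reports which distinct accounts become indistinguishable on the wire, which is the risk behind the error message shown in the scenarios below.

```python
"""Model of login-name resolution and of the user name forwarded to an
AAA server under each user-name mode (added example, not device code)."""

DELIM = "@"  # assumed domain-name delimiter


def resolve(login, default_domain):
    """Split a typed login into (user, domain).

    A name without a delimiter falls into the default domain; this mirrors the
    "@first_domain is automatically suffixed" behaviour described above.
    """
    if DELIM in login:
        user, domain = login.rsplit(DELIM, 1)
        return user, domain
    return login, default_domain


def name_on_wire(login, default_domain, mode):
    """User name the device would send to the RADIUS/HWTACACS server.

    mode is one of (labels chosen for this example):
      'domain-included'  user@domain, the default
      'domain-excluded'  result of `undo ... user-name domain-included`
      'original'         the name exactly as the user typed it
    """
    user, domain = resolve(login, default_domain)
    if mode == "domain-included":
        return f"{user}{DELIM}{domain}"
    if mode == "domain-excluded":
        return user
    if mode == "original":
        return login
    raise ValueError(f"unknown user-name mode: {mode}")


def collisions(logins, default_domain, mode):
    """Return wire names that more than one distinct (user, domain) maps to.

    A collision means the server cannot tell the accounts apart; this is why
    binding a domain-excluded template to the admin domain is rejected.
    """
    seen = {}
    for login in logins:
        identity = resolve(login, default_domain)
        wire = name_on_wire(login, default_domain, mode)
        seen.setdefault(wire, set()).add(identity)
    return {wire: sorted(ids) for wire, ids in seen.items() if len(ids) > 1}


# Constructed sample: an administrator in the default admin domain and a user
# in another domain who happens to share the bare user name.
SAMPLE_LOGINS = ["user001", "user001@dom1", "ops@default_admin"]

if __name__ == "__main__":
    for mode in ("domain-included", "domain-excluded", "original"):
        print(mode, collisions(SAMPLE_LOGINS, "default_admin", mode))
```

Running the block shows that only the domain-excluded mode produces a collision (`user001` in `default_admin` and `user001` in `dom1` both arrive as `user001`), which is why the scenarios below replace that configuration with `user-name original` before binding the template or group to the admin domain.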
Scenario 1:
An error message is displayed when a new default admin domain is configured using the default-domain admin command.
[~HUAWEI-aaa] default-domain admin dom1
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.
2. Run the display this command in the HWTACACS server template view to check whether the undo hwtacacs-server user-name domain-included command is run for the template (tac).
[~HUAWEI] hwtacacs-server template tac
[~HUAWEI-hwtacacs-tac] display this
#
hwtacacs-server template tac
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
undo hwtacacs-server user-name domain-included
#
If the undo hwtacacs-server user-name domain-included configuration does not exist, go to Step 6. If the configuration exists, go to Step 3.
3. Create another HWTACACS server template that has the same configurations as the existing HWTACACS server template.
[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
4. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#
5. Bind the new HWTACACS server template to dom1.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain dom1
[*HUAWEI-aaa-domain-dom1] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-dom1] commit
6. Run the display this command to check whether the undo radius-server user-name domain-included command is run for the RADIUS server group named rad.
[*HUAWEI] radius-server group rad
[~HUAWEI-radius-rad] display this
#
radius-server template rad
radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s&c<*5TaHp@Hw~th1Rj99%%^%#
radius-server authentication 192.168.0.2 1812
undo radius-server user-name domain-included
#
If the undo radius-server user-name domain-included configuration does not exist, go to Step 7. If the configuration exists, go to Step 10.
7. Create another RADIUS server group that has the same configurations as the existing RADIUS server group.
[~HUAWEI] radius-server group radnew
[~HUAWEI-radius-radnew] radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s&c<*5TaHp@Hw~th1Rj99%%^%#
[*HUAWEI-radius-radnew] radius-server authentication 192.168.0.2 1812
8. Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.
[*HUAWEI-radius-radnew] radius-server user-name original
[*HUAWEI-radius-radnew] commit
9. Bind the new RADIUS server group to dom1.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain dom1
[*HUAWEI-aaa-domain-dom1] radius-server radnew
[*HUAWEI-aaa-domain-dom1] commit
10. Run the default-domain admin dom1 command.
[~HUAWEI] aaa
[~HUAWEI-aaa] default-domain admin dom1
[*HUAWEI-aaa-domain-dom1] commit
Scenario 2:
An error message is displayed when the default admin domain is restored using the undo default-domain admin command.
[~HUAWEI-aaa] undo default-domain admin
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.
[~HUAWEI-aaa] domain default_admin
[~HUAWEI-aaa-domain-default_admin] display this
#
domain default_admin
hwtacacs-server tac
radius-server group rad
#
2. Run the display this command in the HWTACACS server template view to check whether the undo hwtacacs-server user-name domain-included command is run for the template (tac).
[~HUAWEI] hwtacacs-server template tac
[~HUAWEI-hwtacacs-tac] display this
#
hwtacacs-server template tac
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
undo hwtacacs-server user-name domain-included
#
If the undo hwtacacs-server user-name domain-included configuration does not exist, go to Step 6. If the configuration exists, go to Step 3.
3. Create another HWTACACS server template that has the same configurations as the existing HWTACACS server template.
[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
4. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#
5. Bind the new HWTACACS server template to the default admin domain default_admin.
[~HUAWEI] aaa
[*HUAWEI-aaa] domain default_admin
[*HUAWEI-aaa-domain-default_admin] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-default_admin] commit
6. Run the display this command to check whether the undo radius-server user-name domain-included command is run for the RADIUS server group named rad.
[*HUAWEI] radius-server group rad
[*HUAWEI-radius-rad] display this
#
radius-server group rad
radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s&c<*5TaHp@Hw~th1Rj99%%^%#
radius-server authentication 192.168.0.2 1812
undo radius-server user-name domain-included
#
If the undo radius-server user-name domain-included configuration does not exist, go to Step 7. If the configuration exists, go to Step 10.
7. Create another RADIUS server group that has the same configurations as the existing RADIUS server group.
[~HUAWEI] radius-server group radnew
Info: A new server-group is created.
Warning: Please configure the shared-key. Configuring shared-key is mandatory to communicate with RADIUS server.
[~HUAWEI-radius-radnew] radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s&c<*5TaHp@Hw~th1Rj99%%^%#
[*HUAWEI-radius-radnew] radius-server authentication 192.168.0.2 1812
8. Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.
[*HUAWEI-radius-radnew] radius-server user-name original
[*HUAWEI-radius-radnew] commit
9. Bind the new RADIUS server group to the default admin domain default_admin.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain default_admin
[~HUAWEI-aaa-domain-default_admin] radius-server radnew
[~HUAWEI-aaa-domain-default_admin] commit
10. Run the undo default-domain admin command.
[~HUAWEI] aaa
[~HUAWEI-aaa] domain default_admin
[~HUAWEI-aaa-domain-default_admin] undo default-domain admin
[*HUAWEI-aaa-domain-default_admin] commit
After the configurations are changed, user names that carry domain names are not supported. A login failure occurs if a user name carrying a domain name, such as user001@default_admin, is used for login.