default-domain

Function

The default-domain command configures a default domain.

The default-domain pre-authentication command configures a default pre-authentication domain, to which an IP address pool is bound. The NetEngine 8000 F assigns IP addresses in this IP address pool to users through DHCP.

The default-domain authentication command configures a default authentication domain.

The undo default-domain command restores the default domain name pre-configured on the device.

By default, the pre-authentication domain is default0; the authentication domain is default1.

This command is supported only on the NetEngine 8000 F1A.

Format

default-domain { pre-authentication domain-name | authentication [ force | replace ] domain-name } *

undo default-domain [ pre-authentication | authentication ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| pre-authentication | Configures a pre-authentication domain, which is used when the device assigns IP addresses to users. | - |
| domain-name | Specifies a domain name. | The value is a string of 1 to 64 characters. |
| authentication | Configures a default authentication domain. | - |
| force | Forces use of the default authentication domain. A user adopts the authentication scheme that is configured in this domain, regardless of whether the entered user account contains a domain name or what that domain name is. If the user account contains a domain name, the domain name remains unchanged during authentication; if it contains no domain name, the forced default authentication domain name is added to the user account. | - |
| replace | Replaces the user's domain with the default authentication domain. A user adopts the authentication scheme that is configured in this domain, regardless of whether the entered user account contains a domain name or what that domain name is. If the user account contains a domain name, the domain name is replaced with the default authentication domain name during authentication; if it contains no domain name, the default authentication domain name is added to the user account. | - |

Views

BAS interface view (GE), BAS interface view (VE), BAS interface view (trunk)

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| bras-control | write |

Usage Guidelines

Usage Scenario

When binding authentication or Web authentication is adopted for VLAN users on a BAS interface, the default domain on the BAS interface can be used as the user domain.

In binding authentication, the default domain name is used to generate a user name.

In Web authentication, if no domain name is entered, the policy configured in the default domain is used for authentication, authorization, and accounting. If force is configured for the default authentication domain, the policy in the default authentication domain is forcibly used for a VLAN user, irrespective of whether the user is configured with a domain name. If replace is configured, the original domain name of a user is forcibly replaced by the default authentication domain name.

Assume that a user goes online with a domain name and enters the user account user@A.

  • The BAS interface that accesses the user is configured with domain B as the default-domain authentication. If domain A is configured on the device, the user adopts the authentication scheme that is configured in domain A, and the user account for authentication is user@A. If domain A is not configured on the device, and the roam-domain is disabled, the user authentication fails. If the roam-domain is enabled, the user adopts the authentication scheme that is configured in the roam-domain.
  • The BAS interface that accesses the user is configured with domain E as the roam-domain configured through the roam-domain command. If domain A is not configured on the device, the user adopts the authentication scheme that is configured in domain E. If domain A is configured on the device, the user adopts the authentication scheme that is configured in domain A, and the user account for authentication is user@A.
  • The BAS interface that accesses the user is configured with domain F as the default-domain authentication force. In this case, the user adopts the authentication scheme that is configured in domain F (regardless of whether domain A is configured on the device or whether a roam-domain is configured), and the user account for authentication is still user@A.
  • The BAS interface that accesses the user is configured with domain G as the default-domain authentication replace. In this case, the user adopts the authentication scheme that is configured in domain G (regardless of whether domain A is configured on the device or whether a roam-domain is configured), and the user account for authentication is changed into user@G.

Assume that a user goes online without a domain name and enters the user account user.

  • If the BAS interface that accesses the user is not configured with the default-domain authentication, the user adopts the authentication scheme that is configured in default1, and the user account for authentication is user@default1.
  • If the BAS interface that accesses the user is configured with domain B as the default-domain authentication, the user adopts the authentication scheme that is configured in domain B (domain B here is a default domain), and the user account for authentication is user@B.
  • If the BAS interface that accesses the user is configured with domain H as the default-domain authentication force, the user adopts the authentication scheme that is configured in domain H, and the user account for authentication is user@H.
  • If the BAS interface that accesses the user is configured with domain J as the default-domain authentication replace, the user adopts the authentication scheme that is configured in domain J, and the user account for authentication is user@J.

    The user account mentioned above may not be the one that is sent to an AAA server. Whether the user account sent to the AAA server contains a domain name depends on whether the radius-server user-name command is configured on the device to send a domain name to the AAA server.
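The resolution rules from the two scenarios above, modeled as an added Python example for checking which domain's AAA policy a given account ends up under (this is not Huawei code; `resolve`, `Result` and all parameter names are hypothetical). Two assumptions the page does not state: an interface with no default-domain authentication configured behaves like the plain case with default1, and the roam-domain case leaves the entered account unchanged.

```python
from typing import NamedTuple, Optional, Set


class Result(NamedTuple):
    policy_domain: Optional[str]  # domain whose authentication scheme applies; None = authentication fails
    account: Optional[str]        # user account used for authentication on the device


def resolve(account: str, configured_domains: Set[str],
            default_domain: str = "default1", mode: Optional[str] = None,
            roam_domain: Optional[str] = None) -> Result:
    """mode is None (plain default-domain authentication), "force" or "replace"."""
    user, sep, entered = account.partition("@")
    if mode in ("force", "replace"):
        # The default domain's scheme always applies, whatever the user typed.
        if sep and mode == "force":
            return Result(default_domain, account)           # entered domain name is kept
        return Result(default_domain, f"{user}@{default_domain}")
    if not sep:
        # No domain entered: the default domain supplies both scheme and name.
        return Result(default_domain, f"{user}@{default_domain}")
    if entered in configured_domains:
        return Result(entered, account)                      # user-selected domain wins
    if roam_domain:
        return Result(roam_domain, account)                  # assumption: account unchanged
    return Result(None, None)                                # unknown domain, no roam-domain


if __name__ == "__main__":
    # Constructed cases mirroring the bullets above (domains A, B, E, F, G).
    cases = [
        ("user@A", {"A", "B"}, "B", None, None),
        ("user@A", {"B"}, "B", None, None),
        ("user@A", {"B", "E"}, "B", None, "E"),
        ("user@A", {"A", "F"}, "F", "force", None),
        ("user@A", {"A", "G"}, "G", "replace", None),
        ("user", {"default1"}, "default1", None, None),
    ]
    for acct, domains, default, mode, roam in cases:
        print(acct, mode, "->", resolve(acct, domains, default, mode, roam))
```

In the plain mode the entered domain selects the policy, while force and replace pin the policy to the interface's domain; only replace also rewrites the account name.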

Precautions

In VS mode, this command is supported only by the admin VS.

Example

# Configure the pre-authentication domain and authentication domain of users on the BAS interface GE 0/1/9 as huawei, and the policy in the configured domain named huawei is forcibly used in authentication.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain huawei
[~HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit
[~HUAWEI] interface GigabitEthernet 0/1/9
[*HUAWEI-GigabitEthernet0/1/9] bas
[*HUAWEI-GigabitEthernet0/1/9-bas] commit
[*HUAWEI-GigabitEthernet0/1/9-bas] default-domain pre-authentication huawei authentication force huawei
Copyright © Huawei Technologies Co., Ltd.