adminuser-priority

Function

The adminuser-priority command configures a default user level for administrators in a specific AAA domain.

The undo adminuser-priority command deletes the default user level configured for administrators in a specific AAA domain.

By default, no default user level is configured for administrators in an AAA domain.

Format

adminuser-priority level

undo adminuser-priority

Parameters

Parameter: level

Description: Specifies the default user level for administrators in a specific AAA domain.

Value: The value is an integer ranging from 0 to 15.

If the command-privilege level rearrange command is not run, the available level ranges from 0 to 3. If the command-privilege level rearrange command is run, the available level ranges from 0 to 15.

If the command-privilege level rearrange command configuration is changed, the value of level changes based on the level mapping.

  • If the command-privilege level rearrange command configuration is added, the levels of level-0 and level-1 commands remain unchanged, the level of level-2 commands is upgraded to 10, and that of level-3 commands is upgraded to 15.
  • If the command-privilege level rearrange command configuration is deleted, the level of level-0 commands remains unchanged, the levels of level-1 to level-9 commands are downgraded to 1, the levels of level-10 to level-14 commands are downgraded to 2, and the level of level-15 commands is downgraded to 3.

Views

AAA domain view

Default Level

3: Management level

Task Name and Operations

Task Name: aaa

Operations: write

Usage Guidelines

Usage Scenario

If a user level is not assigned by the local device (using the local-user level command) or by a remote server, administrators are not allowed to access a specific domain in management mode. To resolve this issue, run the adminuser-priority command to configure a default level for administrators in a specific AAA domain. Administrators then log in with this user level.

A user level assigned by the local device or a remote server takes precedence over a user level configured using the adminuser-priority command. When the user is added to a user group, the user group configuration takes precedence over a user level configured using the adminuser-priority command.

The configured default level of the local user cannot be higher than that of the logged-in user.

An HWTACACS template having the undo hwtacacs-server user-name domain-included configuration cannot be bound to the default admin domain or a domain having the adminuser-priority <level> configuration (configuration restoration is not affected).

The default admin domain is a domain configured using the default-domain admin <domain-name> command. An admin domain is the default admin domain or a domain having the adminuser-priority <level> configuration. By default, the default admin domain name is default_admin.

An error message is displayed when the adminuser-priority command is run in a domain (dom1) that has been configured as the default admin domain using the default-domain admin dom1 command:

[~HUAWEI-aaa] domain dom1
[~HUAWEI-aaa-domain-dom1] adminuser-priority 2
Error: Configuring devices in a RADIUS server group or TACACS server template bound to the admin domain to send user names without domain names brings security risks. Changing the mode to using the original user name is recommended.

Solution:

  1. Run the display this command in the domain view to check the RADIUS server group and HWTACACS server template configurations of dom1.

[~HUAWEI-aaa] domain dom1
[~HUAWEI-aaa-domain-dom1] display this
#
domain dom1
hwtacacs-server tac
radius-server group rad
#

  2. Run the display this command in the HWTACACS server template view to check whether the undo hwtacacs-server user-name domain-included command is run for the template (tac).

[~HUAWEI] hwtacacs-server template tac
[~HUAWEI-hwtacacs-tac] display this
#
hwtacacs-server template tac
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
undo hwtacacs-server user-name domain-included
#

If the undo hwtacacs-server user-name domain-included configuration does not exist, go to Step 6. If the configuration exists, go to Step 3.

  3. Create another HWTACACS server template that has the same configurations as the existing HWTACACS server template.

[~HUAWEI] hwtacacs-server template tacnew
Info: Create a new HWTACACS-server template.
Warning: To improve the service security, please run the hwtacacs-server shared-key command to configure a shared key.
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server 192.168.0.2
[*HUAWEI-hwtacacs-tacnew] hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#

  4. Run the hwtacacs-server user-name original command to override the undo hwtacacs-server user-name domain-included configuration.

[*HUAWEI-hwtacacs-tacnew] hwtacacs-server user-name original
[*HUAWEI-hwtacacs-tacnew] commit
[~HUAWEI-hwtacacs-tacnew] display this
#
hwtacacs-server template tacnew
hwtacacs-server 192.168.0.2
hwtacacs-server shared-key cipher %^%#/rZ2A\A7\1/S;S7/L$eD#~Ea#I36)3T#tNS_\0-2%^%#
hwtacacs-server user-name original
#

  5. Bind the new HWTACACS server template to dom1.

[~HUAWEI] aaa
[*HUAWEI-aaa] domain dom1
[*HUAWEI-aaa-domain-dom1] hwtacacs-server tacnew
[*HUAWEI-aaa-domain-dom1] commit

  6. Add a new account in which the user name carries a domain name.

For example, add the user name user001@dom1 for an existing user name user001.

  7. Run the display this command to check whether the undo radius-server user-name domain-included command is run for the RADIUS server group named rad.

[~HUAWEI] radius-server group rad
[*HUAWEI-radius-rad] display this
#
radius-server group rad
radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s&c<*5TaHp@Hw~th1Rj99%%^%#
radius-server authentication 192.168.0.2 1812
undo radius-server user-name domain-included
#

If the undo radius-server user-name domain-included configuration does not exist, go to Step 8. If the configuration exists, go to Step 12.

  8. Create another RADIUS server group that has the same configurations as the existing RADIUS server group.

[~HUAWEI] radius-server group radnew
Info: A new server-group is created.
Warning: Please configure the shared-key. Configuring shared-key is mandatory to communicate with RADIUS server.
[*HUAWEI-radius-radnew] radius-server shared-key-cipher %^%#c~`zCvqg.=Qh-fSl4;s&c<*5TaHp@Hw~th1Rj99%%^%#
[*HUAWEI-radius-radnew] radius-server authentication 192.168.0.2 1812

  9. Run the radius-server user-name original command to override the undo radius-server user-name domain-included configuration.

[*HUAWEI-radius-radnew] radius-server user-name original
[*HUAWEI-radius-radnew] commit

  10. Bind the new RADIUS server group to dom1.

[~HUAWEI] aaa
[*HUAWEI-aaa] domain dom1
[*HUAWEI-aaa-domain-dom1] radius-server radnew
[*HUAWEI-aaa-domain-dom1] commit

  11. Add a new account in which the user name carries a domain name.

For example, add the user name user001@dom1 for an existing user name user001.

  12. Run the adminuser-priority level command.

[~HUAWEI] aaa
[*HUAWEI-aaa] default-domain admin dom1
[*HUAWEI-aaa-domain-dom1] adminuser-priority 2
[*HUAWEI-aaa-domain-dom1] commit
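The checks in Steps 1, 2 and 7 of the solution, together with the level-range rule from the Parameters section, can be run offline against a saved configuration before anyone touches the device. The following Python script is an added example, not Huawei code: it parses a constructed display this-style configuration (the stanza layout, the Domain and Config helpers and the parse_config/audit function names are assumptions of this example) and reports every admin domain whose bound HWTACACS server template or RADIUS server group carries the undo ... user-name domain-included setting, as well as any adminuser-priority value outside the range that the presence or absence of command-privilege level rearrange allows.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not captured from a real device); the stanza
# layout mirrors the "display this" output shown on this page.
SAMPLE_CONFIG = """\
#
hwtacacs-server template tac
 hwtacacs-server 192.168.0.2
 undo hwtacacs-server user-name domain-included
#
hwtacacs-server template tacnew
 hwtacacs-server 192.168.0.2
 hwtacacs-server user-name original
#
radius-server group rad
 radius-server authentication 192.168.0.2 1812
 undo radius-server user-name domain-included
#
aaa
 default-domain admin dom1
 domain dom1
  adminuser-priority 2
  hwtacacs-server tac
  radius-server rad
 domain abc
  adminuser-priority 15
  hwtacacs-server tacnew
#
"""

@dataclass
class Domain:
    name: str
    level: int | None = None      # adminuser-priority, if configured
    hwtacacs: str | None = None   # bound HWTACACS server template
    radius: str | None = None     # bound RADIUS server group

@dataclass
class Config:
    rearranged: bool = False      # "command-privilege level rearrange" present
    templates: dict[str, set[str]] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)
    domains: dict[str, Domain] = field(default_factory=dict)
    default_admin: str | None = None

# Lines that bind something inside a domain view ("group" is optional, as in Step 1).
BIND_RE = re.compile(r"(adminuser-priority|hwtacacs-server|radius-server)(?: group)? (\S+)$")

def parse_config(text: str) -> Config:
    """Parse only the stanzas the audit needs. Assumes '#' separates stanzas and
    that domain stanzas nest under 'aaa' (the layout used on this page)."""
    cfg = Config()
    ctx = None  # ("template", name) | ("group", name) | ("aaa", None) | ("domain", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = None
            continue
        if line == "command-privilege level rearrange":
            cfg.rearranged = True
            continue
        m = BIND_RE.match(line)
        if ctx and ctx[0] == "domain" and m:
            d, (key, val) = cfg.domains[ctx[1]], m.groups()
            if key == "adminuser-priority":
                d.level = int(val)
            elif key == "hwtacacs-server":
                d.hwtacacs = val
            else:
                d.radius = val
            continue
        m_tpl = re.match(r"hwtacacs-server template (\S+)$", line)
        m_grp = re.match(r"radius-server group (\S+)$", line)
        m_adm = re.match(r"default-domain admin (\S+)$", line)
        m_dom = re.match(r"domain (\S+)$", line)
        if m_tpl:
            ctx, cfg.templates[m_tpl.group(1)] = ("template", m_tpl.group(1)), set()
        elif m_grp:
            ctx, cfg.groups[m_grp.group(1)] = ("group", m_grp.group(1)), set()
        elif line == "aaa":
            ctx = ("aaa", None)
        elif ctx is None:
            continue
        elif ctx[0] in ("template", "group"):
            (cfg.templates if ctx[0] == "template" else cfg.groups)[ctx[1]].add(line)
        elif m_adm:
            cfg.default_admin = m_adm.group(1)
        elif m_dom:
            ctx = ("domain", m_dom.group(1))
            cfg.domains[ctx[1]] = Domain(ctx[1])
    return cfg

def audit(text: str) -> list[str]:
    """Return one finding per violation of the rules described on this page."""
    cfg = parse_config(text)
    max_level = 15 if cfg.rearranged else 3   # range follows command-privilege level rearrange
    findings = []
    for d in cfg.domains.values():
        if d.level is not None and not 0 <= d.level <= max_level:
            findings.append(f"{d.name}: adminuser-priority {d.level} is outside 0-{max_level}")
        # An admin domain is the default admin domain or any domain with adminuser-priority.
        if d.name != cfg.default_admin and d.level is None:
            continue
        if "undo hwtacacs-server user-name domain-included" in cfg.templates.get(d.hwtacacs, set()):
            findings.append(f"{d.name}: HWTACACS template {d.hwtacacs} sends user names without domain names")
        if "undo radius-server user-name domain-included" in cfg.groups.get(d.radius, set()):
            findings.append(f"{d.name}: RADIUS server group {d.radius} sends user names without domain names")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the script reports dom1 twice (template tac and group rad both strip the domain name, exactly the condition the error message in the Usage Guidelines refers to) and abc once (level 15 is only valid after command-privilege level rearrange). Rebinding dom1 to tacnew and radnew, as Steps 5 and 10 do, clears the first two findings.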

Example

# Set the default user level to 2 for administrators in the AAA domain named abc.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain abc
[*HUAWEI-aaa-domain-abc] adminuser-priority 2
Copyright © Huawei Technologies Co., Ltd.