Configuring an Authentication Scheme

Configure an authentication scheme and set the scheme's authentication-related parameters, such as the authentication mode, on the authentication server. If these parameters are not set, users fail authentication under the scheme.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run authentication-scheme scheme-name

    An authentication scheme is created.

    By default, three authentication schemes named default, default0, and default1 are configured on the NetEngine 8000 F. They can be modified but cannot be deleted.

  4. Run either of the following commands:

    An authentication mode is set.

    • If RADIUS authentication is used, you need to configure a RADIUS authentication server. For configuration details, see Configuring RADIUS Authentication and Accounting Servers.
    • If local authentication is used, you need to create a local user account using the local-user user-name password { cipher cipher-password | irreversible-cipher irreversible-password } command.
    • If RADIUS proxy authentication is used, you need to configure RADIUS authentication proxy. For configuration details, see Configuring RADIUS Proxy Authentication.

  5. (Optional) Run authening authen-fail { offline | online authen-domain domain-name }

    The policy for handling authentication failures is configured.

    The policy determines how the NetEngine 8000 F handles users who fail to be authenticated.

  6. (Optional) Run authening quota-out-redirect-enable

    The device is enabled to redirect a user to a specified domain when the user's quota becomes zero.

  7. (Optional) Run authening authen-redirect online authen-domain domain-name

    A redirection domain is configured.

    After a redirection domain is configured, users who fail authentication go online from the redirection domain, which is different from the domain used by users who pass authentication.

    In real-world applications, you can configure a private IP address pool, UCL-based access control, and a security domain in the redirection domain so that address allocation (private addresses and public addresses) and access control differ from those of other user domains. This effectively saves public IP addresses and prevents unauthorized users from consuming public IP addresses.

  8. (Optional) Run mac-authentication enable (AAA domain view)

    MAC address-based authentication is enabled.

    MAC address-based authentication simplifies web authentication. If this authentication mode is enabled, a user only needs to enter the user name and password at the first web authentication, during which the RADIUS server records the user's MAC address. In subsequent web authentication attempts, the RADIUS server authenticates the user based on the user's MAC address, without requiring the user to enter the user name and password again.

    In most cases, this command is used together with the authening authen-fail online authen-domain domain-name command. With both of the commands configured, if MAC address-based authentication fails, the device redirects a web user to the specified domain and allows the user to access the authentication domain and network services after the user enters the correct user name and password in the redirection domain.

  9. Run commit

    The configuration is committed.
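
    The following is an added example, not part of the original Huawei documentation: a Python check that reads an AAA configuration section and reports every authentication scheme that keeps failed users online through authening authen-fail online or authening authen-redirect online, and whether the referenced domain is defined. The sample configuration, its indentation-based layout, the domain lines, and all scheme and domain names are constructed assumptions.

```python
import re

# Constructed sample of an AAA configuration section (not from a real device).
# Assumed layout: one-space indentation per view level, "domain <name>" under aaa.
SAMPLE_CONFIG = """\
aaa
 authentication-scheme default0
 authentication-scheme web-auth
  authening authen-fail online authen-domain guest-redirect
 authentication-scheme strict
  authening authen-fail offline
 authentication-scheme portal
  authening authen-redirect online authen-domain missing-dom
  authening quota-out-redirect-enable
 domain guest-redirect
"""

SCHEME_RE = re.compile(r"^\s*authentication-scheme\s+(\S+)\s*$")
DOMAIN_RE = re.compile(r"^\s*domain\s+(\S+)\s*$")
ONLINE_RE = re.compile(
    r"^\s*authening\s+(authen-fail|authen-redirect)\s+online\s+authen-domain\s+(\S+)\s*$")


def audit_schemes(config_text):
    """Return one finding per scheme policy that lets failed users go online."""
    domains, redirects, current, scheme_indent = set(), [], None, 0
    for line in config_text.splitlines():
        if not line.strip():
            continue  # blank lines do not end a view
        indent = len(line) - len(line.lstrip())
        if m := SCHEME_RE.match(line):
            current, scheme_indent = m.group(1), indent
            continue
        if current is not None and indent <= scheme_indent:
            current = None  # left the authentication scheme view
        if m := DOMAIN_RE.match(line):
            domains.add(m.group(1))
        elif (m := ONLINE_RE.match(line)) and current is not None:
            redirects.append((current, m.group(1), m.group(2)))
    # Domains may be defined after the scheme, so resolve them at the end.
    return [{"scheme": s, "policy": p, "domain": d, "domain_defined": d in domains}
            for s, p, d in redirects]


if __name__ == "__main__":
    for finding in audit_schemes(SAMPLE_CONFIG):
        print(finding)
```

    A finding with domain_defined set to False points to a redirection domain that the configuration references but does not define, so its address pool and access control cannot be reviewed.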

Copyright © Huawei Technologies Co., Ltd.