Validation Rules for Domain Names

A domain name can be obtained in any of the following modes:

The domain name delivered by an AAA server takes precedence. In other scenarios, the validation rules for domain names are as follows.

Figure 1 Validation rules for domain names

Users Going Online Using User Names with Domain Names

This example uses the user name user@A.

  • If the authentication default domain B has been configured on the BAS interface to which the user logs in, the following situations are available:

  • If domain A has been configured on the BRAS, the user uses the authentication and accounting schemes configured in domain A, with the user name user@A.

  • If domain A is not configured on the BRAS and roaming is disabled, authentication fails. If roaming is enabled, the user uses the authentication and accounting schemes configured in the roaming domain.

  • If the roaming domain E has been configured on the BAS interface to which the user logs in, the following situations are available:

  • If domain A has been configured on the BRAS, the user uses the authentication and accounting schemes configured in domain A, with the user name user@A.

  • If domain A is not configured on the BRAS, the user uses the authentication and accounting schemes configured in domain E, with the user name user@A.

  • If the mandatory authentication default domain F has been configured on the BAS interface to which the user logs in, the user uses the authentication and accounting schemes configured in domain F, irrespective of whether domain A or a roaming domain has been configured. The user name used in authentication remains user@A.

  • If the mandatory substitute authentication domain G has been configured on the BAS interface to which the user logs in, the user uses the authentication and accounting schemes configured in domain G, irrespective of whether domain A or a roaming domain has been configured. The user name used in authentication is changed to user@G.

Users Going Online Using User Names Without Domain Names

This example uses the user name user.

  • If no authentication default domain has been configured on the BAS interface to which the user logs in, the user uses the authentication and accounting schemes configured in default1, with the user name user@default1.

  • If the authentication default domain B has been configured on the BAS interface to which the user logs in, the user uses the authentication and accounting schemes configured in domain B, with the user name user@B.

  • If the mandatory authentication default domain H has been configured on the BAS interface to which the user logs in, the user uses the authentication and accounting schemes configured in domain H, with the user name user@H.

  • If the mandatory substitute authentication domain J has been configured on the BAS interface to which the user logs in, the user uses the authentication and accounting schemes configured in domain J, with the user name user@J.

If permit domains have been configured on the BAS interface to which a user logs in, the BRAS determines the authentication domain of the user and checks whether the authentication domain is permitted, irrespective of whether the user goes online using the user name containing a domain name or not.

The user name used in authentication is not necessarily the user name eventually sent to an AAA server. The BRAS can be configured whether the user names sent to the AAA server carry domain names or not.

Parent Topic: Understanding AAA and User Management
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic