Configuring AAA Schemes for the Domain

A domain binds the authentication, authorization, and accounting schemes that apply to its users to a remote server template (a RADIUS server group or an HWTACACS server template). Users who log in through the domain are then authenticated, authorized, and accounted according to those schemes.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. (Optional) Run service-type terminal force-domain domain-name

    A forced domain is configured for a console interface.

    When users who log in through the console interface must be distinguished from users who log in by other methods, run the service-type terminal force-domain command to specify a forced domain for the console interface. After the configuration takes effect, every user who logs in through the console interface is placed in the forced domain; the domain carried in the user name is ignored, so such a user cannot select another domain by adding a domain suffix. In this manner, console users and users who log in by other methods are separated and assigned different rights.

    In VS mode, this command is supported only by the admin VS.

  4. (Optional) Run default-domain { admin | access } domain-name

    A default domain is configured for administrators (admin) or access users (access). Use the name of the domain you create in step 8.

    After you create a domain, for example, first_domain, users must append @first_domain to their user names during authentication, which is inconvenient. To facilitate authentication, run the default-domain command to set first_domain as the default domain. The system then treats a user name that carries no domain as belonging to first_domain. The default domain applies only to user names without a domain part: a user who enters user1@other_domain is still placed in other_domain, so use the default domain for convenience, not to restrict which domain users may enter.

  5. (Optional) Run domain-name-delimiter delimiter

    The domain name delimiter is configured.

  6. (Optional) Run domain-location { after-delimiter | before-delimiter }

    The domain name location is configured so that the system can correctly parse the user name and domain name.

    By default, a user uses user name@domain name to log in to a device. To configure a user to use domain name@user name to log in, run the domain-location command to configure the domain name to be located before the delimiter.

  7. (Optional) Run domainname-parse-direction { left-to-right | right-to-left }

    The direction in which the domain name is parsed is configured so that the system can correctly parse the user name and domain name.

    When a user name contains multiple domain name delimiters, run the domainname-parse-direction command to configure the direction in which the domain name is parsed. Take user1@abcd@domain1 as an example. When the domain name is parsed from left to right, the first @ from the left is treated as the domain name delimiter, giving the user name user1 and the domain name abcd@domain1. When the domain name is parsed from right to left, the first @ from the right is treated as the domain name delimiter, giving the user name user1@abcd and the domain name domain1. The other delimiters are considered part of the user name or domain name. Because the parse direction decides which domain, and therefore which schemes and server, a login is sent to, verify it against the user name format your AAA servers expect before committing it.

  8. Run domain domain-name

    A domain is created and the AAA domain view is displayed.

  9. Run authentication-scheme scheme-name

    The authentication scheme is configured for the domain.

  10. Run authorization-scheme authorization-scheme-name

    The authorization scheme is configured for the domain.

  11. Run accounting-scheme accounting-scheme-name

    The accounting scheme is configured for the domain.

  12. Select the server template according to the configured authentication, authorization, and accounting modes.

    • Run the radius-server group (AAA domain view) group-name command to configure the RADIUS server group for the domain.

      In VS mode, this command is supported only by the admin VS.

    • Run the hwtacacs-server template-name command to configure the HWTACACS server template for the domain.

  13. Run block

    The domain is put into the block state.

    When a domain is in block state, users of the domain cannot access the network. Use this to disable all users of a domain at once; do not block the domain through which your own management session or other administrators log in.

  14. (Optional) Run access-limit access-limit-number

    The maximum number of access users for the domain is set.

  15. (Optional) Run adminuser-priority level

    The default user level for administrators in a specific AAA domain is configured.

    If neither the local device (using the local-user level command) nor a remote server assigns a user level, administrators cannot log in to the device in management mode through that domain. To resolve this, run the adminuser-priority command to configure a default level for administrators in the AAA domain. Administrators without an assigned level then log in with this default level.

    A user level assigned by the local device or a remote server takes precedence over the level configured using the adminuser-priority command. If the user belongs to a user group, the user group configuration also takes precedence over the adminuser-priority level.

    The default level configured by this command cannot be higher than the level of the administrator who is logged in and running it, which prevents an administrator from configuring a default level above their own.

  16. Run commit

    The configuration is committed.
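The parsing and domain-selection rules in steps 3 to 7, together with the block and access-limit checks in steps 13 and 14, are easy to get wrong when a user name itself contains the delimiter. The following Python model is an added example and not Huawei's code: it implements only the rules stated in this procedure so that the domain a given login string will land in can be checked offline before commit. The type names, the default parse direction, the constructed sample configuration, and the assumption that a forced console domain still strips a user-supplied domain suffix are this example's own.

```python
"""Offline model of VRP-style login parsing and domain selection.

Added example, not Huawei's code. It implements only the rules stated in the
procedure above (domain-name-delimiter, domain-location,
domainname-parse-direction, default-domain, service-type terminal
force-domain, block, access-limit). Defaults other than the "@" delimiter and
the user@domain layout are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Domain:
    name: str
    authentication_scheme: str
    authorization_scheme: str
    accounting_scheme: str
    blocked: bool = False               # set by "block" in the AAA domain view
    access_limit: Optional[int] = None  # "access-limit"; None means no limit
    online_users: int = 0               # constructed counter for the check


@dataclass
class AaaConfig:
    delimiter: str = "@"                    # domain-name-delimiter
    location: str = "after-delimiter"       # domain-location
    parse_direction: str = "right-to-left"  # domainname-parse-direction (assumed default)
    default_admin_domain: Optional[str] = None    # default-domain admin
    default_access_domain: Optional[str] = None   # default-domain access
    console_forced_domain: Optional[str] = None   # service-type terminal force-domain
    domains: Dict[str, Domain] = field(default_factory=dict)


def split_login(cfg: AaaConfig, login: str) -> Tuple[str, Optional[str]]:
    """Split a login string into (user, domain).

    Exactly one delimiter is treated as the domain delimiter: the first one
    from the left or from the right, per parse_direction. Every other
    delimiter stays part of the user name or the domain name. Returns
    domain=None when the login carries no delimiter at all.
    """
    if cfg.parse_direction == "left-to-right":
        idx = login.find(cfg.delimiter)
    elif cfg.parse_direction == "right-to-left":
        idx = login.rfind(cfg.delimiter)
    else:
        raise ValueError(f"unknown parse direction {cfg.parse_direction!r}")
    if idx < 0:
        return login, None
    left, right = login[:idx], login[idx + len(cfg.delimiter):]
    if cfg.location == "before-delimiter":   # domain@user
        return right, left
    return left, right                       # user@domain (the default)


def resolve_domain(cfg: AaaConfig, login: str, service: str,
                   via_console: bool = False) -> Tuple[str, Domain]:
    """Return (user, Domain) for a login, or raise PermissionError.

    service is "admin" for management logins or "access" for access users;
    via_console marks a session on the console interface. Assumption of this
    example: a forced console domain still strips a domain suffix from the
    login string; it only ignores the domain the user supplied.
    """
    user, supplied = split_login(cfg, login)
    if via_console and cfg.console_forced_domain is not None:
        dname = cfg.console_forced_domain      # user-supplied domain ignored
    elif supplied is not None:
        dname = supplied                       # explicit domain beats the default
    elif service == "admin":
        dname = cfg.default_admin_domain
    else:
        dname = cfg.default_access_domain
    if dname is None or dname not in cfg.domains:
        raise PermissionError(f"no usable domain for login {login!r}")
    dom = cfg.domains[dname]
    if dom.blocked:
        raise PermissionError(f"domain {dname!r} is blocked")
    if dom.access_limit is not None and dom.online_users >= dom.access_limit:
        raise PermissionError(f"domain {dname!r} has reached its access-limit")
    return user, dom


def is_rejected(cfg: AaaConfig, login: str, service: str,
                via_console: bool = False) -> bool:
    """True when resolve_domain refuses the login."""
    try:
        resolve_domain(cfg, login, service, via_console)
    except PermissionError:
        return True
    return False


def sample_config() -> AaaConfig:
    """Constructed configuration: admin default domain, forced console domain,
    and one blocked domain."""
    cfg = AaaConfig(default_admin_domain="first_domain",
                    console_forced_domain="console_domain")
    for name, blocked, limit in (("first_domain", False, None),
                                 ("console_domain", False, 2),
                                 ("ops", True, None)):
        cfg.domains[name] = Domain(name, "auth1", "author1", "acct1",
                                   blocked=blocked, access_limit=limit)
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    for login, console in (("alice", False), ("user1@abcd@domain1", False),
                           ("bob@ops", False), ("bob@ops", True)):
        try:
            user, dom = resolve_domain(cfg, login, "admin", via_console=console)
            print(f"{login!r:22} console={console!s:5} -> user={user!r} domain={dom.name}")
        except PermissionError as exc:
            print(f"{login!r:22} console={console!s:5} -> rejected: {exc}")
```

Running the script shows the two cases that matter most in practice: user1@abcd@domain1 is sent to a domain named domain1 (right-to-left) rather than abcd@domain1, and bob@ops is rejected over the network because ops is blocked but admitted on the console, where the forced domain overrides the suffix the user typed.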

Copyright © Huawei Technologies Co., Ltd.