In AAA implementations, users belong to respective domains. The domain to which a user belongs depends on the character string following "@" in the user name. For example, the user named "user@hua" belongs to the domain named "hua". If there is no "@" in a user name, the user belongs to the system default domain.
Name | Description | Default Attributes |
---|---|---|
default0 | The domain to which a user belongs before authentication. When a user accesses the NetEngine 8000 F and is not yet authenticated, the NetEngine 8000 F does not know the user's domain and therefore considers by default that the user belongs to default0. | Local authentication; Non-accounting |
default1 | The domain to which a user belongs during authentication. If, during authentication, a user inputs a user account that does not contain a domain name, the NetEngine 8000 F considers by default that the user belongs to default1. | RADIUS authentication; RADIUS accounting |
default_admin | The domain to which an operation user belongs. When an operation user logs in to the NetEngine 8000 F through Telnet or SSH and inputs a user account that does not contain a domain name during authentication, the NetEngine 8000 F considers by default that the operation user belongs to default_admin. | First local authentication and later RADIUS authentication; Non-accounting |
A router can manage users based on their domains. For each domain, users can configure the default authorization, RADIUS or HWTACACS server template, and authentication and accounting schemes.
To implement AAA for access users, an admin user needs to configure authentication, authorization, and accounting schemes in the AAA view of the router and then apply the configurations in the domain view.
The default AAA scheme adopts local authentication, local authorization, and non-accounting. If no AAA scheme is applied to a new domain, the default AAA scheme applies. In addition, to use the RADIUS or HWTACACS scheme for a user, an admin user must pre-configure the RADIUS or HWTACACS server template in the system view and then apply it in the view of the domain to which the user belongs.
When a domain and the users in the domain are configured with the same attribute, the user-based configurations take precedence over domain-based configurations.
The authorization configured in the domain view has a lower priority than the authorization applied by an AAA server. When the AAA server does not support the authorization type, the authorization configured in the domain view takes effect. Users can therefore flexibly add service authorization through the domain, regardless of the authorization delivered by the AAA server.
To facilitate management of user access devices, you can specify a limit for online users in a domain or for each local user.
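The domain selection and precedence rules above can be checked against a list of login names with a small model. This is an added example, not vendor code or device behavior beyond what the page states. The function names, the attribute keys (`idle-timeout`, `acl`, `qos-profile`), the handling of several "@" characters, and the error for an unconfigured domain are assumptions made for illustration.

```python
# Added illustration of the rules on this page; not device or vendor code.
BUILTIN = {  # default attributes of the built-in domains (table above)
    "default0": {"authentication": ["local"], "accounting": "none"},
    "default1": {"authentication": ["radius"], "accounting": "radius"},
    "default_admin": {"authentication": ["local", "radius"], "accounting": "none"},
}
# Default AAA scheme: applies to a new domain that has no scheme applied.
DEFAULT_SCHEME = {"authentication": ["local"], "authorization": "local",
                  "accounting": "none"}


def resolve_domain(username, operation_user=False):
    """Return (account, domain) for a login name.

    Assumption: with several "@", the text after the last one is the domain,
    and an empty domain part is handled like a missing one.
    """
    account, sep, domain = username.rpartition("@")
    fallback = "default_admin" if operation_user else "default1"
    if not sep:
        return username, fallback
    return account, domain or fallback


def domain_scheme(domain, configured):
    """Scheme in effect for a domain.

    `configured` maps admin-created domain names to the settings applied in
    their domain view; anything not applied falls back to DEFAULT_SCHEME.
    """
    if domain in configured:
        return {**DEFAULT_SCHEME, **configured[domain]}
    if domain in BUILTIN:
        return dict(BUILTIN[domain])
    # The page does not say what the device does here; this model refuses.
    raise ValueError(f"domain {domain!r} is not configured")


def effective(attr, user_cfg, domain_cfg):
    """Same attribute on user and domain: the user-based value wins."""
    return user_cfg[attr] if attr in user_cfg else domain_cfg.get(attr)


def effective_authorization(domain_authz, server_authz):
    """Per authorization type: the AAA server's value wins; types the server
    does not supply fall back to the domain view."""
    return {**domain_authz, **server_authz}
```

Running a device's local account names through `resolve_domain` shows which accounts fall into `default_admin` or `default1` because they carry no domain suffix, and therefore which authentication path each login takes.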