No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring a User Authentication Domain

(Optional) Configuring a User Authentication Domain

Context

The device manages users in domains. For example, AAA schemes and authorization information are bound to domains. During user authentication, the device assigns users to specified domains based on the domain names contained in user names. However, user names entered by many users on actual networks do not contain domain names. In this case, you can configure a default domain in an authentication profile. If users using this profile enter user names that do not contain domain names, the device manages the users in the default domain.

On actual networks, user names entered by some users contain domain names and those entered by other users do not. The device uses different domains to manage the users. Because authentication, authorization and accounting (AAA) information in the domains are different, users use different AAA information. To ensure that users using the same authentication profile use the same AAA information, you can configure a forcible domain in the authentication profile for the users. The device then manages the users in the forcible domain regardless of whether entered user names contain domain names or not.

Prerequisites

A domain has been configured using the domain (AAA view) command in the AAA view.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run authentication-profile name authentication-profile-name

    The authentication profile view is displayed.

  3. Run access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

    A default or forcible domain is configured for users.

    By default, no default or forcible domain is configured in an authentication profile, and the global default domain default is used.

    NOTE:
    • If force is not specified, a default domain is configured. If force is specified, a forcible domain is configured. If both a default domain and a forcible domain are configured, the device authenticates users in the forcible domain.

    • If dot1x, mac-authen, or portal is not specified, the configured domain takes effect for all access authentication users using the authentication profile. If dot1x, mac-authen, or portal is specified, the configured domain takes effect only for specified users using the authentication profile.

  4. Run quit

    Return to the system view.

  5. Run domain domain-name mac-authen force mac-address mac-address mask mask

    A forcible domain is configured for MAC address authentication users.

    NOTE:

    You can configure a forcible domain for MAC address authentication users within a specified MAC address range in the system view.

    The priorities of the forcible domain, domain carried in the user name, and default domain in different views are as follows in descending order: forcible domain with a specified authentication mode in an authentication profile > forcible domain in an authentication profile > authentication domain carried in the user name > default domain with a specified authentication mode in an authentication profile > default domain in an authentication profile > global default domain. Note that a forcible domain specified for MAC address authentication users within a MAC address range has the highest priority and takes precedence over that configured in an authentication profile.

Translation
Download
Updated: 2019-08-21

Document ID: EDOC1000141885

Views: 58484

Downloads: 10

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next