S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Applying AAA Schemes to a Domain

Context

The authentication and authorization schemes you created take effect only after they are applied to a domain. When local authentication and authorization are used, the default accounting scheme (non-accounting) is used.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run aaa

    The AAA view is displayed.

  3. Run domain domain-name [ domain-index domain-index ]

    A domain is created and the domain view is displayed, or the view of an existing domain is displayed.

    The device has two default domains:
    • default: Used by common access users
    • default_admin: Used by administrators
    NOTE:
    • If a user enters a user name that does not contain a domain name, the user is authenticated in the default domain. In this case, run the domain domain-name [ admin ] command and set domain-name to configure a global default domain on the device.
    • If a user enters a user name that contains a domain name during authentication, the domain-name part of the user name must match a configured domain exactly.

  4. Apply AAA schemes to the domain.

    • Apply an authentication scheme to the domain.
      Command: authentication-scheme authentication-scheme-name
      By default, the authentication scheme named radius is applied to the default domain, the authentication scheme named default is applied to the default_admin domain, and the authentication scheme named default is applied to other domains.

    • Apply an authorization scheme to the domain.
      Command: authorization-scheme authorization-scheme-name
      By default, no authorization scheme is applied to a domain.

  5. Configure local authorization rules.

    • (Optional) Apply a user group to the domain.
      Command: user-group group-name
      By default, no user group is applied to a domain.
      NOTE: This command is supported only in the NAC common mode.

    • (Optional) Apply a service scheme to the domain.
      Command: service-scheme service-scheme-name
      By default, no service scheme is applied to a domain.

  6. (Optional) Specify the domain state and enable traffic statistics collection for the domain.

    • Specify the domain state.
      Command: state { active | block [ time-range time-name &<1-4> ] }
      When a domain is in the blocking state, users in this domain cannot log in. By default, a created domain is in the active state.

  7. (Optional) Configure a domain name parsing scheme. (If domain name parsing is configured in both the AAA view and the authentication profile view, the device preferentially uses the configuration in the authentication profile. The configuration in the authentication profile applies only to wireless users.)

    In the AAA view:

    • Exit from the domain view.
      Command: quit

    • Specify the domain name parsing direction.
      Command: domainname-parse-direction { left-to-right | right-to-left }
      The domain name can be parsed from left to right or from right to left. By default, the domain name is parsed from left to right.

    • Set the domain name delimiter.
      Command: domain-name-delimiter delimiter
      A domain name delimiter can be any of the following: \ / : < > | @ ' %. The default domain name delimiter is @.

    • Specify the domain name location.
      Command: domain-location { after-delimiter | before-delimiter }
      The domain name can be placed before or after the delimiter. By default, the domain name is placed after the domain name delimiter.

    • Set the security string delimiter.
      Command: security-name-delimiter delimiter
      By default, the security string delimiter is * (asterisk).

    In the authentication profile view:

    • Exit from the AAA view.
      Command: quit

    • Create an authentication profile and enter the authentication profile view.
      Command: authentication-profile name authentication-profile-name
      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    • Specify the domain name parsing direction.
      Command: domainname-parse-direction { left-to-right | right-to-left }
      The domain name can be parsed from left to right or from right to left. By default, the domain name parsing direction is not specified.

    • Set the domain name delimiter.
      Command: domain-name-delimiter delimiter
      A domain name delimiter can be any of the following: \ / : < > | @ ' %. By default, no domain name delimiter is set.

    • Specify the domain name location.
      Command: domain-location { after-delimiter | before-delimiter }
      By default, the domain name location is not specified.

    • Set the security string delimiter.
      Command: security-name-delimiter delimiter
      By default, no security string delimiter is set.

  8. (Optional) Specify a permitted domain for wireless users. (This step applies only to wireless users.)

    • Return to the system view.
      Command: quit

    • Create an authentication profile and enter the authentication profile view.
      Command: authentication-profile name authentication-profile-name
      By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

    • Specify a permitted domain for wireless users.
      Command: permit-domain name domain-name &<1-4>
      By default, no permitted domain is specified for wireless users. After a permitted domain is specified in an authentication profile, only users in the permitted domain can be subject to authentication, authorization, and accounting.
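The settings in step 7 decide which domain, and therefore which AAA scheme, a login name is mapped to, and step 3 and step 8 decide what happens when no domain is given or the domain is not permitted. The following model, added here as an illustration and not code from the Huawei guide, shows how a login such as abc@123@xyz resolves to different domains under left-to-right and right-to-left parsing; the split rule (first delimiter found when scanning in the configured direction) and the stripping of the security string are assumptions, not Huawei's implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DomainParseConfig:
    """Mirrors the step 7 commands; defaults are the AAA-view defaults."""
    direction: str = "left-to-right"          # domainname-parse-direction
    delimiter: str = "@"                      # domain-name-delimiter
    location: str = "after-delimiter"         # domain-location
    security_delimiter: Optional[str] = "*"   # security-name-delimiter
    default_domain: str = "default"           # global default domain (step 3)


def parse_login_name(login: str, cfg: DomainParseConfig) -> tuple[str, str]:
    """Return (user_name, domain_name) for a login string."""
    # Assumption: the split happens at the first delimiter found while
    # scanning in the configured direction.
    if cfg.direction == "left-to-right":
        idx = login.find(cfg.delimiter)
    elif cfg.direction == "right-to-left":
        idx = login.rfind(cfg.delimiter)
    else:
        raise ValueError(f"unknown parse direction {cfg.direction!r}")

    if idx < 0:
        # No delimiter in the login name: authenticate in the default domain.
        user, domain = login, cfg.default_domain
    else:
        left, right = login[:idx], login[idx + 1:]
        if cfg.location == "after-delimiter":
            user, domain = left, right
        elif cfg.location == "before-delimiter":
            user, domain = right, left
        else:
            raise ValueError(f"unknown domain location {cfg.location!r}")

    # Assumption: text from the security string delimiter to the end of the
    # user part is the security string and is removed before authentication.
    if cfg.security_delimiter and cfg.security_delimiter in user:
        user = user.split(cfg.security_delimiter, 1)[0]
    return user, domain


def domain_permitted(domain: str, permitted: list[str]) -> bool:
    """Step 8: once permit-domain is set, only listed domains reach AAA."""
    if len(permitted) > 4:
        raise ValueError("permit-domain accepts at most 4 domain names")
    return not permitted or domain in permitted
```

The two results for abc@123@xyz show why the parsing direction and delimiter should be fixed deliberately before domains with different AAA schemes are created: the same login name would otherwise land in a different domain.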

Updated: 2019-10-21

Document ID: EDOC1000178117