- Run system-view
The system view is displayed.
- Run aaa
The AAA view is displayed.
- Run authorization-scheme authorization-scheme-name
An authorization scheme is created and the authorization scheme view is displayed, or the view of an existing authorization scheme is displayed.
A default authorization scheme named default is available on the device. This authorization scheme can be modified but not deleted.
- Run authorization-mode local [ none ]
The authorization mode is configured.
By default, local authorization is used.
- Run quit
The AAA view is displayed.
- (Optional) Run task-group task-group-name
A task group is created and the task group view is displayed.
By default, no task group is configured.
- Run one of the following commands to set task permissions.
  - Run the task task-name { read | write | execute | debug } * command to set permissions for a specific task.
  - Run the batch-task { read | write | execute | debug } * task-name-list { task-name &<1-20> } command to set permissions for tasks in batches.
  - Run the task-all { read | write | execute | debug } * command to set permissions for all tasks in batches.
- (Optional) Run include task-group task-group-name
The rights of the specified task group are added to the current task group.
By default, a task group does not include the rights of any other task group.
If the current task group needs to include all rights of another task group, or needs to inherit the rights of existing task groups, run the include task-group command to configure the inclusion relationship and add the rights of the specified task group to the current task group.
The rights of the current task group depend on the rights of the included task group. When the rights of the included task group change, the rights of the current task group change accordingly.
- (Optional) Run rule command rule-name permit view view-name expression command-string
A right rule for command-line execution rights is created in the current task group.
By default, no command-line right rule is configured in a task group.
This command provides finer-grained control than the task command. It can authorize or forbid a single command line or a batch of command lines with the same prefix in the task group.
In the same task group, a right rule configured with rule command has a higher priority than a permission set with the task command. When the two conflict, the right configuration of the rule command takes effect.
- (Optional) Run quit
The AAA view is displayed.
- (Optional) Run user-group user-group-name
A user group is created and the user group view is displayed.
By default, no user group is created.
- (Optional) Run task-group task-group-name
The task group is bound to the user group.
By default, no task group is bound to a user group.
- (Optional) Run include user-group user-group-name
The rights of the specified user group are added to the current user group.
By default, a user group does not include the rights of any other user group.
If the current user group needs to include all rights of another user group, or needs to inherit the rights of existing user groups, run the include user-group command to configure the inclusion relationship and add the rights of the specified user group to the current user group.
The rights of the current user group depend on the rights of the included user group. When the rights of the included user group change, the rights of the current user group change accordingly.
- (Optional) Run rule command rule-name { permit | deny } view view-name expression command-string
A right rule for command-line execution rights is configured in the current user group.
By default, no command-line right rule is configured in a user group.
When task authentication is performed, rights are matched in the following sequence: the right rule in the user group (rule command in the user group view, including both configured rules and rules inherited using the include user-group command) > the right rule in the task group (rule command in the task group view) > the task in the task group (the task command).
When the right configuration of the user group conflicts with the right rules inherited from other user groups using the include user-group command, the right configuration of the user group takes effect.
- Run commit
The configuration is committed.
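The matching sequence described in the steps above, modelled as an added example for auditing a planned group layout before committing it (this is not the vendor's code and not part of the original procedure). It assumes that expression matches as a command-line prefix, that the caller supplies the task and permission a command maps to, and that an unmatched command is denied; all group, task, view and command names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    view: str
    prefix: str   # assumption: expression is matched as a command-line prefix

@dataclass
class TaskGroup:
    tasks: dict = field(default_factory=dict)     # task-name -> set of permissions
    rules: list = field(default_factory=list)     # rule command (task group view)
    includes: list = field(default_factory=list)  # include task-group

@dataclass
class UserGroup:
    rules: list = field(default_factory=list)        # rule command (user group view)
    task_groups: list = field(default_factory=list)  # task-group binding
    includes: list = field(default_factory=list)     # include user-group

def closure(group):
    # The group itself, then every group it includes; identity check stops cycles.
    out, queue = [], [group]
    while queue:
        g = queue.pop(0)
        if not any(g is seen for seen in out):
            out.append(g)
            queue.extend(g.includes)
    return out

def authorize(ug, view, command, task, perm):
    """Return (decision, deciding layer), highest-priority layer first."""
    ugs = closure(ug)
    tgs = [t for g in ugs for bound in g.task_groups for t in closure(bound)]
    layers = [("user-group rule", ugs[0].rules),
              ("inherited user-group rule", [r for g in ugs[1:] for r in g.rules]),
              ("task-group rule", [r for t in tgs for r in t.rules])]
    for layer, rules in layers:
        for r in rules:
            if r.view == view and command.startswith(r.prefix):
                return r.action, layer
    if any(perm in t.tasks.get(task, set()) for t in tgs):
        return "permit", "task"
    return "deny", "no match"  # assumption: an unmatched command is not authorized

# Constructed sample; group, task, view and command strings are placeholders.
OPS = TaskGroup(tasks={"task-a": {"read", "write"}}, rules=[Rule("permit", "system", "display")])
BASE = UserGroup(rules=[Rule("permit", "system", "reset")], task_groups=[OPS])
NOC = UserGroup(rules=[Rule("deny", "system", "reset")], includes=[BASE])
```

In the sample, NOC inherits BASE's permit rule for the reset prefix but its own deny rule wins, which is the conflict case the last step describes.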