Configuring authentication methods for an ISP domain
Configuration prerequisites
Before configuring authentication methods, complete the following tasks:
Determine the access type or service type to be configured. With AAA, you can configure an authentication method for each access type and service type.
Determine whether to configure the default authentication method for all access types or service types. The default authentication method applies to all access users. However, the method has a lower priority than the authentication method that is specified for an access type or service type.
Configuration guidelines
When configuring authentication methods, follow these guidelines:
If the authentication method uses a RADIUS scheme and the authorization method does not use a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server. The Access-Accept message from the RADIUS server also includes the authorization information, but the device ignores the information.
If an HWTACACS scheme is specified, the device uses the entered username for role authentication. If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication. The variable n represents a user role level. For more information about user role authentication, see Fundamentals Configuration Guide.
Configuration procedure
To configure authentication methods for an ISP domain:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter ISP domain view. | domain isp-name | N/A |
3. Specify default authentication methods for all types of users. | authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } | By default, the default authentication method is local. The none keyword is not supported in FIPS mode. |
4. Specify authentication methods for LAN users. | authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } | By default, the default authentication method is used for LAN users. The none keyword is not supported in FIPS mode. |
5. Specify authentication methods for login users. | authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } | By default, the default authentication method is used for login users. The none keyword is not supported in FIPS mode. |
6. Specify authentication methods for portal users. | authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } | By default, the default authentication method is used for portal users. The none keyword is not supported in FIPS mode. |
7. Specify authentication methods for obtaining a temporary user role. | authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } * | By default, the default authentication method is used for obtaining a temporary user role. |