Usage guidelines
You can specify one authentication method and one backup authentication method to use in case
the previous authentication method is invalid.
If you specify a scheme to provide the method for user role authentication, the method applies only to
users whose user role is in the format of level-n.
• If an HWTACACS scheme is specified, the device uses the entered username for role
authentication. The username must already exist on the HWTACACS server to represent the
highest user level that a user can obtain. For example, to obtain a level-3 user role whose
username is test, the device uses the string test@domain-name or test for role authentication,
depending on whether the domain name is required.
• If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS
server for role authentication of any usernames. The variable n has the same value as the level
of the target user role. For example, to obtain a level-3 user role, the device uses the username
string $enab3$@domain-name or $enab3$, depending on whether the domain name is
required.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
• authentication default
• hwtacacs scheme
• radius scheme
authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
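The following Python check is an added example, not part of the original command reference. It parses authorization command lines from a saved configuration and reports whether each line matches the non-FIPS and FIPS syntax shown above, which flags any domain that relies on the none keyword before a move to FIPS mode. The sample configuration, the domain names, and the rule that any single non-keyword token is a valid scheme name are assumptions.

```python
KEYWORDS = {"hwtacacs-scheme", "local", "none"}

# Constructed sample; the domain names and the scheme name "tac" are illustrative.
SAMPLE = """\
domain test
 authorization command hwtacacs-scheme tac local
domain lab
 authorization command hwtacacs-scheme tac local none
domain typo
 authorization command none local
"""

def parse_methods(line):
    """Return the ordered method list, or None if the line does not match
    the non-FIPS syntax (the superset of the two forms)."""
    tokens = line.split()
    if tokens[:2] != ["authorization", "command"]:
        return None
    rest, methods = tokens[2:], []
    if rest and rest[0] == "hwtacacs-scheme":
        # Assumption: any single non-keyword token is a valid scheme name.
        if len(rest) < 2 or rest[1] in KEYWORDS:
            return None
        methods.append("hwtacacs-scheme")
        rest = rest[2:]
    for keyword in ("local", "none"):  # both optional, accepted only in this order
        if rest and rest[0] == keyword:
            methods.append(keyword)
            rest = rest[1:]
    return methods if methods and not rest else None

def check(line):
    """Report whether a line is valid under each of the two syntaxes."""
    methods = parse_methods(line)
    ok = methods is not None
    # The FIPS-mode syntax is the non-FIPS syntax without the none keyword.
    return {"non_fips": ok, "fips": ok and "none" not in methods}

def audit(config_text):
    """Return (line number, line, verdict) for every authorization command line."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("authorization command"):
            findings.append((number, line, check(line)))
    return findings

if __name__ == "__main__":
    for number, line, verdict in audit(SAMPLE):
        print(number, line, verdict)
```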
Default
The default authorization method of the ISP domain is used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin