local authorization, and local accounting. If you do not configure any AAA methods for an ISP domain,
the device uses the system-predefined AAA methods for users in the domain.
Configuration prerequisites
To use local authentication for users in an ISP domain, configure local user accounts on the device (see
"Configuring local user
To use remote authentication, authorization, and accounting, create the required RADIUS and
HWTACACS schemes as described in
schemes."
Creating an ISP domain
In a networking scenario with multiple ISPs, the device can connect users of different ISPs. Different ISP
users may have different user attributes (username and password structures), different service types, and
different rights. To manage users of different ISPs, configure ISP domains and their AAA methods and
domain attributes.
The device can accommodate up to 16 ISP domains, including the system-predefined ISP domain system.
You can specify one ISP domain as the default domain.
On the device, each user belongs to an ISP domain. If a user provides no ISP domain name at login, the
device considers that the user belongs to the default ISP domain.
The device chooses an authentication domain for each user in the following order:
The authentication domain specified for the access module
•
The ISP domain in the username
•
The default ISP domain of the device
•
•
The ISP domain specified for users with unknown domain names
If all domains are unavailable, user authentication fails.
Support for the authentication domain configuration depends on the access module. You can specify an
authentication domain for 802.1X, portal, or MAC address authentication.
To create an ISP domain:
Step
1.
Enter system view.
2.
Create an ISP domain and
enter ISP domain view.
3.
Return to system view.
4.
Specify the default ISP
domain.
5.
Specify an ISP domain for
users with unknown domain
names.
To delete the ISP domain that is functioning as the default ISP domain, you must change it to a non-default
ISP domain by using the undo domain default enable command.
attributes").
"Configuring RADIUS
Command
system-view
domain isp-name
quit
domain default enable
isp-name
domain if-unknown
isp-name
39
schemes" and
"Configuring HWTACACS
Remarks
N/A
N/A
N/A
Optional.
By default, the default ISP domain is the
system-predefined ISP domain system.
Optional.
By default, no ISP domain is specified for
users with unknown domain names.