Table of Contents
Advertisement
•
Domain status—By placing the ISP domain in active or blocked state, you allow or deny
network service requests from users in the domain.
•
Authorization attributes—The device assigns the authorization attributes in the ISP domain to
the authenticated users who do not receive these attributes from the server. The device
supports the following authorization attributes:
Default authorization user profile—When a user passes authentication, it typically
obtains an authorization user profile from the local or remote server. If the user does not
obtain any user profile from the server, the device authorizes the default user profile of the
ISP domain to the user. The device will restrict the user behavior based on the profile.
IPv4 address pool—The device assigns IPv4 addresses from the pool to authenticated
users in the domain.
IPv6 address pool—The device assigns IPv6 addresses from the pool to authenticated
users in the domain.
An ISP domain attribute applies to all users in the domain.
To configure ISP domain attributes:
Step
1.
Enter system view.
2.
Enter ISP domain view.
3.
Place the ISP domain in
active or blocked state.
4.
Specify authorization
attributes for authenticated
users in the ISP domain.
Configuring authentication methods for an ISP domain
Configuration prerequisites
Before configuring authentication methods, complete the following tasks:
1.
Determine the access type or service type to be configured. With AAA, you can configure an
authentication method for each access type and service type.
2.
Determine whether to configure the default authentication method for all access types or
service types. The default authentication method applies to all access users. However, the
method has a lower priority than the authentication method that is specified for an access type
or service type.
Configuration guidelines
When configuring authentication methods, follow these guidelines:
•
If a RADIUS scheme is used for authentication but not for authorization in an ISP domain, AAA
accepts only the authentication result from the RADIUS server. The Access-Accept message
from the RADIUS server also includes the authorization information, but the device ignores the
information.
•
If an HWTACACS scheme is specified for user role authentication, the device uses the entered
username to request role authentication. If a RADIUS scheme is specified, the device uses the
username $enabn$ to request role authentication. The variable n represents a user role level.
For more information about user role authentication, see Fundamentals Configuration Guide.
Command
system-view
domain isp-name
state { active | block }
authorization-attribute { ip-pool
pool-name | ipv6-pool
ipv6-pool-name | user-profile
profile-name }
44
Remarks
N/A
N/A
By default, an ISP domain is in
active state, and users in the
domain can request network
services.
By default, no authorization
attributes are specified.
Advertisement
Table of Contents
Troubleshooting
