Authorization Advpn - H3C MSR Series Command Reference Manual

Usage guidelines
You can specify one authentication method and one backup authentication method to use in case
that the previous authentication method is invalid.
If you specify a scheme to provide the method for user role authentication, the following rules apply:
•
If an HWTACACS scheme is specified, the device uses the entered username for role
authentication. The username must already exist on the HWTACACS server to represent the
highest user level that a user can obtain. For example, to obtain a level-3 user role of which
username is test, the device uses the string test@domain-name or test for role authentication,
depending on whether the domain name is required.
•
If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS
server for role authentication of any usernames. The variable n represents a user role level. For
example, to obtain a level-3 user role, the device uses the username string $enab3$.
For more information about user role authentication, see Fundamentals Configuration Guide.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-isp-test] authentication super hwtacacs-scheme tac
Related commands
authentication default
hwtacacs scheme
radius scheme

authorization advpn

Use authorization advpn to specify authorization methods for ADVPN users.
Use undo authorization advpn to restore the default.
Syntax
In non-FIPS mode:
authorization advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ]
[ none ] }
undo authorization advpn
In FIPS mode:
authorization advpn { local | radius-scheme radius-scheme-name [ local ] }
undo authorization advpn
Default
The default authorization methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
27