Table of Contents
Advertisement
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization
radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme
radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:
authorization
radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme
hwtacacs-scheme-name ] [ local ] }
undo authorization login
Default
The default authorization method of the ISP domain is used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after
users pass authentication:
•
Login users are assigned the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP,
and terminal users. Terminal users can access the device through the console port. For more
information about the level-0 user role feature, see RBAC configuration in Fundamentals
Configuration Guide.
•
The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS.
However, the users do not have permission to access the root directory.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive
string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the default authorization method is invalid, the device attempts to use the backup
authorization methods in sequence. For example, the authorization login radius-scheme
radius-scheme-name local none command specifies the default RADIUS authorization method and
two backup methods (local authorization and no authorization). The device performs RADIUS
authorization by default and performs local authorization when the RADIUS server is invalid. The
device does not perform authorization when both of the previous methods are invalid.
Examples
# In ISP domain test, perform local authorization for login users.
<Sysname> system-view
login
{
hwtacacs-scheme
login
{
hwtacacs-scheme
hwtacacs-scheme-name
hwtacacs-scheme-name
21
[
radius-scheme
[
radius-scheme
Advertisement
Chapters
Table of Contents
