Usage guidelines
You can specify one authentication method and one backup authentication method to use if the
first authentication method is invalid.
If you specify a scheme to provide the method for user role authentication, the method applies only to
users whose user role is in the format of level-n.
• If an HWTACACS scheme is specified, the device uses the entered username for role authentication.
The username must already exist on the HWTACACS server to represent the highest user level that
a user can obtain. For example, to obtain a level-3 user role whose username is test, the device uses
test@domain-name or test for role authentication, depending on whether the domain name is
required.
• If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for
role authentication, where n is the same as that in the target user role. For example, to obtain a
level-3 user role whose username is test, the device uses $enab3$@domain-name or $enab3$ for
any users who request authentication for obtaining the level-3 user role, depending on whether the
domain name is required.
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user role authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
• authentication default
• hwtacacs scheme
• radius scheme
authorization command
Use authorization command to specify the command authorization method.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] |
none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization method of the ISP domain is used for command authorization.
Views
ISP domain view
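The following added example (not part of the original command reference) checks authorization command lines in a configuration listing against the two syntaxes shown above and reports any line that uses none, which only the non-FIPS syntax accepts. The names parse_methods, audit and SAMPLE are hypothetical, and the sample configuration is constructed.

```python
import re

# Syntax from the section above:
#   non-FIPS: { hwtacacs-scheme NAME [ local ] [ none ] | local [ none ] | none }
#   FIPS:     { hwtacacs-scheme NAME [ local ] | local }
def parse_methods(args):
    """Return the ordered method list, or None if args match neither syntax."""
    tokens = args.split()
    methods = []
    if tokens[:1] == ["hwtacacs-scheme"] and len(tokens) >= 2:
        methods.append("hwtacacs-scheme " + tokens[1])
        tokens = tokens[2:]
    for keyword in ("local", "none"):  # optional keywords, fixed order
        if tokens[:1] == [keyword]:
            methods.append(keyword)
            tokens = tokens[1:]
    return methods if methods and not tokens else None

def audit(config, fips_mode):
    """Return (domain, methods, finding) for each authorization command line."""
    findings, domain = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"domain (\S+)$", line)
        if m:
            domain = m.group(1)
            continue
        if not line.startswith("authorization command"):
            continue  # also skips "undo authorization command"
        methods = parse_methods(line[len("authorization command"):])
        if methods is None:
            finding = "syntax error"
        elif "none" in methods and fips_mode:
            finding = "rejected: none is not in the FIPS-mode syntax"
        elif "none" in methods:
            # Assumption (not stated in this excerpt): none = no authorization check.
            finding = "review: none is in the method list"
        else:
            finding = "ok"
        findings.append((domain, methods, finding))
    return findings

# Constructed sample configuration, using the domain form from the example above.
SAMPLE = """\
domain test
 authentication super hwtacacs-scheme tac
 authorization command hwtacacs-scheme tac local none
domain branch
 authorization command hwtacacs-scheme tac local
domain lab
 authorization command none
"""
```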