Creating an Authentication Domain

When the default authentication domain cannot be used, you need to create a new one.

Context

In most cases, the default authentication domain is enough. In the following scenarios, you need to plan more authentication domains:

Users adopt different authentication modes or use different authentication servers. You must add the users to corresponding authentication domains.
AD and LDAP servers have domains. Therefore, you are advised to create an authentication domain on the FW with the same name as the domain name of the user on the server.

If a new authentication domain is configured, users will need to suffix their user names with the authentication domain (format: Login Name@Authentication Domain) during login. If the default authentication domain is used, users need to enter only their login names.

Procedure

Access the AAA view from the system view.
aaa
Create an authentication domain.
domain domain-name
Optional: Configure the description of the authentication domain.
description description
Optional: Specify the user group associated with the authentication domain.
reference user { default-domain | current-domain }

By default, the users of the current authentication domain are referenced. When an authentication domain is created, a root group with the authentication domain name is automatically generated. You can plan users and user groups in the root group. That is to say, each authentication domain has independent user accounts by default.

If the reference user default-domain command is used, no corresponding root group is generated when an authentication domain is created. Instead, the authentication domain uses the organizational structure of the default group. You can plan users and user groups in the default group.

When the user group associated with the authentication domain is changed to the default group, the FW deletes the original group (whose name is the same as the authentication domain) and its subgroups. Exercise caution when you perform the operation.