The authentication-mode command configures an authentication mode for an authentication scheme.
The undo authentication-mode command restores the default authentication mode in an authentication scheme.
By default, local authentication is used.
| Parameter | Description | Value |
|---|---|---|
| ad | Authenticates users using an AD server. To perform AD authentication, configure an AD authentication server in an AD server template. | - |
| hwtacacs | Authenticates users using an HWTACACS server. To perform HWTACACS authentication, configure an HWTACACS authentication server in an HWTACACS server template. | - |
| ldap | Authenticates users using an LDAP server. To perform LDAP authentication, configure an LDAP authentication server in an LDAP server template. | - |
| local | Authenticates users locally. | - |
| radius | Authenticates users using a RADIUS server. To perform RADIUS authentication, configure a RADIUS authentication server in a RADIUS server template. | - |

Usage Scenario
To authenticate users, configure an authentication mode in an authentication scheme.
In the sequence of local authentication followed by remote authentication:
- If a login account is not created locally but exists on the remote server, the authentication mode is changed from local authentication to remote authentication.
- If a login account is created locally and on the remote server, and local authentication fails because the password is incorrect, remote authentication will not be performed.

In the sequence of remote authentication followed by local authentication:
- If a login account is created locally but not on the remote server, remote authentication fails and local authentication will not be performed.
- A user is authenticated using the local authentication mode only when the remote server is Down or does not respond to the user's authentication request.

After the authentication-mode radius local command is used, the device cannot complete RADIUS authentication if it fails to connect to the RADIUS authentication server. In this case, the device starts local authentication.
After the authentication-mode local radius command is used, if the entered user name exists on the device but the entered password is incorrect, the user fails the authentication; if the entered user name does not exist on the device, the user is redirected to the RADIUS authentication mode and is authenticated based on user information on the RADIUS server.
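
The fallback rules above can be checked with a small model. This is an added example, not device code: the function names, the account tables and the `reachable` flag are hypothetical, and every remote mode is assumed to behave like the RADIUS case described above.

```python
import hmac
from enum import Enum

class Result(Enum):
    ACCEPT = 1       # method answered and accepted the credentials
    REJECT = 2       # method answered and denied the user (final)
    NO_USER = 3      # local only: account not created on the device
    NO_RESPONSE = 4  # remote only: server Down or not responding

def _match(stored, supplied):
    # Constant-time comparison; a missing account never matches
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

def local_auth(local_db, user, password):
    if user not in local_db:
        return Result.NO_USER
    return Result.ACCEPT if _match(local_db[user], password) else Result.REJECT

def remote_auth(remote_db, reachable, user, password):
    if not reachable:
        return Result.NO_RESPONSE
    return Result.ACCEPT if _match(remote_db.get(user), password) else Result.REJECT

def authenticate(modes, user, password, local_db, remote_db, reachable=True):
    """Try the modes in configured order; return (accepted, deciding_mode)."""
    for mode in modes:
        if mode == "local":
            result = local_auth(local_db, user, password)
        else:  # ad, hwtacacs, ldap, radius: modelled as one remote server (assumption)
            result = remote_auth(remote_db, reachable, user, password)
        if result in (Result.ACCEPT, Result.REJECT):
            return result is Result.ACCEPT, mode
        # Only NO_USER and NO_RESPONSE move on to the next configured mode
    return False, None

# Constructed sample accounts, not taken from any real device or server
LOCAL = {"admin": "L0cal-pw", "console": "C0nsole-pw"}
REMOTE = {"admin": "R3mote-pw", "ops": "0ps-pw"}

if __name__ == "__main__":
    cases = [
        (["local", "radius"], "ops", "0ps-pw", True),         # unknown locally
        (["local", "radius"], "admin", "R3mote-pw", True),    # wrong local password
        (["radius", "local"], "console", "C0nsole-pw", True), # server up, no remote account
        (["radius", "local"], "console", "C0nsole-pw", False),# server not responding
    ]
    for modes, user, pw, up in cases:
        print(modes, user, "server up" if up else "server down",
              authenticate(modes, user, pw, LOCAL, REMOTE, up))
```

The third and fourth cases differ only in server reachability: with `radius local`, the local `console` account is accepted only while the remote server does not answer.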