
authorization-mode

Function

The authorization-mode command configures an authorization mode for an authorization scheme.

The undo authorization-mode command restores the default authorization mode in an authorization scheme.

By default, local authorization is used.

Format

authorization-mode { hwtacacs | if-authenticated | local | radius | ldap | ad } *

undo authorization-mode

Parameters

| Parameter | Description | Value |
|---|---|---|
| hwtacacs | Indicates that the user is authorized by an HWTACACS server. | - |
| if-authenticated | Indicates that only the user who succeeds in authentication is authorized. NOTE: This parameter does not take effect for SSL VPN users. | - |
| local | Authenticates users locally. | - |
| radius | Indicates that the user is authorized by a RADIUS server. NOTE: When RADIUS authentication and authorization are used during user login, the device does not send RADIUS authorization packets separately. | - |
| ldap | Indicates that the user is authorized by an LDAP server. | - |
| ad | Indicates that the user is authorized by an AD server. | - |

Views

Authorization scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To authorize users, configure an authorization mode in an authorization scheme.

You can configure multiple authorization modes in an authorization scheme to reduce the chance of authorization failures.

After the authorization-mode hwtacacs local command is used, if the device fails to connect to the HWTACACS authentication server and HWTACACS authorization cannot be performed, the device starts local authorization.

Precautions

  • If multiple authorization modes are used in an authorization scheme, the if-authenticated mode must be used as the last authorization mode.
  • If the authorization mode is set to if-authenticated, the user privilege level is inherited from the user domain or is the same as that set in the VTY user view.
  • If multiple authorization modes are configured in an authorization scheme, the authorization modes are used according to the sequence in which they were configured. The device uses another authorization mode only when it does not receive any response in the current authorization mode.
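
An added example (not Huawei code): a small Python audit that reads authorization-scheme blocks from a saved configuration, flags if-authenticated anywhere but last, and shows which mode decides when a server rejects versus gives no response. The configuration layout, the function names, and the modelling of local and if-authenticated as always answering with "accept" are assumptions.

```python
import re

VALID_MODES = {"hwtacacs", "if-authenticated", "local", "radius", "ldap", "ad"}
ON_BOX = {"local", "if-authenticated"}  # assumed to be answered by the device itself

# Constructed sample configuration (layout is an assumption).
SAMPLE = """
aaa
 authorization-scheme scheme1
  authorization-mode hwtacacs local
 authorization-scheme scheme2
  authorization-mode if-authenticated hwtacacs
 authorization-scheme scheme3
"""

def parse_schemes(config_text):
    """Map each authorization scheme name to its ordered list of modes."""
    schemes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"authorization-scheme (\S+)", line)
        if m:
            current = m.group(1)
            schemes[current] = ["local"]  # default: local authorization
        elif current and line.startswith("authorization-mode "):
            schemes[current] = line.split()[1:]
    return schemes

def audit(modes):
    """Return findings for one scheme's mode list."""
    findings = []
    unknown = [m for m in modes if m not in VALID_MODES]
    if unknown:
        findings.append("unknown mode(s): " + ", ".join(unknown))
    if "if-authenticated" in modes[:-1]:
        findings.append("if-authenticated must be the last mode")
    return findings

def deciding_mode(modes, responses):
    """Walk modes in order; move on only when a mode gives no response (None)."""
    for mode in modes:
        outcome = responses.get(mode, "accept" if mode in ON_BOX else None)
        if outcome is not None:
            return mode, outcome
    return None, "no-response"

if __name__ == "__main__":
    for name, modes in parse_schemes(SAMPLE).items():
        print(name, modes, audit(modes) or "ok")
    print(deciding_mode(["hwtacacs", "local"], {"hwtacacs": None}))
    print(deciding_mode(["hwtacacs", "local"], {"hwtacacs": "reject"}))
```

A rejection from the first server is final; only silence hands the decision to the next mode, which is why the last mode in the list deserves the same review as the first.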

Example

# Configure the authorization scheme named scheme1 to apply HWTACACS authorization.

<sysname> system-view
[sysname] aaa
[sysname-aaa] authorization-scheme scheme1
[sysname-aaa-author-scheme1] authorization-mode hwtacacs
Copyright © Huawei Technologies Co., Ltd.