Hi, dear friend.
According to the description of your question, the answers are as follows:
Yes, the domain name must be included in the user username for logging in to the device no matter whether the user of RADIUS authentication has configured the username that excludes the domain name by running the undo radius-server user-name domain-included command.
MA5600T(V800R006C02): No matter whether the user uses the default username or configured username, the domain name must be included in the username for logging in. MA5600T (V800R007 and later versions): The username can be configured by running the terminal user authentication-mode AAA domain-name command. After the configuration, the system will add a domain name for the username automatically when the user logs in to the RADIUS server for authentication.
The display terminal user command is used to query users without domain names.
The user with domain name has limited authority on the Radius server and needs to configure the priority to 2 on the Radius to enter the config mode.
MA5600T of version V800R006C02 does not support it. The V800R007 and later versions of MA5600T can support this configuration for some accounts (excluding the root and admin account): run the terminal user authentication-mode AAA domain-name command to set the authentication mode of the terminal user to AAA. In this case:
The system can add an .@huawei to the username that has no domain name.
The AAA account can be used to log in remotely, and the account can pass the authentication. If the local account is used to log in remotely, then the account cannot pass the authentication. However, the root and admin account can pass the authentication for remote login, other local accounts cannot.
Thanks.
