Why administrators are not allowed to use no-authentication on the AR


To improve the security of the AR, administrators are not allowed to use no-authentication.

Other related questions:
Why non-authentication cannot be used for the administrator on an AR
To improve the security of the AR, administrators are not allowed to use no-authentication.

Can the authentication mode of an AR router administrator user be set only to No authentication on the AAA side
To improve device security, administrator users are required to be authenticated on the AAA side as well.

Why must the administrator pass AAA authentication
To ensure device security, the administrator must pass AAA authentication in local or remote authentication mode. However, the administrator can log in to the device in non-authentication mode in the VTY interface view.

Only some users are allowed to access the web pages of an AR router
You can configure ACL rules on an AR router to control web access permission. The configuration can be implemented using command lines or through the web NMS.
1. Command lines: For the sake of security, configure an ACL on the router to limit clients which can log in to the device in HTTPS mode if the device is used as an HTTPS server.
   [Huawei] acl 2000  //Set the ACL number of an HTTPS IPv4 server to 2000.
   [Huawei-acl-basic-2000] rule 5 permit source 10.1.1.1 0
   [Huawei-acl-basic-2000] quit
   [Huawei] http acl 2000  //Configure an HTTP login limit.
2. Web NMS: For details, choose Web-based Configuration > Security > ACL.
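How the basic ACL above is matched, as an added example that is not Huawei's code or part of the original answer: the Python below parses `rule` lines and evaluates a client address using wildcard-mask matching, assuming the default match order (ascending rule ID). Rules 10 and 15 are constructed for illustration, and treating a client that matches no rule as denied is an assumption about the HTTP ACL binding.

```python
import ipaddress
import re

# Rule 5 is from the answer above; rules 10 and 15 are constructed samples.
SAMPLE_ACL = """
rule 5 permit source 10.1.1.1 0
rule 10 deny source 10.1.2.0 0.0.0.255
rule 15 permit source 10.1.0.0 0.0.255.255
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")


def parse_rules(text):
    """Return [(rule_id, action, address_int, wildcard_int)] sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a basic rule
        rule_id, action, addr, wildcard = m.groups()
        # A bare "0" wildcard is shorthand for 0.0.0.0 (exact host match).
        wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
        rules.append((int(rule_id), action, int(ipaddress.IPv4Address(addr)), wc))
    return sorted(rules)


def evaluate(rules, client_ip, default="deny"):
    """Return (action, rule_id) of the first matching rule, else (default, None)."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for rule_id, action, addr, wc in rules:
        care = ~wc & 0xFFFFFFFF  # wildcard bit 1 = ignore that address bit
        if (ip & care) == (addr & care):
            return action, rule_id
    # Assumption: a client matching no rule is refused by the HTTP ACL binding.
    return default, None


if __name__ == "__main__":
    acl = parse_rules(SAMPLE_ACL)
    for ip in ("10.1.1.1", "10.1.2.7", "10.1.3.3", "192.168.1.1"):
        print(ip, evaluate(acl, ip))
```

Running a planned rule set through a check like this before applying it shows whether a broad permit such as rule 15 admits more management clients than intended.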

The administrator cannot pass authentication if the administrator's authentication mode is changed to RADIUS authentication on an S series switch
The administrator cannot pass authentication if the administrator's authentication mode is changed to RADIUS authentication. For S series switches (except the S1700), such an authentication failure occurs because the entered user name does not contain a domain name. You need to check whether the user name on the authentication server contains a domain name.
- If the user name on the authentication server contains a domain name, run the radius-server user-name domain-included command in the RADIUS server template view or run the hwtacacs-server user-name domain-included command in the HWTACACS server template view.
- If the user name on the authentication server does not contain a domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view or run the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view.
