How to configure multiple AAA authentication modes on a CE series switch


CE series switches support multiple authentication modes. If multiple authentication modes are configured in an authentication scheme, the authentication modes take effect in the sequence in which they are configured. A switch uses another authentication mode only when no response is received in the previous authentication mode. However, if authentication fails, the switch does not use another authentication mode.

For example, you can configure RADIUS authentication and local authentication in authentication scheme scheme0.


<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme scheme0
[*HUAWEI-aaa-authen-scheme0] authentication-mode radius local
[*HUAWEI-aaa-authen-scheme0] commit

Other related questions:
Configure AAA authentication schemes on S series switches
Configure an AAA authentication scheme on an S series switch (except the S1700 switch) as follows:
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme scheme1 //Create an AAA authentication scheme.
[HUAWEI-aaa-authen-scheme1] authentication-mode local //Set the authentication mode to local authentication.

How is the authentication mode of VTY users set to AAA on an AR
When Telnet or SSH users log in to the AR through the VTY user interface, set the authentication mode to AAA. The configuration is as follows:
[Huawei] user-interface vty 0 4 //Configure the VTY user interface.
[Huawei-ui-vty0-4] authentication-mode aaa //Set the authentication mode to AAA.

How to configure an authorization template for AAA authentication on an AR router
AAA authentication provides security functions such as authenticating, authorizing, and accounting users to prevent unauthorized users from logging in to the device and enhance system security of the device. For details about the AAA configuration procedure, choose Configuration Guide (via Command Line) > Security Configuration > AAA Configuration through the URL: Product documentation.

How to configure HWTACACS authentication on a CE series switch
Configure HWTACACS authentication on a CE series switch as follows:
<HUAWEI> system-view
[~HUAWEI] hwtacacs enable //Enable the HWTACACS protocol.
[*HUAWEI] hwtacacs server template ht //Create an HWTACACS server template and enter its view.
[*HUAWEI-hwtacacs-ht] hwtacacs server authentication 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authentication server.
[*HUAWEI-hwtacacs-ht] hwtacacs server authorization 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS authorization server.
[*HUAWEI-hwtacacs-ht] hwtacacs server accounting 10.7.66.66 49 //Configure the IP address and port number for the primary HWTACACS accounting server.
[*HUAWEI-hwtacacs-ht] commit
[~HUAWEI-hwtacacs-ht] quit
[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme 1-h //Create an authentication scheme and enter its view.
[*HUAWEI-aaa-authen-1-h] authentication-mode hwtacacs //Set the authentication mode to HWTACACS authentication.
[*HUAWEI-aaa-authen-1-h] commit
[~HUAWEI-aaa-authen-1-h] quit
[~HUAWEI-aaa] authorization-scheme hwtacacs //Create an authorization scheme and enter its view.
[*HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs //Set the authorization mode to HWTACACS authorization.
[*HUAWEI-aaa-author-hwtacacs] commit
[~HUAWEI-aaa-author-hwtacacs] quit
[~HUAWEI-aaa] accounting-scheme hwtacacs //Create an accounting scheme and enter its view.
[*HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs //Set the accounting mode to HWTACACS accounting.
[*HUAWEI-aaa-accounting-hwtacacs] commit
[~HUAWEI-aaa-accounting-hwtacacs] quit
[~HUAWEI-aaa] domain huawei //Create a domain and enter the domain view.
[*HUAWEI-aaa-domain-huawei] authentication-scheme 1-h //Configure an authentication scheme for the domain.
[*HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs //Configure an authorization scheme for the domain.
[*HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs //Configure an accounting scheme for the domain.
[*HUAWEI-aaa-domain-huawei] hwtacacs server ht //Configure an HWTACACS server template for the domain.
[*HUAWEI-aaa-domain-huawei] commit
[~HUAWEI-aaa-domain-huawei] quit
[~HUAWEI-aaa] quit
[~HUAWEI] quit
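
The following check is an added example, not part of the original page or of Huawei's documentation. It reads the aaa section of a saved configuration and reports domains that reference an authentication scheme that was never defined, and schemes that list only server-based modes and so have nothing to fall back on when the server does not respond. The sample configuration is constructed, and its layout (one leading space per nesting level under "aaa") is an assumption, as are the function names.

```python
# Constructed sample in the indented layout of a saved configuration
# (assumption: one leading space per nesting level under "aaa").
SAMPLE_CONFIG = """\
aaa
 authentication-scheme scheme0
  authentication-mode radius local
 authentication-scheme 1-h
  authentication-mode hwtacacs
 domain huawei
  authentication-scheme l-h
 domain branch
  authentication-scheme scheme0
"""

REMOTE_MODES = {"radius", "hwtacacs"}   # modes that depend on a server


def parse_aaa(config):
    """Return ({scheme: [modes]}, {domain: scheme}) from the aaa section."""
    schemes, domains = {}, {}
    kind = name = None                  # block currently being read
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent <= 1:                 # a new block directly under "aaa"
            kind = name = None
            if len(words) == 2 and words[0] in ("authentication-scheme", "domain"):
                kind, name = words
                if kind == "authentication-scheme":
                    schemes[name] = []
        elif kind == "authentication-scheme" and words[0] == "authentication-mode":
            schemes[name] = words[1:]   # modes in the order they are tried
        elif kind == "domain" and words[0] == "authentication-scheme" and len(words) == 2:
            domains[name] = words[1]    # scheme the domain refers to
    return schemes, domains


def audit(config):
    """List dangling scheme references and schemes without a fallback mode."""
    schemes, domains = parse_aaa(config)
    findings = []
    for domain, ref in sorted(domains.items()):
        if ref not in schemes:
            findings.append(f"domain {domain}: authentication-scheme {ref} is not defined")
    for scheme, modes in sorted(schemes.items()):
        if modes and all(m in REMOTE_MODES for m in modes):
            findings.append(f"scheme {scheme}: {' '.join(modes)} only, "
                            "no fallback if the server does not respond")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```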
