Fault Symptom
On the router, AAA local authentication is configured for a Telnet user and the level-15 authority is assigned to the user.
After a VTY user logs in, run the display user-interface command to view the authority of the VTY user. The output shows that the VTY user obtains only the level-0 authority, not the level-15 authority.
<HUAWEI> display user-interface
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
33 AUX 0 9600 - 0 - N -
+ 34 VTY 0 - 0 0 A -
The VTY user can obtain the level-15 authority only after the super command is run.
Fault Analysis
1. Run the display current-configuration command to check the authentication mode configured on the VTY user interface.
<HUAWEI> display current-configuration
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
The command output shows that the VTY user interface is correctly configured with the AAA authentication mode.
2. Run the display current-configuration command to check the AAA configuration.
<HUAWEI> display current-configuration
#
aaa
local-user ipops password cipher .J]K3BK;Q!!
local-user ipops service-type telnet ssh
local-user ipops level 15
authentication-scheme default
authentication-mode local
authentication-super super
#
authorization-scheme default
authorization-mode if-authenticated
#
accounting-scheme default
accounting start-fail online
#
domain default
#
The command output shows that the authorization mode used in the authorization scheme is if-authenticated. In if-authenticated mode, a user is authorized as soon as the user has passed authentication in any mode other than none; the user attributes configured in the local user database, such as the user level, are not applied.
When a VTY user logs in, the router authorizes the VTY user in if-authenticated mode. Although the local user is configured with the level-15 authority, the VTY user cannot obtain it, because the authorization mode is not local authorization. Instead, the VTY user is assigned the default authority, which for a VTY user is level 0.
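As an added example (not part of the original case), the following Python script applies this analysis to a saved display current-configuration dump: it picks out the local users with a configured level, the authentication-mode of each authentication scheme and the authorization-mode of each authorization scheme, and reports users whose level cannot take effect because the authorization scheme does not use local authorization. It also reads a saved display user-interface output to list the actual privilege of active VTY sessions. Both sample texts are constructed from the outputs shown above; the script assumes the users log in through the default domain, which uses the default schemes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the AAA block from the failing configuration above
# (indented as the router prints it; the parser ignores indentation).
FAILING_AAA_CONFIG = """\
#
aaa
 local-user ipops password cipher .J]K3BK;Q!!
 local-user ipops service-type telnet ssh
 local-user ipops level 15
 authentication-scheme default
  authentication-mode local
  authentication-super super
 #
 authorization-scheme default
  authorization-mode if-authenticated
 #
 accounting-scheme default
  accounting start-fail online
 #
 domain default
#
"""

# The same block after the fix: the authorization scheme also uses local.
FIXED_AAA_CONFIG = FAILING_AAA_CONFIG.replace(
    "authorization-mode if-authenticated", "authorization-mode local")

# Constructed sample input: the display user-interface output from the symptom.
USER_INTERFACE_OUTPUT = """\
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     3     -           N     -
  33   AUX 0    9600       -     0     -           N     -
+ 34   VTY 0    -          0     0     0           A     -
"""


@dataclass
class AaaConfig:
    user_levels: dict = field(default_factory=dict)   # user -> configured level
    auth_modes: dict = field(default_factory=dict)    # scheme -> authentication-mode tokens
    authz_modes: dict = field(default_factory=dict)   # scheme -> authorization-mode tokens


def parse_aaa(text: str) -> AaaConfig:
    """Extract the fields this audit needs from a display current-configuration dump."""
    cfg = AaaConfig()
    scheme_kind = scheme_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":            # section separator: leaves the current scheme view
            scheme_kind = scheme_name = None
            continue
        m = re.match(r"local-user (\S+) level (\d+)$", line)
        if m:
            cfg.user_levels[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"(authentication|authorization|accounting)-scheme (\S+)$", line)
        if m:
            scheme_kind, scheme_name = m.group(1), m.group(2)
            continue
        m = re.match(r"(authentication|authorization)-mode (.+)$", line)
        # Only attribute a -mode line to a scheme of the matching kind, so the
        # "authentication-mode aaa" under user-interface vty is not mistaken for one.
        if m and scheme_kind == m.group(1) and scheme_name:
            target = cfg.auth_modes if m.group(1) == "authentication" else cfg.authz_modes
            target[scheme_name] = m.group(2).split()
    return cfg


def audit(text: str, scheme: str = "default") -> list:
    """Report local users whose configured level will not be applied at login.

    Assumption of this example: users log in through the default domain, which is
    bound to the 'default' authentication and authorization schemes.
    """
    cfg = parse_aaa(text)
    auth = cfg.auth_modes.get(scheme, [])
    authz = cfg.authz_modes.get(scheme, [])
    findings = []
    if "local" in auth and authz and "local" not in authz:
        for user, level in sorted(cfg.user_levels.items()):
            findings.append(
                f"local-user {user} level {level}: authentication-scheme {scheme} is local "
                f"but authorization-scheme {scheme} is {' '.join(authz)}; the user will be "
                f"assigned the default VTY level 0 instead of level {level}")
    return findings


def vty_actual_privileges(text: str) -> dict:
    """Map each active VTY line index (rows marked '+') to its ActualPrivi value."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "+":
            continue
        idx, kind = parts[1], parts[2]
        actual = parts[-3]          # columns counted from the right: Privi ActualPrivi Auth Int
        if kind == "VTY" and actual != "-":
            result[int(idx)] = int(actual)
    return result


if __name__ == "__main__":
    for finding in audit(FAILING_AAA_CONFIG):
        print(finding)
    print("after fix:", audit(FIXED_AAA_CONFIG))
    print("active VTY privileges:", vty_actual_privileges(USER_INTERFACE_OUTPUT))
```

Running the audit over the failing configuration names the ipops user and the mismatched scheme modes; over the corrected configuration it reports nothing, and the user-interface parser shows VTY 34 at actual privilege 0, matching the symptom.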
Procedure
1. Run the system-view command to enter the system view.
2. Run the aaa command to enter the AAA view.
3. Run the authorization-scheme default command to enter the default authorization scheme view.
4. Run the authorization-mode local command to configure the local authorization mode.
After the configuration, when the VTY user logs in, run the display user-interface command to view the authority of the VTY user.
<HUAWEI> display user-interface
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 3 - N -
33 AUX 0 9600 - 0 - N -
+ 34 VTY 0 - 0 15 A -
The command output shows that the VTY user obtains the level-15 authority. Thus, the fault is rectified.
Summary
When configuring the AAA authentication mode, ensure that the authentication mode and the authorization mode are consistent.
