Fault Symptom
Users access network devices through Telnet. RADIUS authentication and then local authentication are implemented for the users. The default domain is used. A level 3 authority is configured for both RADIUS and local users.
aaa
authentication-scheme default
authentication-mode radius local
local-user cs password simple cs
local-user cs service-type telnet
local-user cs level 3
After the user logs in to the device, the relevant command output shows that the user has only a level 0 authority.
Login authentication
Username:cs
Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 4.
<HUAWEI>?
User view commands:
cluster Run cluster command
display Mfib proxy module
hwtacacs-user HWTACACS user
language-mode Specify the language environment
local-user Local user
ping Ping function
quit Exit from current command view
return Exit to user view
save Save file
super Privilege current user a specified priority level
telnet Establish a Telnet connection
trace Trace route (switch) to host on Data Link Layer
tracert Trace route to host
Fault Analysis
1. The user has a level 0 authority, which indicates that the user has passed authentication and has been authorized; the authorization level, however, is not the one assigned by the RADIUS server. The likely cause is that the user did not go through RADIUS authentication and authorization.
2. The login user name does not contain a domain name, so the system authenticates and authorizes the user with the schemes bound to the default domain. Check the authentication and authorization configurations: in the default domain, RADIUS authentication is tried first and local authentication second, and the authorization mode is set to if-authenticated.
<HUAWEI>display current-configuration configuration aaa
#
aaa
local-user cs password simple cs
local-user cs service-type telnet
local-user cs level 3
authentication-scheme default
authentication-mode radius local
#
authorization-scheme default
authorization-mode if-authenticated
#
accounting-scheme default
accounting-scheme huawei
#
domain default
If the RADIUS server is unreachable, the user falls back to local authentication. Because the configured authorization mode if-authenticated does not apply to locally authenticated users, the system returns the VTY default authorization (level 0) to a user who has passed local authentication.
Only if local authorization is used does the system return the authorization level configured locally for the user.
Procedure
1. Run the authorization-scheme default command to enter the authorization scheme view.
2. Run the authorization-mode if-authenticated local command so that if-authenticated authorization is used first and local authorization is used for users who are authenticated locally.
Alternatively, perform the following operations to change the user level to level 3.
a. Run the user-interface vty number1 number2 command to enter the VTY user interface view.
b. Run the authentication-mode aaa command to configure AAA authentication.
c. Run the user privilege level 3 command to modify the user level to level 3.
After the preceding operations, the user has a level 3 authority and the fault is rectified.
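The decision path described in the Fault Analysis and fixed in the Procedure, modelled as an added illustration (this is not Huawei code; the local user table and the RADIUS level value are constructed inputs):

```python
# Model of the authorization path the case describes: authentication tries
# RADIUS then local, and the authorization scheme decides the privilege
# level the VTY session gets. Constructed illustration, not device code.
VTY_DEFAULT_LEVEL = 0  # page: logins other than console default to level 0

# Constructed local user database, mirroring "local-user cs level 3".
LOCAL_USERS = {"cs": {"password": "cs", "level": 3}}


def authenticate(username, password, radius_reachable, radius_level=None):
    """Return (method, level) on success, or None if authentication fails.

    radius_level stands in for the privilege level the RADIUS server would
    return; it is only consulted when the server is reachable (assumption).
    """
    if radius_reachable:
        if radius_level is not None:
            return ("radius", radius_level)
        return None                      # RADIUS rejected the user
    user = LOCAL_USERS.get(username)     # fallback: "authentication-mode radius local"
    if user and user["password"] == password:
        return ("local", user["level"])
    return None


def authorize(auth_result, authorization_modes):
    """Apply the authorization scheme's modes in order and return the level.

    'if-authenticated' only passes on the level that came with RADIUS; for a
    locally authenticated user it grants nothing, so the VTY default applies
    unless 'local' is also listed (the fix in the Procedure section).
    """
    method, level = auth_result
    for mode in authorization_modes:
        if mode == "if-authenticated" and method == "radius":
            return level
        if mode == "local" and method == "local":
            return level
    return VTY_DEFAULT_LEVEL


def effective_level(username, password, radius_reachable, modes, radius_level=None):
    """Privilege level the user ends up with, or None if login fails."""
    result = authenticate(username, password, radius_reachable, radius_level)
    return None if result is None else authorize(result, modes)


if __name__ == "__main__":
    # Faulty scheme: RADIUS down, cs falls back to local -> level 0
    print(effective_level("cs", "cs", False, ["if-authenticated"]))           # 0
    # Corrected "authorization-mode if-authenticated local" -> level 3
    print(effective_level("cs", "cs", False, ["if-authenticated", "local"]))  # 3
```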
Summary
If the login name does not contain a domain name, the system performs authentication and authorization in the default domain. When local authentication is used, the system returns the authorization level configured locally for the user only if local authorization is also used; otherwise, the system returns the VTY default authorization (level 0) to the user. By default, users logging in through the console interface can use commands at level 3, and users logging in through other interfaces can use commands at level 0.
