Fault Symptom
Users access the Internet through the router in RADIUS authentication mode. After the RADIUS server becomes unreachable, users that are configured as level-3 users can log in, but they are granted only level-1 rights.
Fault Analysis
1. Users log in to the router as level-1 users, indicating that they have been authenticated and authorized successfully. Nevertheless, they were not authenticated and authorized by RADIUS, which is why they are level-1 users rather than level-3 users.
2. Check user names used by them to log in to the router. As the user names do not contain domain names, the system uses the default domain name to authenticate and authorize the users.
3. Run the display this command in the AAA view to check the configuration on the router. The command output is as follows:
aaa
 authentication-scheme default0
  authentication-mode RADIUS local
 authentication-scheme huawei
  authentication-mode RADIUS
 #
 authorization-scheme default0
  authorization-mode if-authenticated
 authorization-scheme huawei
  authorization-mode if-authenticated
 #
 domain default0
  RADIUS-server group isp
 domain huawei
  authentication-scheme huawei
  RADIUS-server group isp
The command output shows that the authentication scheme of the default domain is RADIUS authentication followed by local re-authentication, and that the authorization scheme is if-authenticated authorization.
If the RADIUS server is unreachable, RADIUS authentication is unavailable, so local re-authentication is adopted. After passing local re-authentication, the users are authorized in if-authenticated mode. If-authenticated authorization, however, does not apply to users that were authenticated locally. Therefore, the system grants the authenticated users the VTY default level (level 1). Only if local authorization is adopted does the system grant users the locally set authorization level.
Procedure
1. Run the system-view command to enter the system view.
2. Run the aaa command to enter the AAA view.
3. Run the authorization-scheme default command to enter the default authorization scheme view.
4. Run the authorization-mode if-authenticated local command to authorize users in if-authenticated mode and then in local mode.
After the preceding operations, users log in to the router as level-3 users. The fault is then rectified.
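As an added example that is not part of the original case or of Huawei documentation, the following shows the authorization-scheme configuration before and after the fix, written against the scheme name default0 that appears in the display this output above. The local-user line is an assumption included only to show where the "locally set level" comes from; the user name and the domain and authentication-scheme lines are assumed unchanged.

```text
# --- before the fix (fault present) ---
# A user falling back to local authentication is authorized with
# if-authenticated only, which does not apply to locally authenticated
# users, so the user receives the VTY default level (level 1).
aaa
 authentication-scheme default0
  authentication-mode RADIUS local
 authorization-scheme default0
  authorization-mode if-authenticated
 local-user user1 privilege level 3
 domain default0
  RADIUS-server group isp

# --- after the fix ---
# Local authorization is appended, so a locally authenticated user
# receives the locally set level (level 3 for user1).
system-view
 aaa
  authorization-scheme default0
   authorization-mode if-authenticated local

# --- verification: the scheme now lists both modes ---
# Run in the AAA view; expected line under authorization-scheme default0:
#  authorization-mode if-authenticated local
display this
```

After the change, a login without a domain name still uses domain default0. While the RADIUS server is reachable, if-authenticated authorization applies as before; when RADIUS is unreachable and local re-authentication succeeds, the local authorization mode takes over and the user's privilege level comes from the local-user entry rather than the VTY default.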
Summary
When users log in without domain names, the system uses the default domain to perform authentication and authorization. If local authentication is adopted, the system grants users the locally set level only when the local authorization mode is also adopted; if the local authorization mode is not adopted, the system grants users the default VTY level (level 1).
