H3C Technologies H3C SecPath F1000-E User Manual

Page 121

113

execute only basic commands like ping and tracert and use a few display commands. The switching operation is effective for the current login. After the user relogs in, the user privilege restores to the original level.

To avoid problems, H3C recommends that administrators log in with a lower privilege level to view switch operating parameters, and switch to a higher level temporarily only when they must maintain the device.

When an administrator must leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others.

Configuring the authentication parameters for user privilege level switching

A user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to enter a password (if any).

For security, a user is required to enter a password (if any) to switch to a higher privilege level. The authentication falls into one of the following categories:

Keyword: local
Authentication mode: Local password authentication only (local-only)
Description: The device authenticates a user by using the privilege level switching password entered by the user. To use this mode, you must set the password for privilege level switching by using the super password command.

Keyword: scheme
Authentication mode: Remote AAA authentication through HWTACACS or RADIUS
Description: The device sends the username and password for privilege level switching to the HWTACACS or RADIUS server for remote authentication. To use this mode, you must perform the following configuration tasks:
- Configure the required HWTACACS or RADIUS schemes and configure the ISP domain to use the schemes for users. For more information, see System Management and Maintenance Configuration Guide.
- Add user accounts and specify the user passwords on the HWTACACS or RADIUS server.

Keyword: local scheme
Authentication mode: Local password authentication first and then remote AAA authentication
Description: The device authenticates a user by using the local password first. If no password for privilege level switching is set, a user logged in to the console user interface is switched directly; for VTY users, AAA authentication is performed.

Keyword: scheme local
Authentication mode: Remote AAA authentication first and then local password authentication
Description: AAA authentication is performed first. If the remote HWTACACS or RADIUS server does not respond or the AAA configuration on the device is invalid, local password authentication is performed.
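The fallback rules of the four modes above are easy to misread, in particular the console/VTY split in "local scheme" and the fact that "scheme local" only falls back when the server is silent, not when it rejects. The following model is an added illustration (not H3C code) that encodes the rules as written; the Device class, the simulated AAA server and the choice to deny a "local" switch when no password is set are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Device:
    # Password set with the "super password" command; None if not configured.
    switch_password: Optional[str]
    # True when a valid HWTACACS/RADIUS scheme is bound to the ISP domain.
    aaa_configured: bool
    # Simulated remote server (assumption): True/False for a decision,
    # None when the server does not respond.
    aaa_server: Callable[[str, str], Optional[bool]]

def local_check(dev: Device, password: str) -> Optional[bool]:
    """None means no switching password is set on the device."""
    if dev.switch_password is None:
        return None
    return password == dev.switch_password

def aaa_check(dev: Device, username: str, password: str) -> Optional[bool]:
    """None means AAA configuration is invalid or the server did not respond."""
    if not dev.aaa_configured:
        return None
    return dev.aaa_server(username, password)

def can_switch(dev, mode, user_type, username, password, current, target) -> bool:
    # Equal or lower level: no password required.
    if target <= current:
        return True
    if mode == "local":
        # Unset password is treated as a failed switch (assumption).
        return local_check(dev, password) is True
    if mode == "scheme":
        return aaa_check(dev, username, password) is True
    if mode == "local scheme":
        result = local_check(dev, password)
        if result is not None:
            return result          # a configured local password decides
        # No local password: console users switch directly, VTY users go to AAA.
        if user_type == "console":
            return True
        return aaa_check(dev, username, password) is True
    if mode == "scheme local":
        result = aaa_check(dev, username, password)
        if result is not None:
            return result          # server answered: its verdict is final
        return local_check(dev, password) is True
    raise ValueError(f"unknown authentication mode: {mode}")
```

Note that in "local scheme" a wrong local password is a rejection, not a fallback to AAA, and in "scheme local" a server rejection is final; the local password is only consulted when the server does not answer or AAA is misconfigured.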

To configure the authentication parameters for a user privilege level:

Step 1: Enter system view.
Command: system-view
Remarks: N/A
