17-AAA-RADIUS-HWTACACS Command


Table of Contents

Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands. 1-1

1.1 AAA Configuration Commands. 1-1

1.1.1 access-limit 1-1

1.1.2 accounting. 1-2

1.1.3 accounting optional 1-3

1.1.4 attribute. 1-4

1.1.5 authentication. 1-5

1.1.6 authorization. 1-6

1.1.7 cut connection. 1-7

1.1.8 display connection. 1-9

1.1.9 display domain. 1-11

1.1.10 display local-user 1-12

1.1.11 domain. 1-14

1.1.12 idle-cut 1-15

1.1.13 level 1-15

1.1.14 local-user 1-16

1.1.15 local-user password-display-mode. 1-17

1.1.16 messenger 1-18

1.1.17 name. 1-19

1.1.18 password. 1-20

1.1.19 radius-scheme. 1-21

1.1.20 scheme. 1-22

1.1.21 self-service-url 1-23

1.1.22 service-type. 1-24

1.1.23 state. 1-25

1.1.24 vlan-assignment-mode. 1-26

1.2 RADIUS Configuration Commands. 1-28

1.2.1 accounting optional 1-28

1.2.2 accounting-on enable. 1-29

1.2.3 data-flow-format 1-31

1.2.4 display local-server statistics. 1-31

1.2.5 display radius scheme. 1-32

1.2.6 display radius statistics. 1-34

1.2.7 display stop-accounting-buffer 1-36

1.2.8 key. 1-37

1.2.9 local-server 1-38

1.2.10 local-server nas-ip. 1-39

1.2.11 nas-ip. 1-40

1.2.12 primary accounting. 1-41

1.2.13 primary authentication. 1-42

1.2.14 radius client 1-44

1.2.15 radius nas-ip. 1-44

1.2.16 radius scheme. 1-45

1.2.17 radius trap. 1-46

1.2.18 reset radius statistics. 1-47

1.2.19 reset stop-accounting-buffer 1-48

1.2.20 retry. 1-49

1.2.21 retry realtime-accounting. 1-50

1.2.22 retry stop-accounting. 1-51

1.2.23 secondary accounting. 1-52

1.2.24 secondary authentication. 1-53

1.2.25 server-type. 1-54

1.2.26 state. 1-55

1.2.27 stop-accounting-buffer enable. 1-56

1.2.28 timer 1-57

1.2.29 timer quiet 1-58

1.2.30 timer realtime-accounting. 1-59

1.2.31 timer response-timeout 1-60

1.2.32 user-name-format 1-61

1.3 HWTACACS Configuration Commands. 1-63

1.3.1 data-flow-format 1-63

1.3.2 display hwtacacs. 1-63

1.3.3 display stop-accounting-buffer 1-65

1.3.4 hwtacacs nas-ip. 1-65

1.3.5 hwtacacs scheme. 1-66

1.3.6 key. 1-67

1.3.7 nas-ip. 1-68

1.3.8 primary accounting. 1-69

1.3.9 primary authentication. 1-70

1.3.10 primary authorization. 1-71

1.3.11 reset hwtacacs statistics. 1-72

1.3.12 reset stop-accounting-buffer 1-72

1.3.13 retry stop-accounting. 1-73

1.3.14 secondary accounting. 1-74

1.3.15 secondary authentication. 1-75

1.3.16 secondary authorization. 1-76

1.3.17 timer quiet 1-77

1.3.18 timer realtime-accounting. 1-77

1.3.19 timer response-timeout 1-79

1.3.20 user-name-format 1-79

 


Chapter 1  AAA & RADIUS & HWTACACS Configuration Commands

1.1  AAA Configuration Commands

1.1.1  access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameter

disable: Specifies not to limit the number of access users that can be contained in current ISP domain.

enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain. The max-user-number argument ranges from 1 to 2,072.

Description

Use the access-limit command to set the maximum number of access users that can be contained in current ISP domain.

Use the undo access-limit command to restore the default setting.

By default, there is no limit on the number of access users in an ISP domain.

Because resource contention may occur among access users, there is a need to limit the number of access users in an ISP domain so as to provide reliable performance to the current users in the ISP domain.

Example

# Allow ISP domain aabbcc.net to contain at most 500 access users.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] access-limit enable 500

1.1.2  accounting

Syntax

accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }

undo accounting

View

ISP domain view

Parameter

none: Specifies not to perform user accounting.

radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme; it is a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use a HWTACACS accounting scheme. Here, hwtacacs-scheme-name is the name of a HWTACACS scheme; it is a string of up to 32 characters.

Description

Use the accounting command to configure an accounting scheme for current ISP domain.

Use the undo accounting command to cancel the accounting scheme configuration for current ISP domain.

By default, no separate accounting scheme is configured for an ISP domain.

When you use the accounting command to reference a RADIUS or HWTACACS scheme in current ISP domain, the RADIUS or HWTACACS scheme must already exist.

The accounting command takes precedence over the scheme command. If the accounting command is used in ISP domain view, the system uses the scheme referenced in the accounting command to charge the users in the domain. Otherwise, the system uses the scheme referenced in the scheme command to charge the users.

Related command: scheme, radius scheme, and hwtacacs scheme.

Example

# Specify "radius" as the RADIUS accounting scheme that will be referenced by ISP domain "aabbcc.net".

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] accounting radius-scheme radius

1.1.3  accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameter

None

Description

Use the accounting optional command to open the accounting-optional switch.

Use the undo accounting optional command to close the accounting-optional switch.

By default, the accounting-optional switch is closed.

Note that:

If the accounting optional command has been executed and the system, while performing accounting for an online user, finds no available accounting server or fails to communicate with any accounting server, it keeps the user online instead of disconnecting the user as it otherwise would. The accounting optional command is commonly used where only authentication is needed and accounting is not.

Example

# Open the accounting-optional switch for the ISP domain named aabbcc.net.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] accounting optional

1.1.4  attribute

Syntax

attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*

undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*

View

Local user view

Parameter

ip ip-address: Sets the IP address of the user.

mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format.

idle-cut second: Allows the local user to enable the idle-cut function. Here, second is the idle time before cutting down, which ranges from 60 to 7,200 seconds.

access-limit max-user-number: Sets the maximum number of users who can access the switch with the current user name. Here, max-user-number ranges from 1 to 1,024.

vlan vlan-id: Sets the VLAN attribute of the user (that is, specifies to which VLAN the user belongs). Here, vlan-id is an integer ranging from 1 to 4094.

location: Sets the port binding attribute of the user.

nas-ip ip-address: Sets the IP address of an access server, so that the user can be bound to a port on the server. Here, ip-address is in dotted decimal notation and is 127.0.0.1 by default (representing this device). When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address. When binding the user to a local port, you need not use nas-ip ip-address.

port port-number: Sets the port to which you want to bind the user. Here, port-number is in the format of device ID/slot number/port number; the device ID ranges from 1 to 8, the slot number ranges from 0 to 15 (if the bound port has no slot number, just input 0 for this item) and the port number ranges from 1 to 255.

Description

Use the attribute command to set the attributes of a user whose service type is lan-access.

Use the undo attribute command to cancel attribute settings of the user.

Related command: display local-user.

Example

# Set the IP address of user1 to 10.110.50.1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user user1

New local user added.

[H3C-luser-user1] attribute ip 10.110.50.1

1.1.5  authentication

Syntax

authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo authentication

View

ISP domain view

Parameter

radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use a HWTACACS authentication scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.

local: Specifies to use local authentication scheme.

none: Specifies not to perform authentication.

Description

Use the authentication command to configure an authentication scheme for current ISP domain.

Use the undo authentication command to restore the default authentication scheme setting of current ISP domain.

By default, no separate authentication scheme is configured for an ISP domain.

Before you can use the authentication command to reference a RADIUS scheme in current ISP domain, the RADIUS scheme must already exist.

If you execute the authentication radius-scheme radius-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication will be performed; otherwise, local authentication will be performed.

If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication will be performed; otherwise, local authentication will be performed.

If you execute the authentication local command, the local scheme is used as the primary scheme. In this case, only local authentication will be performed.

If you execute the authentication none command, no authentication will be performed.

The authentication command takes precedence over the scheme command. If the authentication command is configured in an ISP domain view, the system uses the authentication scheme referenced in the command to authenticate the users in the domain; otherwise it uses the scheme referenced in the scheme command to authenticate the users.

Related command: scheme, radius scheme, and hwtacacs scheme.
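The precedence and fallback rules above (authentication overrides scheme; a trailing local keyword is used only when the remote server cannot be reached; none skips authentication entirely) are easy to misread when auditing a configuration. The following is an added example, not code from the H3C manual or the switch software; the data classes, function names and the "unavailable" result are assumptions made for illustration.

```python
# Added example (not from the H3C manual): a small model of the authentication
# precedence rules described above. All names and structures are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthSetting:
    """One authentication setting as configured in ISP domain view."""
    kind: str                          # "radius-scheme", "hwtacacs-scheme", "local" or "none"
    scheme_name: Optional[str] = None  # name of the referenced RADIUS/HWTACACS scheme
    local_fallback: bool = False       # trailing 'local' keyword present


@dataclass
class IspDomain:
    name: str
    scheme: AuthSetting                           # set with the 'scheme' command
    authentication: Optional[AuthSetting] = None  # set with 'authentication', if used


def effective_authentication(domain: IspDomain, server_reachable: bool) -> str:
    """Return the scheme that will actually authenticate a user of this domain.

    'authentication' takes precedence over 'scheme'; a remote scheme with the
    'local' suffix falls back to local authentication only when the switch
    cannot communicate with the remote server.
    """
    setting = domain.authentication if domain.authentication is not None else domain.scheme
    if setting.kind in ("local", "none"):
        return setting.kind
    if server_reachable:
        return f"{setting.kind} {setting.scheme_name}"
    if setting.local_fallback:
        return "local"
    # Remote server unreachable and no local fallback configured:
    # users of this domain cannot be authenticated at all.
    return "unavailable"


def review_domain(domain: IspDomain) -> List[str]:
    """Report settings that bypass authentication or leave the domain without
    any usable scheme when the remote server is down."""
    findings = []
    if effective_authentication(domain, True) == "none":
        findings.append(f"{domain.name}: authentication is disabled (none)")
    if effective_authentication(domain, False) == "unavailable":
        findings.append(f"{domain.name}: no local fallback; users are locked out if the server is unreachable")
    return findings


if __name__ == "__main__":
    # Constructed sample matching the second example below: radius-scheme rd local
    dom = IspDomain("aabbcc", scheme=AuthSetting("local"),
                    authentication=AuthSetting("radius-scheme", "rd", local_fallback=True))
    print(effective_authentication(dom, True), "/", effective_authentication(dom, False))
    print(review_domain(IspDomain("guest", scheme=AuthSetting("none"))))
```

review_domain is the part worth keeping around: a domain whose effective scheme is none admits users without any credential check, which is the finding a configuration review should surface first.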

Example

# Reference the RADIUS scheme "radius" as the authentication scheme of the ISP domain aabbcc.net.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] authentication radius-scheme radius

# Reference the RADIUS scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the ISP domain aabbcc.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc

New Domain added.

[H3C-isp-aabbcc] authentication radius-scheme rd local

1.1.6  authorization

Syntax

authorization { none | hwtacacs-scheme hwtacacs-scheme-name }

undo authorization

View

ISP domain view

Parameter

none: Specifies not to use any authorization scheme.

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use a HWTACACS scheme. Here, hwtacacs-scheme-name is the name of a HWTACACS scheme; it is a string of up to 32 characters.

Description

Use the authorization command to configure an authorization scheme for current ISP domain.

Use the undo authorization command to restore the default authorization scheme setting of the ISP domain.

By default, no separate authorization scheme is configured for an ISP domain.

Related command: scheme, radius scheme, and hwtacacs scheme.

Example

# Allow users in ISP domain aabbcc.net to access network services without being authorized.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] authorization none

1.1.7  cut connection

Syntax

cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }

View

System view

Parameter

all: Cuts down all user connections.

access-type { dot1x | mac-authentication }: Cuts down user connections of a specified access type. dot1x is used to cut down all 802.1x user connections, and mac-authentication is used to cut down all MAC authentication user connections.

domain isp-name: Cuts down all user connections in a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 24 characters. You can only specify an existing ISP domain.

interface interface-type interface-number: Cuts down all user connections under a specified port. Here, interface-type is a port type and interface-number is a port number.

ip ip-address: Cuts down all user connections with a specified IP address.

mac mac-address: Cuts down the user connection with a specified MAC address. Here, mac-address is in H-H-H format.

radius-scheme radius-scheme-name: Cuts down all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.

vlan vlan-id: Cuts down all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.

ucibindex ucib-index: Cuts down the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071.

user-name user-name: Cuts down the connection of a specified user. Here, user-name is a string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part behind @) cannot be longer than 24 characters.

Description

Use the cut connection command to forcibly cut down one user connection, one type of user connections, or all user connections.

This command cannot cut down the connections of Telnet and FTP users.

Related command: display connection.

Example

# Cut down all user connections under the ISP domain aabbcc.net.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] cut connection domain aabbcc.net

1.1.8  display connection

Syntax

display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]

View

Any view

Parameter

access-type { dot1x | mac-authentication }: Displays user connections of a specified access type. Here, dot1x is used to display all 802.1x user connections, and mac-authentication is used to display all MAC authentication user connections.

domain isp-name: Displays all user connections under a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 24 characters. You can only specify an existing ISP domain.

interface interface-type interface-number: Displays all user connections on a specified port.

ip ip-address: Displays all user connections with a specified IP address.

mac mac-address: Displays the user connection with a specified MAC address. Here, mac-address is in hexadecimal format (in the form of H-H-H).

radius-scheme radius-scheme-name: Displays all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Displays all user connections using a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.

vlan vlan-id: Displays all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.

ucibindex ucib-index: Displays the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071.

user-name user-name: Displays the connection of a specified user. Here, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, the domain-name cannot be longer than 24 characters, and the entire user-name cannot be longer than 80 characters.

Description

Use the display connection command to display information about specified or all user connections.

If you execute this command without specifying any parameter, all user connections will be displayed.

This command cannot display information about the connections of FTP users.

Related command: cut connection.

Example

# Display information about all user connections.

<H3C> display connection

------------------unit 1------------------------

On Unit 1: Total 0 connections matched, 0 listed.

 

------------------unit 2------------------------

Index=40 , Username=user1@domain1

MAC=000f-3d80-4ce5  , IP=0.0.0.0

 On Unit 2: Total 1 connections matched, 1 listed.

 

------------------unit 3------------------------

On Unit 3:Total 0 connections matched, 0 listed.

 

Total 1 connections matched, 1 listed.

# Display information about the user connection with index 0.

[H3C] display connection ucibindex 0

Index=0   , Username=user1@system

MAC=000f-3d80-4ce5   , IP=192.168.0.3

Access=8021X   ,Auth=CHAP    ,Port=Ether   ,Port NO=0x10003001              

Initial VLAN=1, Authorization VLAN=1

ACL Group=Disable

CAR=Disable

Priority=Disable

Start=2000-04-03 02:51:53 ,Current=2000-04-03 02:52:22 ,Online=00h00m29s

 On Unit 1:Total 1 connections matched, 1 listed.

 Total 1 connections matched, 1 listed.  

Here, Port NO=0x10003001 means (by the binary bits):

Table 1-1 Description of the Port NO field

Bits        Meaning
31 to 28    UNIT ID
27 to 24    Slot number
23 to 20    Sub-slot number
19 to 12    Port number
11 to 0     VLAN ID

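When correlating an 802.1x or RADIUS event with the physical port it came from, the Port NO value has to be split into the bit fields of Table 1-1. The following is an added example, not code from the H3C manual or the switch software: it parses the display connection ucibindex 0 output shown above (the sample text is copied from that output) and decodes the Port NO field. The helper names are assumptions.

```python
# Added example (not from the H3C manual): parse one 'display connection'
# record and decode its Port NO field according to Table 1-1.
# Helper names are assumptions; SAMPLE_OUTPUT is the record shown on the page.
from typing import Dict

SAMPLE_OUTPUT = """\
Index=0   , Username=user1@system
MAC=000f-3d80-4ce5   , IP=192.168.0.3
Access=8021X   ,Auth=CHAP    ,Port=Ether   ,Port NO=0x10003001
Initial VLAN=1, Authorization VLAN=1
ACL Group=Disable
CAR=Disable
Priority=Disable
Start=2000-04-03 02:51:53 ,Current=2000-04-03 02:52:22 ,Online=00h00m29s
 On Unit 1:Total 1 connections matched, 1 listed.
 Total 1 connections matched, 1 listed.
"""


def parse_connection(text: str) -> Dict[str, str]:
    """Collect every 'Key=Value' pair from one connection record.

    Fields are separated by commas; the summary lines ('On Unit 1:...',
    'Total ...') contain no '=' and are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        for part in line.split(","):
            if "=" not in part:
                continue
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def decode_port_no(port_no: int) -> Dict[str, int]:
    """Split the 32-bit Port NO value into the bit fields of Table 1-1."""
    return {
        "unit": (port_no >> 28) & 0xF,     # bits 31 to 28: UNIT ID
        "slot": (port_no >> 24) & 0xF,     # bits 27 to 24: slot number
        "subslot": (port_no >> 20) & 0xF,  # bits 23 to 20: sub-slot number
        "port": (port_no >> 12) & 0xFF,    # bits 19 to 12: port number
        "vlan": port_no & 0xFFF,           # bits 11 to 0: VLAN ID
    }


def describe_connection(text: str) -> Dict[str, object]:
    """Parsed record plus the decoded port location of the user."""
    fields = parse_connection(text)
    location = decode_port_no(int(fields["Port NO"], 16))
    return {"user": fields["Username"], "mac": fields["MAC"], "ip": fields["IP"],
            "auth": fields["Auth"], "location": location}


if __name__ == "__main__":
    # 0x10003001 -> unit 1, slot 0, sub-slot 0, port 3, VLAN 1
    print(describe_connection(SAMPLE_OUTPUT))
```

For the sample record the decoded location (unit 1, VLAN 1) agrees with the "On Unit 1" and "Initial VLAN=1" lines of the same output, which is a quick way to confirm the bit layout on your own device.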

1.1.9  display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameter

isp-name: Name of an ISP domain, a string of up to 24 characters. This must be the name of an existing ISP domain.

Description

Use the display domain command to display configuration information about one specific or all ISP domains.

Related command: access-limit, domain, scheme, and state.

Example

# Display configuration information about all ISP domains.

<H3C> display domain

0  Domain = system

   State = Active

   Scheme = LOCAL

   Access-limit = Disable

   Vlan-assignment-mode = Integer

   Domain User Template:

   Idle-cut = Disable

   Self-service = Disable

   Messenger Time = Disable

 

Default Domain Name: system

Total 1 domain(s).1 listed. 

Table 1-2 Description on the fields of the display domain command

Field                   Description
Domain                  Domain name
State                   Status of the domain
Scheme                  AAA scheme
Access-Limit            Limit on the number of access users
Vlan-assignment-mode    VLAN assignment mode
Domain User Template    Domain user template
Idle-Cut                Status of the idle-cut function
Self-service            Status of self-service
Messenger Time          Status of messenger time service


1.1.10  display local-user

Syntax

display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ]

View

Any view

Parameter

domain isp-name: Displays all local users belonging to a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 24 characters. You can only specify an existing ISP domain.

idle-cut { disable | enable }: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. Here, disable specifies the inhibited local users and enable specifies the allowed local users.

vlan vlan-id: Displays the local users belonging to a specified VLAN. Here, vlan-id ranges from 1 to 4094.

service-type: Displays the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, users of this type are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (a terminal user who logs into the switch through the Console port).

state { active | block }: Displays the local users in a specified state. Here active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.

user-name user-name: Displays the local user with a specified user name. Here, user-name is a string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part behind @) cannot be longer than 24 characters.

Description

Use the display local-user command to display information about specified or all local users.

Related command: local-user.

Example

# Display information about all local users.

<H3C> display local-user

The contents of local user user1:

 State:          Active            ServiceType Mask: None

 Idle-cut:       Disable

 Access-limit:   Disable           Current AccessNum: 0

 Bind location:  Disable

 Vlan ID:        Disable

 IP address:     Disable

 MAC address:    Disable

 

Total 1 local user(s) Matched, 1 listed.

ServiceType Mask Meaning: C--Terminal  F--FTP  L--LanAccess  S--SSH  T--Telnet

Table 1-3 describes the fields in the above display output.

Table 1-3 Description on the fields of the display local-user command

Field               Description
State               Status of the local user
ServiceType Mask    Service type mark
Idle-Cut            Status of the idle-cut function
Access-Limit        Limit on the number of access users
Current AccessNum   Number of current access users
Bind location       Whether or not bound to a port
Vlan ID             VLAN of the user
IP address          IP address of the user
MAC address         MAC address of the user


1.1.11  domain

Syntax

domain { isp-name | default { disable | enable isp-name } }

undo domain isp-name

View

System view

Parameter

isp-name: Name of an ISP domain, a string of up to 24 characters. This string cannot contain the following characters: /:*?<>.

default: Manually configures the default ISP domain, which is "system" by default. There is one and only one default ISP domain.

disable: Disables the configured default ISP domain.

enable: Enables the configured default ISP domain.

Description

Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.

Use the undo domain command to delete a specified ISP domain.

The ISP domain "system" is used as the default ISP domain before you manually configure the default ISP domain, and you can use the display domain command to check the settings of the default ISP domain "system".

After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state. You can manually specify an ISP domain as the default domain only when the specified domain already exists.

Related command: access-limit, scheme, state, and display domain.

Example

# Create a new ISP domain named aabbcc.net.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net]

1.1.12  idle-cut

Syntax

idle-cut { disable | enable minute flow }

View

ISP domain view

Parameter

disable: Inhibits users from enabling the idle-cut function.

enable: Allows users to enable the idle-cut function.

minute: Maximum idle time in minutes, ranging from 1 to 120.

flow: Minimum data flow in bytes, ranging from 1 to 10,240,000.

Description

Use the idle-cut command to set the user idle-cut function in current ISP domain.

By default, this function is disabled.

Related command: domain.

Example

# Enable the idle-cut function on users in ISP domain aabbcc.net, with the maximum idle time of 50 minutes and the minimum data flow of 500 bytes. As a result, for a user in the domain, if the total traffic of the user within 50 minutes is less than 500 bytes, the user connection will be cut down.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] idle-cut enable 50 500

1.1.13  level

Syntax

level level

undo level

View

Local user view

Parameter

level: Privilege level to be set for the user. It is an integer ranging from 0 to 3.

Description

Use the level command to set the privilege level of the user. The privilege level of the user corresponds to the command level of the user. For detailed information, refer to the description of the command-privilege level command in the command line interface part.

Use the undo level command to restore the default privilege level of the user.

The default privilege level is 0.

Note that:

- If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface.

- If the configured authentication method requires a user name and a password, the command level that a user can access after login is determined by the privilege level of the user. For SSH users using RSA shared key for authentication, the commands they can access are determined by the levels set on their user interfaces.

Related command: local-user.

Example

# Set the level of user1 to 3.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user user1

New local user added.

[H3C-luser-user1] level 3

1.1.14  local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }

View

System view

Parameter

user-name: Local user name, a string of up to 80 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part behind @) cannot be longer than 24 characters. A local user name is case insensitive.
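The same user-name rules appear here and in the user-name parameters of the cut connection and display local-user commands: at most 80 characters, none of /:*?<>, at most one @, a user ID of at most 55 characters and a domain name of at most 24. The following is an added example, not code from the H3C manual or the switch software, that checks a name against those rules before it is pushed in a provisioning script; the function names and message wording are assumptions.

```python
# Added example (not from the H3C manual): a checker for the user-name rules
# stated for the 'local-user', 'cut connection' and 'display local-user'
# commands. Function names and message texts are assumptions.
from typing import List

FORBIDDEN_CHARS = set("/:*?<>")
MAX_TOTAL, MAX_USER_ID, MAX_DOMAIN = 80, 55, 24


def check_user_name(name: str) -> List[str]:
    """Return the list of rule violations for name; an empty list means valid."""
    problems: List[str] = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_TOTAL:
        problems.append(f"longer than {MAX_TOTAL} characters")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden character(s): " + "".join(bad))
    if name.count("@") > 1:
        problems.append("contains more than one @")
    else:
        # The part before @ is the user ID; the part after it is the domain name.
        user_id, at, domain = name.partition("@")
        if len(user_id) > MAX_USER_ID:
            problems.append(f"user ID (part before @) longer than {MAX_USER_ID} characters")
        if at and len(domain) > MAX_DOMAIN:
            problems.append(f"domain name (part after @) longer than {MAX_DOMAIN} characters")
    return problems


def same_local_user(a: str, b: str) -> bool:
    """Local user names are case insensitive: 'User1' and 'user1' are one account."""
    return a.lower() == b.lower()


if __name__ == "__main__":
    # Constructed sample names, not from the page
    for candidate in ("user1@aabbcc.net", "user:1", "a@b@c", "x" * 81):
        print(repr(candidate), check_user_name(candidate) or "ok")
```

The case-insensitivity helper matters when scripts compare or de-duplicate local accounts: "Admin" and "admin" are the same local user on the switch even though they differ as strings.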

all: Specifies all local users.

service-type: Specifies the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, users of this type are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (a terminal user who logs into the switch through the Console port).

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to delete one or more specified local users.

By default, there is no local user in the system.

Related command: display local-user and service-type.

Example

# Add a local user named user1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user user1

New local user added.

[H3C-luser-user1]

1.1.15  local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameter

cipher-force: Adopts the forcible cipher mode so that all local users' passwords will be displayed in cipher text.

auto: Adopts the automatic mode so that each local user's password will be displayed in the mode you have set for the user by the password command.

Description

Use the local-user password-display-mode command to set the password display mode of all local users.

Use the undo local-user password-display-mode command to restore the default password display mode of all local users.

By default, the password display mode of all access users is auto.

If the cipher-force mode is adopted, all passwords will be displayed in cipher text even if you have specified that some users' passwords be displayed in plain text by using the password command with the simple keyword.

Related command: display local-user and password.

Example

# Specify to display all local user passwords in cipher text in whatever cases.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user password-display-mode cipher-force

1.1.16  messenger

Syntax

messenger time { enable limit interval | disable }

undo messenger time

View

ISP domain view

Parameter

limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit.

interval: Interval to send prompt messages (in minutes). This argument ranges from 5 to 60 and must be a multiple of 5.

Description

Use the messenger time enable command to enable the messenger function and set the related parameters.

Use the messenger time disable command to disable the messenger function.

Use the undo messenger time command to restore the messenger function to its default state.

By default, the messenger function is disabled on the switch.

The purpose of this function is to remind online users of their remaining online time by means of a message dialog box on their clients.

You can use messenger time enable command to set the remaining online time limit and the interval to send prompt messages. After that, the switch regularly sends prompt messages at the set interval to the clients of the users whose remaining online time is less than the set limit, and the clients inform the users of their remaining online time by message dialog box.

Example

# Enable the switch to send prompt messages at intervals of 5 minutes to the users in the ISP domain "system" after their remaining online time is less than 30 minutes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain system

[H3C-isp-system] messenger time enable 30 5

1.1.17  name

Syntax

name string

undo name

View

VLAN view

Parameter

string: Assigned VLAN name, a string of up to 32 characters.

Description

Use the name command to set a VLAN name, which will be used for VLAN assignment.

Use the undo name command to cancel the VLAN name.

By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.

This command is used in conjunction with the dynamic VLAN assignment function. For details about dynamic VLAN assignment, refer to the vlan-assignment-mode command.

Related command: vlan-assignment-mode.

Example

# Set the name of VLAN 100 to test.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 100

[H3C-vlan100] name test

1.1.18  password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameter

simple: Specifies to display the password in plain text.

cipher: Specifies to display the password in cipher text.

password: Password to be set:

- For simple mode, the password you input must be a plain-text password.

- For cipher mode, the password can be either a cipher-text password or a plain-text password, and what it is depends on your input.

A password in plain text can be a string of up to 63 consecutive characters, for example, aabbcc. A password in cipher text can be a string of 1 to 63 characters, or of 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

Description

Use the password command to set a password for the local user.

Use the undo password command to cancel the password of the local user.

Note that, after the local-user password-display-mode cipher-force command is executed, any local user password will be displayed in cipher text even though it is configured by the password command with the simple keyword.

Related command: display local-user.

Example

# Set the password of user1 to 20030422 and specify to display the password in plain text.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user user1

New local user added.

[H3C-luser-user1] password simple 20030422

1.1.19  radius-scheme

Syntax

radius-scheme radius-scheme-name

View

ISP domain view

Parameter

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

Description

Use the radius-scheme command to configure a RADIUS scheme for the current ISP domain.

After an ISP domain is initially created, it uses the local AAA scheme instead of any RADIUS scheme by default.

The RADIUS scheme you specify in the radius-scheme command must already exist. This command is equivalent to the scheme radius-scheme command.

Related command: radius scheme, scheme, and display radius scheme.

Example

# Configure the ISP domain "h3c163.net" to use the RADIUS scheme "h3c".

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain h3c163.net

New Domain added.

[H3C-isp-h3c163.net] radius-scheme h3c

1.1.20  scheme

Syntax

scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }

undo scheme { none | radius-scheme | hwtacacs-scheme }

View

ISP domain view

Parameter

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

hwtacacs-scheme-name: Name of a HWTACACS scheme, a string of up to 32 characters.

local: Specifies to use local authentication.

none: Specifies not to perform authentication.

Description

Use the scheme command to configure an AAA scheme for the current ISP domain.

Use the undo scheme command to restore the default AAA scheme configuration for the ISP domain.

By default, the ISP domain uses the local AAA scheme.

Note that:

•   When you execute the scheme command to reference a RADIUS scheme in the current ISP domain, the referenced RADIUS scheme must already exist.

•   If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.

•   If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.

•   If you execute the scheme local or scheme none command to adopt local or none as the primary scheme, local authentication is performed or no authentication is performed, respectively. In this case you cannot specify any RADIUS scheme at the same time.

Related command: radius scheme.

Example

# Configure the ISP domain aabbcc.net to use RADIUS scheme radius1 as the primary AAA scheme and use the local scheme as the secondary authentication scheme.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] scheme radius-scheme radius1 local
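As an added audit example that is not part of the manual, the following Python walks a constructed H3C-style configuration dump and flags the settings that the password section (1.1.18) and this scheme section warn about: a domain configured with scheme none, a domain referencing a RADIUS scheme that has not been defined, and a local user whose password is configured with the simple keyword. The sample config text, the parse_views helper and audit_aaa_config are all assumptions of this example, not switch features.

```python
# Constructed sample of an H3C-style AAA configuration (not taken from the manual).
SAMPLE_CONFIG = r"""
radius scheme radius1
#
domain aabbcc.net
 scheme radius-scheme radius1 local
#
domain guests.net
 scheme none
#
domain h3c163.net
 radius-scheme h3c
#
local-user user1
 password simple 20030422
#
local-user user2
 password cipher _(TT8F]Y\5SQ=^Q`MAF4<1!!
"""
def parse_views(text):
    """Split a config into (view_words, [line_words]) pairs; a '#' line closes a view."""
    views, current = [], None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                current[1].append(raw.split())
        else:
            current = (raw.split(), [])
            views.append(current)
    return views

def audit_aaa_config(text):
    """Return one finding per weak or inconsistent AAA setting, in config order."""
    views, findings = parse_views(text), []
    schemes = {head[2] for head, _ in views if head[:2] == ["radius", "scheme"]}
    for (kind, *_, name), lines in views:
        for w in lines:
            if kind == "domain":
                if w[:2] == ["scheme", "none"]:
                    findings.append(f"domain {name}: scheme none, users are not authenticated")
                # "scheme radius-scheme X" and the shorthand "radius-scheme X" are equivalent
                ref = w[2] if w[:2] == ["scheme", "radius-scheme"] else w[1] if w[0] == "radius-scheme" else None
                if ref and ref not in schemes:
                    findings.append(f"domain {name}: referenced RADIUS scheme {ref} does not exist")
            elif kind == "local-user":
                if w[:2] == ["password", "simple"]:
                    findings.append(f"local-user {name}: password displayed in plain text")
    return findings
```

Run audit_aaa_config(SAMPLE_CONFIG) to get the three findings for guests.net, h3c163.net and user1; aabbcc.net and user2 produce none.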

1.1.21  self-service-url

Syntax

self-service-url { disable | enable url-string }

undo self-service-url

View

ISP domain view

Parameter

url-string: URL of the web page used to modify a user's password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain a question mark "?". If the actual URL of the self-service server contains a question mark, replace it with a vertical bar "|".

Description

Use the self-service-url enable command to enable the self-service server location function.

Use the self-service-url disable command to disable the self-service server location function.

Use the undo self-service-url command to restore the default state of this function.

By default, this function is disabled.

Note that:

•   This command must be used together with a RADIUS server that supports self-service (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.

•   After this command is executed on the switch, a user can locate the self-service server as follows: the user chooses [change user password] on the 802.1x client, and the client opens the default browser (for example, IE or Netscape) and loads the URL of the page used to change the user password on the self-service server. The user can then change the password.

•   A user can choose the [change user password] option on the client only after passing authentication. If the user fails authentication, this option is greyed out and unavailable.

Example

# Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain system

[H3C-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

1.1.22  service-type

Syntax

service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] }

undo service-type { ftp | lan-access | { telnet | ssh | terminal }* }

View

Local user view

Parameter

ftp: Specifies that this is an FTP user.

lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user).

telnet: Authorizes the user to access the Telnet service.

ssh: Authorizes the user to access the SSH service.

terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).

level level: Specifies the level of the Telnet, terminal or SSH user. Here, level is an integer ranging from 0 to 3 and defaulting to 0.

Description

Use the service-type command to authorize the user to access specified type(s) of service.

Use the undo service-type command to inhibit the user from accessing specified type(s) of service.

By default, the user is inhibited from accessing any type of service.

Example

# Authorize user1 to access the Telnet service.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user user1

New local user added.

[H3C-luser-user1] service-type telnet

1.1.23  state

Syntax

state { active | block }

View

ISP domain view, local user view

Parameter

active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), allowing users in the current ISP domain or the current local user to access the network.

block: Blocks the current ISP domain (in ISP domain view) or local user (in local user view), inhibiting users in the current ISP domain or the current local user from accessing the network.

Description

Use the state command to set the status of the current ISP domain (in ISP domain view) or the current local user (in local user view).

By default, an ISP domain/local user is in the active state once it is created.

After an ISP domain is set to the block state, except for online users, users in this domain are inhibited from accessing the network.

After a local user is set to the block state, the user is inhibited from accessing the network unless the user is already online.

Related command: domain.

Example

# Set the ISP domain aabbcc.net to the block state, so that users in it who are not already online cannot access the network.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] state block

# Set user1 to the block state.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user user1

[H3C-luser-user1] state block

1.1.24  vlan-assignment-mode

Syntax

vlan-assignment-mode { integer | string }

Vie