Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: Specifies not to limit the number of access users that can be contained in the current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in the current ISP domain. max-user-number ranges from 1 to 2072.
Description
Use the access-limit command to set the maximum number of access users that can be contained in the current ISP domain.
Use the undo access-limit command to restore the default maximum number.
By default, the number of access users that can be contained in the current ISP domain is unlimited.
Because resource contention may occur between access users, the number of access users in an ISP domain should be limited properly to provide reliable performance to the users in the ISP domain.
Example
# Allow ISP domain aabbcc.net to contain at most 500 access users.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] access-limit enable 500
1.1.2 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameter
ip ip-address: Sets the IP address of the user.
mac mac-address: Sets the MAC address of the user. mac-address is in H-H-H format.
idle-cut second: Allows the local user to enable the idle-cut function. second is the idle time before the connection is cut down, ranging from 60 seconds to 7200 seconds.
access-limit max-user-number: Sets the maximum number of users who can access the switch with the current user name. max-user-number ranges from 1 to 1024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, the VLAN the user belongs to). vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of the access server to which the user is bound. ip-address is in dotted decimal notation and is 127.0.0.1 (representing this device) by default. If the user is bound to a remote port, you must specify the nas-ip parameter. If the user is bound to a local port, you need not specify the nas-ip parameter.
port port-number: Sets the port bound with the user. port-number is in the format device ID/slot number/port number; the device ID ranges from 1 to 8, the slot number ranges from 0 to 15 (if the bound port has no slot number, input 0 for this item) and the port number ranges from 1 to 255.
Description
Use the attribute command to set the attributes of a user whose service type is lan-access.
Use the undo attribute command to cancel the attribute settings of the user.
Related command: display local-user.
Example
# Set the IP address of user1 to 10.110.50.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user user1
New local user added.
[H3C-luser-user1] attribute ip 10.110.50.1
1.1.3 accounting
Syntax
accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }
undo accounting
View
ISP domain view
Parameter
none: Specifies not to perform user accounting.
radius-scheme radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Name of a HWTACACS scheme, a character string of up to 32 characters.
Description
Use the accounting command to configure the accounting scheme that will be used by the current ISP domain.
Use the undo accounting command to remove the accounting scheme used by the current ISP domain.
By default, no accounting scheme is configured for the ISP domain.
When you use the accounting command to reference a RADIUS scheme or HWTACACS scheme for the current ISP domain, the RADIUS scheme or HWTACACS scheme must have already been configured.
If the accounting command is used in ISP domain view, the system uses the scheme referenced in this command to charge the users. Otherwise, the system uses the scheme referenced in the scheme command to charge the users.
Related command: scheme, radius scheme and hwtacacs scheme.
Example
# Specify "radius" as the RADIUS accounting scheme that will be referenced by the current ISP domain.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] accounting radius-scheme radius
1.1.4 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch.
By default, the accounting-optional switch is closed.
Note that:
When the system charges an online user but does not find any available RADIUS accounting server or fails to communicate with any RADIUS accounting server, the user can continue to access network resources if the accounting optional command has been used; otherwise, the user is disconnected from the system. The accounting optional command is often used in cases where only authentication is needed and no accounting is needed.
Example
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] accounting optional
1.1.5 authentication
Syntax
authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication
View
ISP domain view
Parameter
radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme.
hwtacacs-scheme hwtacacs-scheme-name: Name of a HWTACACS scheme, a character string of up to 32 characters.
local: Specifies to use the local authentication scheme.
none: Specifies not to perform authentication.
Description
Use the authentication command to configure an authentication scheme for the current ISP domain.
Use the undo authentication command to restore the default authentication scheme of the current domain.
By default, no separate authentication scheme is configured.
Before you use the authentication command to specify a RADIUS scheme to be referenced by the current ISP domain, the RADIUS scheme must have already been configured.
If you execute the authentication radius-scheme radius-scheme-name local command, the local scheme is used as the secondary authentication scheme in case the RADIUS server does not respond normally. That is, if the communication between the switch and the RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case the TACACS server does not respond normally. That is, if the communication between the switch and the TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.
If you execute the authentication local command, the local scheme is used as the primary scheme. In this case, only local authentication is performed. If you execute the authentication none command, no authentication is performed.
With the authentication command configured in ISP domain view, the system adopts the authentication scheme referenced in the command to authenticate the users in the domain; otherwise it adopts the scheme referenced in the scheme command.
Related command: scheme, radius scheme and hwtacacs scheme.
Example
# Specify "radius" as the RADIUS authentication scheme to be referenced by the ISP domain aabbcc.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] authentication radius-scheme radius
# Specify "rd" as the RADIUS authentication scheme to be referenced by the ISP domain aabbcc, and the local scheme as the secondary authentication scheme.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc
New Domain added.
[H3C-isp-aabbcc] authentication radius-scheme rd local
1.1.6 authorization
Syntax
authorization { none | hwtacacs-scheme hwtacacs-scheme-name }
undo authorization
View
ISP domain view
Parameter
none: No authorization scheme is adopted.
hwtacacs-scheme hwtacacs-scheme-name: Name of a HWTACACS scheme, a character string of up to 32 characters.
Description
Use the authorization command to configure the authorization scheme of the current ISP domain.
Use the undo authorization command to restore the default authorization scheme of the ISP domain.
By default, no separate authorization scheme is configured.
Related command: scheme, radius scheme and hwtacacs scheme.
Example
# Allow users in the current ISP domain to access the network services without being authorized.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] authorization none
1.1.7 cut connection
Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameter
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down the user connections using the specified access method. dot1x cuts down all 802.1x user connections, and mac-authentication cuts down all MAC authentication user connections.
domain isp-name: Cuts down all user connections in the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections under the specified port. interface-type is the port type and interface-number is the port number.
ip ip-address: Cuts down the connection of the user with the specified IP address.
mac mac-address: Cuts down the user connection with the specified MAC address. mac-address is in H-H-H format.
radius-scheme radius-scheme-name: Cuts down all user connections using the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
vlan vlan-id: Cuts down all user connections of the specified VLAN. vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with the specified connection index. ucib-index ranges from 0 to 1047.
user-name user-name: Cuts down the user connection of the specified user. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot contain more than 55 characters, and the domain name (the part behind @) cannot contain more than 24 characters.
Description
Use the cut connection command to forcibly cut down one user connection or one type of user connections.
This command cannot cut down the connections of Telnet and FTP users.
Related command: display connection.
Example
# Cut down all user connections in the ISP domain named aabbcc.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] cut connection domain aabbcc.net
1.1.8 display connection
Syntax
display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
access-type { dot1x | mac-authentication }: Displays the user connections in the specified access mode. dot1x displays all 802.1x user connections, and mac-authentication displays all MAC authentication user connections.
domain isp-name: Displays all user connections under the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on the specified port.
ip ip-address: Displays all user connections with the specified IP address.
mac mac-address: Displays the connection of the user with the specified MAC address. mac-address is in dotted hexadecimal notation (in the form of H.H.H).
radius-scheme radius-scheme-name: Displays all user connections using the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Displays all user connections using the specified HWTACACS scheme. hwtacacs-scheme-name is a character string of up to 32 characters.
vlan vlan-id: Displays all user connections of the specified VLAN. vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with the specified connection index. ucib-index ranges from 0 to 1047.
user-name user-name: Displays the user connection with the specified user name. user-name is a character string in the format pure-username@domain-name. The pure-username cannot be longer than 55 characters, the domain-name cannot contain more than 24 characters, and the whole string cannot be longer than 80 characters.
Description
Use the display connection command to display information about specified or all user connections.
If you execute this command without specifying any parameter, all user connections are displayed.
This command cannot display information about the connections of FTP users.
Related command: cut connection.
Example
# Display information about all user connections.
<H3C> display connection
Total 0 connections matched ,0 listed.
1.1.9 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display the configuration information about one specific or all ISP domains.
By default, the configuration information about all ISP domains is displayed.
Related command: access-limit, domain, scheme and state.
Example
# Display the configuration information about all ISP domains.
<H3C> display domain
0 Domain = system
State = Active
Scheme = LOCAL
Access-limit = Disable
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
Table 1-1 Description on the fields of the display domain command
| Field | Description |
| --- | --- |
| Domain | Domain name |
| State | State |
| Scheme | AAA scheme |
| Access-Limit | Limit on the number of access users |
| Vlan-assignment-mode | VLAN assignment mode |
| Domain User Template | Domain user template |
| Idle-Cut | State of the idle-cut function |
| Self-service | State of the self service |
| Messenger Time | State of the messenger time service |
1.1.10 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ]
View
Any view
Parameter
domain isp-name: Displays all local users belonging to the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
idle-cut { disable | enable }: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. disable specifies the inhibited local users and enable specifies the allowed local users.
vlan vlan-id: Displays the local users belonging to the specified VLAN. vlan-id ranges from 1 to 4094.
service-type: Displays the local users of the specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (this type of users are terminal users who log into the switch through the Console port).
state { active | block }: Displays the local users in the specified state. active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.
user-name user-name: Displays the local user with the specified user name. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part behind @) cannot be longer than 24 characters.
Description
Use the display local-user command to display information about specified or all local users.
Related command: local-user.
Example
# Display information about all local users.
<H3C> display local-user
The contents of local user user1:
State: Active
ServiceType Mask: None
Idle-cut: Disable
Access-limit: Disable
Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
Total 1 local user(s) Matched, 1 listed.
ServiceType Mask Meaning:
C--Terminal F--FTP L--LanAccess S--SSH T--Telnet
Table 1-2 describes the fields in the above display output.
Table 1-2 Description on the fields of the display local-user command
| Field | Description |
| --- | --- |
| State | State of the local user |
| ServiceType Mask | Service type mask |
| Idle-Cut | State of the idle-cut function |
| Access-Limit | Limit on the number of access users |
| Current AccessNum | Number of current access users |
| Bind location | Whether or not bound to a port |
| Vlan ID | VLAN of the user |
| IP address | IP address of the user |
| MAC address | MAC address of the user |
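A parser for the display local-user output format shown above, with the ServiceType Mask expanded through the legend the switch prints. This is an added example, not H3C code; the sample output is constructed from the page's record layout (the second user, its mask "ST" and the field indentation are invented for the demonstration), and the function names are this example's own.

```python
"""Parse display local-user output and decode each user's ServiceType Mask.

Added example, not H3C code. Record layout follows this reference:
"The contents of local user NAME:" starts a record, "Field: Value" lines
fill it, and "Total N local user(s) Matched, N listed." ends the list.
The legend "C--Terminal F--FTP L--LanAccess S--SSH T--Telnet" gives the
mask letters. SAMPLE_OUTPUT is constructed; admin2 is an invented user.
"""
import re
from typing import Dict, List

MASK_LEGEND = {"C": "Terminal", "F": "FTP", "L": "LanAccess", "S": "SSH", "T": "Telnet"}

SAMPLE_OUTPUT = """\
<H3C> display local-user
The contents of local user user1:
   State: Active
   ServiceType Mask: None
   Idle-cut: Disable
   Access-limit: Disable
   Current AccessNum: 0
   Bind location: Disable
   Vlan ID: Disable
   IP address: Disable
   MAC address: Disable
The contents of local user admin2:
   State: Active
   ServiceType Mask: ST
   Idle-cut: Disable
   Access-limit: Enable
   Current AccessNum: 1
   Bind location: Disable
   Vlan ID: Disable
   IP address: 10.110.50.1
   MAC address: Disable
Total 2 local user(s) Matched, 2 listed.
ServiceType Mask Meaning:
C--Terminal F--FTP L--LanAccess S--SSH T--Telnet
"""

HEADER_RE = re.compile(r"^The contents of local user (\S+):$")
TOTAL_RE = re.compile(r"^Total (\d+) local user\(s\) Matched")


def decode_mask(mask: str) -> List[str]:
    """Expand a mask such as "ST" into service names; "None" means no service."""
    if mask.strip().lower() == "none":
        return []
    return [MASK_LEGEND[ch] for ch in mask if ch in MASK_LEGEND]


def parse_local_users(output: str) -> List[Dict[str, object]]:
    """Return one dict per local user; raise if the summary count disagrees."""
    users: List[Dict[str, object]] = []
    current = None
    total = None
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1)}
            users.append(current)
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            current = None              # the summary line ends the record list
            continue
        if current is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key == "ServiceType Mask":
                current["services"] = decode_mask(value)
            else:
                current[key] = value
    if total is not None and total != len(users):
        raise ValueError(f"summary reports {total} users, parsed {len(users)}")
    return users


def cli_capable_users(users: List[Dict[str, object]]) -> List[str]:
    """Active users whose service types let them onto the switch CLI."""
    cli = {"Terminal", "SSH", "Telnet"}
    return [str(u["name"]) for u in users
            if u.get("State") == "Active" and cli & set(u.get("services", []))]
```

Running cli_capable_users over the parsed output gives a quick inventory of which local accounts can reach the console, SSH or Telnet, which is the set worth reviewing first.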
1.1.11 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This string cannot contain the following characters: /:*?<>.
default: Manually configures the default ISP domain, which is "system" by default. There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.
Description
Use the domain command to create an ISP domain and enter its view, enter the view of an existing ISP domain, or configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
By default, an ISP domain named "system" already exists in the system, and you can use the display domain command to check the settings of this default ISP domain.
After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state. You can configure an ISP domain as the default domain only when it already exists.
Related command: access-limit, scheme, state and display domain.
Example
# Create a new ISP domain aabbcc.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net]
1.1.12 idle-cut
Syntax
idle-cut { disable | enable minute flow }
View
ISP domain view
Parameter
disable: Inhibits users from enabling the idle-cut function.
enable: Allows users to enable the idle-cut function.
minute: Maximum idle time, ranging from 1 minute to 120 minutes.
flow: Minimum data flow, ranging from 1 byte to 10,240,000 bytes.
Description
Use the idle-cut command to set the user idle-cut function in the current ISP domain.
By default, this function is disabled.
Related command: domain.
Example
# Allow users in ISP domain aabbcc.net to enable the idle-cut attribute in the user template (that is, allow the users to use the idle-cut function), with a maximum idle time of 50 minutes and a minimum data flow of 500 bytes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] idle-cut enable 50 500
1.1.13 level
Syntax
level level
undo level
View
Local user view
Parameter
level: Priority level of the user, an integer ranging from 0 to 3 and defaulting to 0.
Description
Use the level command to set the priority level of the user. The priority level of the user corresponds to the command level of the user. Refer to the description of the command-privilege level command in the command line interface module.
Use the undo level command to restore the default priority level of the user.
By default, the priority level of the user is 0.
Note that:
- If the configured authentication method is none or requires a password, the command level that a user can access after login is determined by the level of the user interface.
- If the configured authentication method requires a user name and a password, the command level that a user can access after login is determined by the priority level of the user. For SSH users who use RSA shared keys for authentication, the commands they can access are determined by the levels set on the user interfaces.
Related command: local-user.
Example
# Set the level of user1 to 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user user1
New local user added.
[H3C-luser-user1] level 3
1.1.14 local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }
View
System view
Parameter
user-name: Name of the local user, a character string of up to 80 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part behind @) cannot be longer than 24 characters. The local user name is case insensitive.
all: Specifies all local users.
service-type: Specifies the local users of the specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (this type of users are terminal users who log into the switch through the Console port).
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to delete one or more specified local users.
By default, there is no local user in the system.
Related command: display local-user and service-type.
Example
# Add a local user named user1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user user1
New local user added.
[H3C-luser-user1]
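The user-name rules repeated for local-user, display local-user and cut connection, and the isp-name rule of the domain command, collected into one validator. This is an added example, not H3C code; the class and function names are this example's own, and it assumes the limits exactly as this reference states them.

```python
"""Validator for the user-name and ISP domain name rules in this reference.

Added example, not H3C code. It encodes the stated limits: a user name is
at most 80 characters, may not contain any of / : * ? < >, may contain at
most one @, its user ID (the part before @) is at most 55 characters and
its domain part (after @) at most 24; an ISP domain name is at most 24
characters and may not contain / : * ? < >. Local user names are case
insensitive, so the returned parts are lower-cased.
"""
from dataclasses import dataclass
from typing import List, Optional

FORBIDDEN = set("/:*?<>")
MAX_USER_NAME = 80      # whole user-name string
MAX_PURE_NAME = 55      # user ID, the part before @
MAX_DOMAIN_NAME = 24    # ISP domain name, also the part behind @


@dataclass
class UserNameCheck:
    pure_name: str           # user ID, lower-cased
    domain: Optional[str]    # domain part, lower-cased; None when no @ is present
    errors: List[str]

    @property
    def ok(self) -> bool:
        return not self.errors


def check_isp_name(name: str) -> List[str]:
    """Return the rule violations of an ISP domain name (empty list if valid)."""
    errors = []
    if not name:
        errors.append("domain name is empty")
    if len(name) > MAX_DOMAIN_NAME:
        errors.append(f"domain name longer than {MAX_DOMAIN_NAME} characters")
    bad = sorted(FORBIDDEN & set(name))
    if bad:
        errors.append("domain name contains forbidden characters: " + "".join(bad))
    return errors


def check_user_name(name: str) -> UserNameCheck:
    """Split a user name into user ID and domain and collect every rule it breaks."""
    errors = []
    if not name:
        errors.append("user name is empty")
    if len(name) > MAX_USER_NAME:
        errors.append(f"user name longer than {MAX_USER_NAME} characters")
    bad = sorted(FORBIDDEN & set(name))
    if bad:
        errors.append("user name contains forbidden characters: " + "".join(bad))
    if name.count("@") > 1:
        errors.append("user name contains more than one @")
    # Split at the first @ so the length checks still run on malformed input.
    pure, at, domain = name.partition("@")
    if len(pure) > MAX_PURE_NAME:
        errors.append(f"user ID longer than {MAX_PURE_NAME} characters")
    if at and len(domain) > MAX_DOMAIN_NAME:
        errors.append(f"domain part longer than {MAX_DOMAIN_NAME} characters")
    return UserNameCheck(pure.lower(), domain.lower() if at else None, errors)
```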
1.1.15 local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameter
cipher-force: Adopts the forcible cipher mode, so that the passwords of all local users must be displayed in cipher text.
auto: Adopts the automatic mode, so that the passwords of local users are displayed in the modes set with the password command.
Description
Use the local-user password-display-mode command to set the password display mode of all local users.
Use the undo local-user password-display-mode command to restore the default password display mode of all local users.
By default, the password display mode of all access users is auto.
When the cipher-force mode is adopted, all passwords are displayed in cipher text even though some users have specified to display their passwords in plain text by using the password command with the simple keyword.
Related command: display local-user and password.
Example
# Specify to display all local user passwords in cipher text forcibly.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user password-display-mode cipher-force
1.1.16 messenger time
Syntax
messenger time { enable limit interval | disable }
undo messenger time
View
ISP domain view
Parameter
limit: Time limit in minutes, ranging from 1 to 60. The switch sends prompt messages at regular intervals to users whose remaining online time is less than this limit.
interval: Interval at which prompt messages are sent, in minutes. This argument ranges from 5 to 60 and must be a multiple of 5.
Description
Use the messenger time enable command to enable the messenger function and set the related parameters.
Use the messenger time disable command to disable the messenger function.
Use the undo messenger time command to restore the messenger function to its default state.
By default, the messenger function is disabled on the switch.
The purpose of this function is to remind online users of their remaining online time through their clients, in the form of a message dialog.
You can use the messenger time enable command to set a remaining online time limit and the interval to send prompt messages. After that, the switch regularly sends prompt messages at the set interval to the clients of the users whose remaining online time is less than the set limit, and the clients inform the users of their remaining online time in the form of a message dialog.
Example
# Enable the switch to send prompt messages at intervals of 5 minutes to the users in the ISP domain "system" after their remaining online time is less than 30 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain system
[H3C-isp-system] messenger time enable 30 5
1.1.17 name
Syntax
name string
undo name
View
VLAN view
Parameter
string: VLAN name for VLAN assignment, a character string of up to 32 characters.
Description
Use the name command to set a VLAN name, which will be used for VLAN assignment.
Use the undo name command to cancel the VLAN name.
By default, a VLAN uses its VLAN ID (like VLAN 0001) as its name.
This command is used for the dynamic VLAN assignment function. For details about this function, refer to the vlan-assignment-mode command.
Related command: vlan-assignment-mode.
Example
# Set the name of VLAN 100 to test.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 100
[H3C-vlan100] name test
1.1.18 password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameter
simple: Specifies to display the password in plain text.
cipher: Specifies to display the password in cipher text.
password: Password you want to set, a character string.
- For simple mode, the password must be in plain text.
- For cipher mode, the password can be either in cipher text or in plain text, depending on your input.
A password in plain text can be a string of up to 63 consecutive characters, for example, aabbcc. A password in cipher text can be a string of 1 to 63 characters, or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
Description
Use the password command to set a password for the local user.
Use the undo password command to cancel the password of the local user.
Note that, after the local-user password-display-mode cipher-force command is executed, the password is displayed in cipher text even though you use the password command to set the display mode of the password to simple.
Related command: display local-user.
Example
# Set the password of user1 to 20030422 and specify to display the password in plain text.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user user1
New local user added.
[H3C-luser-user1] password simple 20030422
1.1.19 radius-scheme
Syntax
radius-scheme radius-scheme-name
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.
Description
Use the radius-scheme command to specify the RADIUS scheme to be used by the current ISP domain.
Once an ISP domain is created, it uses the local AAA scheme instead of any RADIUS scheme by default.
The RADIUS scheme you specify in the radius-scheme command must be an existing scheme. This command is equivalent to the scheme radius-scheme command.
Related command: radius scheme, scheme, and display radius scheme.
Example
# Specify the scheme "extended" as the RADIUS scheme to be used by the current ISP domain "H3C163.net".
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain H3C163.net
New Domain added.
[H3C-isp-H3C163.net] radius-scheme extended
1.1.20 scheme
Syntax
scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
undo scheme { none | radius-scheme | hwtacacs-scheme }
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.
hwtacacs-scheme-name: Name of a HWTACACS scheme, a character string of up to 32 characters.
local: Specifies to use local authentication.
none: Specifies not to perform authentication.
Description
Use the scheme command to configure the AAA scheme used by the current ISP domain.
Use the undo scheme command to restore the default AAA scheme used by the ISP domain.
By default, the ISP domain uses the local AAA scheme.
Note that:
- When the scheme command is used to specify the RADIUS scheme to be referenced by the current ISP domain, the specified RADIUS scheme must have already been configured.
- If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme becomes the secondary scheme in case the RADIUS server does not respond normally. That is, if the communication between the switch and the RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme becomes the secondary scheme in case the TACACS server does not respond normally. That is, if the communication between the switch and the TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.
- If you execute the scheme local command, the local scheme is adopted as the primary scheme. In this case, only local authentication is performed and no RADIUS authentication is performed. If you execute the scheme none command, no authentication is performed.
Related command: radius scheme.
Example
# Specify the RADIUS scheme radius1 as the primary AAA scheme referenced by the ISP domain aabbcc.net and specify the local scheme as the secondary authentication scheme.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] scheme radius-scheme radius1 local
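The fallback rules stated for the scheme and authentication commands, and the accounting-optional behaviour described under accounting optional, modelled as one decision function. This is an added example, not H3C code: the server replies and the local user table are constructed test data, and the class and function names are this example's own. The point it makes explicit is that the trailing local keyword only helps when the server does not respond; a reject from a reachable server is final.

```python
"""Effective AAA scheme and fallback semantics for one ISP domain.

Added example, not H3C code. It models what this reference states: the
authentication and accounting commands in ISP domain view override the
scheme command; with "radius-scheme NAME local" (or the HWTACACS form)
the local scheme is consulted only when the remote server does not
respond, never when the server answers with a reject; "none" skips
authentication; and with the accounting-optional switch open a user stays
online when no accounting server is reachable, otherwise the user is
disconnected. Server replies and LOCAL_USERS are constructed test data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed outcomes of one request to a RADIUS/HWTACACS server.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"

# Constructed local user table (user1/20030422 is the page's own example).
LOCAL_USERS: Dict[str, str] = {"user1": "20030422"}


@dataclass
class Scheme:
    kind: str                   # "local", "none", "radius-scheme" or "hwtacacs-scheme"
    name: Optional[str] = None  # scheme name for the remote kinds
    local_backup: bool = False  # trailing "local" keyword: fall back on no response


@dataclass
class IspDomain:
    name: str
    # scheme command; an ISP domain uses the local AAA scheme by default
    scheme: Scheme = field(default_factory=lambda: Scheme("local"))
    authentication: Optional[Scheme] = None  # authentication command, if used
    accounting: Optional[Scheme] = None      # accounting command, if used
    accounting_optional: bool = False        # accounting optional switch

    def effective_authentication(self) -> Scheme:
        """The authentication command wins; otherwise the scheme command applies."""
        return self.authentication or self.scheme

    def effective_accounting(self) -> Scheme:
        """Same precedence for accounting."""
        return self.accounting or self.scheme


def local_check(user: str, password: str, local_users: Dict[str, str]) -> str:
    """Local scheme: local user names are case insensitive (see local-user)."""
    return ACCEPT if local_users.get(user.lower()) == password else REJECT


def authenticate(domain: IspDomain, user: str, password: str,
                 server_reply: str, local_users: Dict[str, str] = LOCAL_USERS) -> str:
    """Decide one login attempt: ACCEPT or REJECT.

    server_reply is the constructed behaviour of the remote server and is
    ignored for the local and none schemes.
    """
    scheme = domain.effective_authentication()
    if scheme.kind == "none":
        return ACCEPT                  # no authentication is performed
    if scheme.kind == "local":
        return local_check(user, password, local_users)
    # radius-scheme / hwtacacs-scheme: the remote server is the primary scheme
    if server_reply in (ACCEPT, REJECT):
        return server_reply            # communication is normal: the verdict stands
    # the server did not respond normally
    if scheme.local_backup:
        return local_check(user, password, local_users)
    return REJECT


def accounting_outcome(domain: IspDomain, server_reachable: bool) -> str:
    """Whether an authenticated user stays "online" or is "disconnected"."""
    acct = domain.effective_accounting()
    if acct.kind in ("local", "none") or server_reachable:
        return "online"                # no remote accounting server involved, or it works
    return "online" if domain.accounting_optional else "disconnected"
```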
Syntax
self-service-url { disable | enable url-string }
undo self-service-url
View
ISP domain view
Parameter
url-string:
URL of the web page used to modify user password on the self-service server. It
is a character string with 1 character to 64 characters. This string cannot
contain a question mark "?". If the actual URL of the self-service
server contains any question mark, you should change it to an elect bar
"|".
Description
Use the self-service-url enable
command to enable the self-service server location function
Use the self-service-url disable
command to disable the self-service server location function
Use the undo self-service-url
command to restore the default state of this function.
By default, this function is disabled.
Note that:
- This command must be used with the cooperation of a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.
- After this command is executed on the switch, users can locate the self-service server through the following operation: choose [change user password] on the 802.1x client; the client opens the default browser (for example, IE or Netscape) and locates the specified URL page used to change the user password on the self-service server. Then, the user can change the password.
- A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is greyed out and unavailable.
H3C's CAMS Server is a service management system used to manage networks and secure networks and user information. Cooperating with other network devices (such as switches) in a network, the CAMS Server accomplishes the AAA (authentication, authorization and accounting) services and rights management.
Example
# Under the default ISP domain "system", set the URL of the web page used to modify the user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain system
[H3C-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
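The url-string rules above (1 to 64 characters, no "?", each "?" of the real URL written as "|") as an added Python illustration; this is not H3C's code. The function names, and the assumption that the 802.1x client simply restores "|" to "?" before opening the browser, are this example's own.

```python
"""Handling of the self-service-url url-string.

Added illustration in Python, not H3C's code. It applies the constraints the
command reference states for url-string and shows the reverse step the
802.1x client has to take before opening the browser. The function names
and the assumption that the client restores "|" to "?" are this example's own.
"""

MAX_URL_STRING_LEN = 64  # length limit stated for url-string


class UrlStringError(ValueError):
    """Raised when a url-string would be rejected."""


def validate_url_string(url_string: str) -> None:
    """Check a url-string against the documented constraints; raise on violation."""
    if not 1 <= len(url_string) <= MAX_URL_STRING_LEN:
        raise UrlStringError(
            f"url-string must be 1 to {MAX_URL_STRING_LEN} characters, got {len(url_string)}"
        )
    if "?" in url_string:
        raise UrlStringError('url-string cannot contain "?"; write it as "|"')


def to_url_string(actual_url: str) -> str:
    """Turn the real self-service URL into the url-string accepted by the command.

    Every "?" becomes "|"; the result is validated so that an over-long URL is
    reported here rather than rejected by the switch.
    """
    url_string = actual_url.replace("?", "|")
    validate_url_string(url_string)
    return url_string


def client_url(url_string: str) -> str:
    """Assumption: the 802.1x client restores "|" to "?" to obtain the real URL."""
    return url_string.replace("|", "?")


# Constructed sample: the URL from the command reference example, with the "?"
# the web server actually expects in the query string.
SAMPLE_ACTUAL_URL = "http://10.153.89.94/selfservice/modPasswd1x.jsp?userName"


def demo() -> dict:
    """Round-trip the sample URL and show that an over-long URL is rejected."""
    url_string = to_url_string(SAMPLE_ACTUAL_URL)
    result = {
        "url_string": url_string,
        "round_trip_ok": client_url(url_string) == SAMPLE_ACTUAL_URL,
    }
    too_long = "http://10.153.89.94/selfservice/" + "a" * 40 + ".jsp?userName"  # 72 characters
    try:
        to_url_string(too_long)
        result["too_long_rejected"] = False
    except UrlStringError:
        result["too_long_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Because "|" is the escape character, a real URL that itself contains "|" cannot be round-tripped unambiguously; check the self-service server's URL for that before relying on the substitution.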
Syntax
service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] }
undo service-type { ftp | lan-access | { telnet | ssh | terminal }* }
View
Local user view
Parameter
ftp: Specifies that this is an FTP user.
lan-access: Specifies that this is a LAN access user (generally an Ethernet access user, for example, an 802.1x user).
telnet: Authorizes the user to access the Telnet service.
ssh: Authorizes the user to access the SSH service.
terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).
level level: Specifies the level of the Telnet, terminal or SSH user. Where, level is an integer ranging from 0 to 3 and defaulting to 0.
Description
Use the service-type command to authorize the user to access the specified type(s) of service(s).
Use the undo service-type command to inhibit the user from accessing the specified type(s) of service(s).
By default, the user is inhibited from accessing any type of service.
Example
# Authorize user1 to access the Telnet service.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user user1
New local user added.
[H3C-luser-user1] service-type telnet
1.1.23 state
Syntax
state { active | block }
View
ISP domain view or local user view
Parameter
active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in the current ISP domain or the current local user to access the network.
block: Blocks the current ISP domain (in ISP domain view) or local user (in local user view), to inhibit users in the current ISP domain or the current local user from accessing the network.
Description
Use the state command to set the status of the current ISP domain (in ISP domain view) or the status of the local user (in local user view).
By default, an ISP domain is in the active state once it is created, and a local user is in the active state once the user is created.
After an ISP domain is set to the block state, the users under this domain, except those already online, are not allowed to access the network.
After the local user is set to the block state, the user is not allowed to access the network.
Related command: domain.
Example
# Set the ISP domain aabbcc.net to the block state, so that all its offline users cannot access the network.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] state block
# Set user1 to the block state.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user user1
[H3C-luser-user1] state block
Syntax
vlan-assignment-mode { integer | string }
View
ISP domain view
Parameter
integer: Sets the VLAN assignment mode to integer.
string: Sets the VLAN assignment mode to string.
Description
Use the vlan-assignment-mode command to set the VLAN assignment mode (integer or string) on the switch.
By default, the VLAN assignment mode is integer, that is, the switch supports its RADIUS authentication server assigning integer VLAN IDs.
The dynamic VLAN assignment feature enables a switch to dynamically add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access.
In actual applications, to use this feature together with Guest VLAN, you had better set port control to port-based mode.
Currently, the switch supports the RADIUS authentication server assigning the following two types of VLAN IDs: integer and string.
- Integer: If the RADIUS server assigns integer type VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the switch first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.
- String: If the RADIUS server assigns string type VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with the existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user cannot pass the authentication.
The two dynamic VLAN assignment modes supported by the switch are set according to the authentication server. Because different authentication servers adopt different dynamic VLAN assignment modes, you are recommended to configure the device according to the dynamic VLAN assignment mode in use.
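The integer and string behaviour described above, as an added Python model of the switch-side decision; this is not H3C's code. The RADIUS attribute numbers and type values are the RFC 2868 ones (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81). The VlanTable class, the AssignmentError class, the default name given to a created VLAN, the check that Tunnel-Type and Tunnel-Medium-Type say VLAN over IEEE-802, the 1 to 4094 bound and the sample Access-Accept attributes are all constructed for this example.

```python
"""Switch-side dynamic VLAN assignment in integer and string mode.

Added illustration in Python, not H3C's code. In integer mode the assigned
value is a VLAN ID and a missing VLAN is created first; in string mode the
value is matched against VLAN names and a miss fails the assignment, and so
the authentication. Attribute numbers and type values are from RFC 2868;
everything else here is constructed for the example.
"""
from typing import Dict, Optional, Tuple, Union

# RFC 2868 tunnel attributes that carry a VLAN assignment.
TUNNEL_TYPE = 64                 # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65          # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81     # the VLAN ID or name; a string on the wire
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

Attrs = Dict[int, Union[int, str]]


class AssignmentError(Exception):
    """The VLAN assignment fails, so the user does not pass authentication."""


class VlanTable:
    """Constructed stand-in for the switch's VLAN table: vlan-id -> VLAN name."""

    def __init__(self, vlans: Dict[int, str]) -> None:
        self.vlans: Dict[int, str] = dict(vlans)

    def id_for_name(self, name: str) -> Optional[int]:
        for vid, vname in self.vlans.items():
            if vname == name:
                return vid
        return None

    def ensure(self, vid: int) -> bool:
        """Create the VLAN if absent; return True when it had to be created."""
        if vid in self.vlans:
            return False
        self.vlans[vid] = f"VLAN {vid:04d}"  # default name format: an assumption of this example
        return True


def assign_vlan(mode: str, attrs: Attrs, table: VlanTable) -> Tuple[int, bool]:
    """Return (VLAN ID the port is added to, whether that VLAN was newly created).

    mode is 'integer' or 'string', exactly as set with vlan-assignment-mode.
    attrs maps RADIUS attribute numbers to the decoded values of an Access-Accept.
    """
    if mode not in ("integer", "string"):
        raise ValueError("mode must be 'integer' or 'string'")
    # Assumption of this example: only a VLAN-over-802 tunnel assignment is honoured.
    if (attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802):
        raise AssignmentError("Access-Accept carries no VLAN tunnel assignment")
    group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not isinstance(group_id, str) or not group_id:
        raise AssignmentError("Tunnel-Private-Group-ID missing")

    if mode == "integer":
        # Integer mode: the value is a VLAN number; a missing VLAN is created first.
        # The 1..4094 bound is the IEEE 802.1Q range, an assumption of this example.
        if not group_id.isdigit() or not 1 <= int(group_id) <= 4094:
            raise AssignmentError(f"{group_id!r} is not a usable integer VLAN ID")
        vid = int(group_id)
        return vid, table.ensure(vid)

    # String mode: the value must equal an existing VLAN name; no match means failure.
    vid = table.id_for_name(group_id)
    if vid is None:
        raise AssignmentError(f"no VLAN named {group_id!r}; user fails authentication")
    return vid, False


# Constructed sample Access-Accept attributes (tag bytes already stripped).
ACCEPT_INTEGER: Attrs = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "100"}
ACCEPT_STRING: Attrs = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "guest"}


def demo() -> Dict[str, object]:
    """Run both modes against one constructed VLAN table and collect the outcomes."""
    table = VlanTable({1: "VLAN 0001", 20: "guest"})
    out: Dict[str, object] = {}
    out["integer/100"] = assign_vlan("integer", ACCEPT_INTEGER, table)   # VLAN 100 is created
    out["string/guest"] = assign_vlan("string", ACCEPT_STRING, table)    # matches VLAN 20 by name
    try:
        assign_vlan("string", ACCEPT_INTEGER, table)                     # "100" is not a VLAN name
        out["string/100"] = "assigned"
    except AssignmentError as exc:
        out["string/100"] = f"failed: {exc}"
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

Tunnel-Private-Group-ID is defined as a string attribute on the wire, which is why the integer/string distinction lives in the switch's mode setting rather than in the RADIUS encoding; a mode that does not match what the server sends shows up as authentication failures for users whose VLAN value has no matching name, not as a RADIUS error.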
Table 1-3 lists some common dynamic VLAN assignment modes.
Table 1-3 Common dynamic VLAN assignment modes
| Server type | Dynamic VLAN assignment mode |
| CAMS | Integer (the latest version is determined by the attribute) |
| ACS | String |
| FreeRADIUS | Determined by the attribute (100 is integer; "100" is string) |
| Shiva Access Manager |