Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: Specifies not to limit the number of access users that can be contained in the current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in the current ISP domain. max-user-number ranges from 1 to 1024.
Description
Use the access-limit command to set the maximum number of access users that can be contained in the current ISP domain.
Use the undo access-limit command to restore the default maximum number.
By default, the number of access users that can be contained in the current ISP domain is unlimited.
Because resource contention may occur between access users, properly limiting the number of access users in an ISP domain helps provide reliable performance to the users in that domain.
Example
# Allow ISP domain aabbcc.net to contain at most 500 access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] access-limit enable 500
1.1.2 accounting default
Syntax
accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting default
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting default command to configure an accounting scheme for all users.
Use the undo accounting default command to restore the default accounting scheme for all users.
By default, the local scheme is configured.
Note that:
• The accounting scheme configured by the accounting default command applies to all users. Its priority is lower than that of a scheme configured for a specific access mode (such as accounting lan-access or accounting login).
• Local accounting is only used to support the management of local user connections; it has no real statistical function. The management of local connections takes effect for local accounting, not for local authentication and authorization.
• In the login access mode, accounting is not supported for FTP services.
Related command: authentication default and authorization default.
Example
# In the default ISP domain named system, configure local as the default accounting scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the default accounting scheme for all users, with local accounting as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default radius-scheme rd local
# In the default ISP domain named system, restore the default accounting scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting default
1.1.3 accounting lan-access
Syntax
accounting lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo accounting lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting lan-access command to configure the accounting scheme for lan-access users. Use the undo accounting lan-access command to remove the accounting scheme for lan-access users.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the accounting scheme for lan-access users, with local accounting as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting lan-access radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting lan-access
1.1.4 accounting login
Syntax
accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting login
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: No accounting.
Description
Use the accounting login command to configure the accounting scheme for login users.
Use the undo accounting login command to remove the accounting scheme for login users.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the accounting scheme for login users, with local accounting as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting login
1.1.5 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch.
By default, the accounting-optional switch is closed.
Note that:
• When the system performs accounting for an online user but finds no available RADIUS accounting server or fails to communicate with any RADIUS accounting server, the user can continue to access network resources if the accounting optional command has been used; otherwise, the user is disconnected from the system. The accounting optional command is typically used where only authentication is needed and no accounting is needed.
• With the accounting optional command executed, the system does not send real-time accounting update packets or accounting-stop packets for any user in the RADIUS scheme.
Example
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] accounting optional
1.1.6 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port portnum } } *
undo attribute { ip | mac | idle-cut | access-limit | vlan | location } *
View
Local user view
Parameter
ip ip-address: Sets the IP address of the user. The attribute ip command for a local user only applies to H3C 802.1x clients. If you configure this command for a non-H3C client, local authentication will fail.
mac mac-address: Sets the MAC address of the user. mac-address is in H-H-H format.
idle-cut minute: Allows the local user to enable the idle-cut function. minute is the idle time before the connection is cut down, ranging from 1 to 120 minutes.
access-limit max-user-number: Sets the maximum number of users who can access the switch with the current user name. max-user-number ranges from 1 to 1024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, the VLAN the user belongs to). vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of the access server to which the user is bound. ip-address is in dotted decimal notation and defaults to 127.0.0.1 (representing this device). If the user is bound to a remote port, you must specify the nas-ip parameter. If the user is bound to a local port, you need not specify it.
port portnum: Sets the port to which the user is bound.
Description
Use the attribute command to set the attributes of a user whose service type is lan-access.
Use the undo attribute command to cancel the attribute settings of the user.
Related command: display local-user.
Example
# Set the IP address of user1 to 10.110.50.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] attribute ip 10.110.50.1
1.1.7 authentication default
Syntax
authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication default
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication default command to configure the authentication scheme for all users.
Use the undo authentication default command to restore the default authentication scheme for all users.
By default, local authentication is used.
The authentication scheme configured by the authentication default command applies to all users, but its priority is lower than that of a scheme configured for a specific access mode (such as authentication lan-access or authentication login).
Related command: authorization default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authentication scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the default authentication scheme for all users, with local authentication as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme rd local
# In the default ISP domain named system, restore the default authentication scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication default
1.1.8 authentication lan-access
Syntax
authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo authentication lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication lan-access command to configure the authentication scheme for lan-access users.
Use the undo authentication lan-access command to remove the authentication scheme for lan-access users.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authentication scheme for lan-access users, with local authentication as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication lan-access
1.1.9 authentication login
Syntax
authentication login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication login
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: No authentication.
Description
Use the authentication login command to configure the authentication scheme for login users. Use the undo authentication login command to remove the authentication scheme for login users.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authentication scheme for login users, with local authentication as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication login
1.1.10 authorization command
Syntax
authorization command hwtacacs-scheme hwtacacs-scheme-name
undo authorization command
View
ISP domain view
Parameter
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string of up to 32 characters.
Description
Use the authorization command command to configure the command authorization scheme for CLI users.
Use the undo authorization command command to remove the command authorization scheme for CLI users.
Related command: authorization default.
Example
# In the default ISP domain named system, configure the HWTACACS scheme named hw as the command authorization scheme for CLI users. Note that the hw scheme must already be configured. Related command: hwtacacs scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization command hwtacacs-scheme hw
1.1.11 authorization default
Syntax
authorization default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization default
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes authorization directly but only has the default rights.
Description
Use the authorization default command to configure the default authorization scheme for all users.
Use the undo authorization default command to restore the default authorization scheme for all users.
By default, local authorization is used.
Note that:
• The authorization scheme configured by the authorization default command applies to all users. Its priority is lower than that of a scheme configured for a specific access mode (such as authorization lan-access or authorization login).
• RADIUS authorization is a special case: it takes effect only when the RADIUS schemes used for authentication and authorization are the same. If RADIUS authorization fails, the reason returned to the NAS is that the server did not respond.
Related command: authentication default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authorization scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the default authorization scheme for all users, with local authorization as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default radius-scheme rd local
# In the default ISP domain named system, restore the default authorization scheme for all users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization default
1.1.12 authorization lan-access
Syntax
authorization lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo authorization lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes authorization directly but only has the default rights.
Description
Use the authorization lan-access command to configure the authorization scheme for lan-access users.
Use the undo authorization lan-access command to remove the authorization scheme for lan-access users.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization lan-access local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authorization scheme for lan-access users, with local authorization as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for lan-access users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization lan-access
1.1.13 authorization login
Syntax
authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization login
View
ISP domain view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes authorization directly but only has the default rights.
Description
Use the authorization login command to configure the authorization scheme for login users.
Use the undo authorization login command to remove the authorization scheme for login users.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login local
# In the default ISP domain named system, configure the RADIUS scheme named rd as the authorization scheme for login users, with local authorization as backup. Note that the rd scheme must already be configured. Related command: radius scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for login users.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization login
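The accounting, authentication and authorization commands above share one precedence rule: a scheme set for a specific access mode (lan-access or login) overrides the one set by the "default" command, "[ local ]" is a backup tried after the remote scheme, and the accounting optional switch decides what happens when no RADIUS accounting server answers. The following Python model is an added illustration, not the switch's own code; the IspDomain class, its method names, and the assumption that a reachable local backup keeps the user online are this example's own.

```python
"""Model of how an ISP domain picks the AAA scheme to apply to a user.

Added illustration, not the switch's own code. Assumptions (not from the
reference): scheme references are stored as "radius:rd" / "hwtacacs:hw",
and a local backup scheme always counts as usable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The three AAA phases; each is configured per access mode or for "default".
PHASES = ("authentication", "authorization", "accounting")
ACCESS_MODES = ("default", "lan-access", "login")


@dataclass
class IspDomain:
    name: str
    # phase -> access mode -> ordered list of scheme references
    schemes: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)
    accounting_optional: bool = False

    def configure(self, phase: str, mode: str, *tokens: str) -> List[str]:
        """Apply one command, e.g. configure("accounting", "login",
        "radius-scheme", "rd", "local"). Returns the parsed scheme order."""
        if phase not in PHASES or mode not in ACCESS_MODES:
            raise ValueError(f"unknown phase/mode {phase!r}/{mode!r}")
        order: List[str] = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("radius-scheme", "hwtacacs-scheme"):
                if i + 1 >= len(tokens):
                    raise ValueError(f"{tok} needs a scheme name")
                # Store as "radius:<name>" or "hwtacacs:<name>".
                order.append(f"{tok.split('-')[0]}:{tokens[i + 1]}")
                i += 2
            elif tok in ("local", "none"):
                order.append(tok)
                i += 1
            else:
                raise ValueError(f"unexpected token {tok!r}")
        if not order:
            raise ValueError("no scheme given")
        self.schemes.setdefault(phase, {})[mode] = order
        return list(order)

    def undo(self, phase: str, mode: str) -> None:
        """Model "undo <phase> <mode>": the default reverts to local; a
        per-access-mode scheme is removed so the default applies again."""
        table = self.schemes.setdefault(phase, {})
        if mode == "default":
            table["default"] = ["local"]
        else:
            table.pop(mode, None)

    def resolve(self, phase: str, mode: str) -> List[str]:
        """Ordered schemes tried for a user of the given access mode.
        The access-mode command has priority over the default command;
        with nothing configured the reference's default (local) applies."""
        table = self.schemes.get(phase, {})
        if mode in table:
            return list(table[mode])
        return list(table.get("default", ["local"]))


def accounting_outcome(domain: IspDomain, mode: str, reachable: Set[str]) -> str:
    """Decide whether a user stays online given which accounting servers
    answer. `reachable` holds scheme references such as "radius:rd".
    Returns "online", "online-no-accounting" or "disconnected"."""
    for scheme in domain.resolve("accounting", mode):
        if scheme == "none":
            return "online-no-accounting"   # accounting not required
        if scheme == "local" or scheme in reachable:
            return "online"                 # assumption: local backup suffices
    # No accounting scheme usable: the accounting-optional switch decides.
    if domain.accounting_optional:
        return "online-no-accounting"
    return "disconnected"


if __name__ == "__main__":
    d = IspDomain("system")
    d.configure("authentication", "default", "radius-scheme", "rd", "local")
    d.configure("authentication", "login", "hwtacacs-scheme", "hw")
    print(d.resolve("authentication", "login"))       # ['hwtacacs:hw']
    print(d.resolve("authentication", "lan-access"))  # ['radius:rd', 'local']
```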
1.1.14 cut connection
Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameter
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down the user connections using the specified access method. dot1x cuts down all 802.1x user connections, and mac-authentication cuts down all MAC authentication user connections.
domain domain-name: Cuts down all user connections in the specified ISP domain. domain-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections on the specified port. interface-type is the port type and interface-number is the port number.
ip ip-address: Cuts down the connection of the user with the specified IP address.
mac mac-address: Cuts down the user connection with the specified MAC address. mac-address is in H-H-H format.
vlan vlan-id: Cuts down all user connections of the specified VLAN. vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with the specified connection index. ucib-index ranges from 0 to 4294967295.
user-name user-name: Cuts down the user connection of the specified user. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot contain more than 55 characters.
Description
Use the cut connection command to forcibly cut down one user connection or one type of user connections.
This command cannot cut down the connections of Telnet, SSH and FTP users.
Related command: display connection.
Example
# Cut down all user connections in the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] cut connection domain aabbcc.net
1.1.15 display connection
Syntax
display connection [ access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
access-type { dot1x | mac-authentication }: Displays the user connections using the specified access method. dot1x displays all 802.1x user connections, and mac-authentication displays all MAC authentication user connections.
domain domain-name: Displays all user connections in the specified ISP domain. domain-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on the specified port.
ip ip-address: Displays all user connections with the specified IP address.
mac mac-address: Displays the connection of the user with the specified MAC address. mac-address is in dotted hexadecimal notation (in the form of H.H.H).
vlan vlan-id: Displays all user connections of the specified VLAN. vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with the specified connection index. ucib-index ranges from 0 to 4294967295.
user-name user-name: Displays the user connection with the specified user name. user-name is a character string in the format pure-username@domain-name. The pure-username cannot be longer than 55 characters, and the whole string cannot be longer than 80 characters.
Description
Use the display connection command to display information about specified or all user connections.
If you execute this command without specifying any parameter, all user connections are displayed.
This command cannot display information about the connections of FTP users.
Related command: cut connection.
Example
# Display information about all user connections.
<Sysname> display connection
Total 0 connections matched ,0 listed.
1.1.16 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display the configuration information about one specific ISP domain or all ISP domains.
Related command: access-limit, domain and state.
Example
# Display the configuration information about all ISP domains.
<Sysname> display domain
0  Domain = system
   State = Active
   Access-limit = Disable
   Accounting method = Required
   Default authentication scheme : local
   Default authorization scheme  : local
   Default accounting scheme     : local
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable
Default Domain Name: system
Total 1 domain(s).
Table 1-1 Description on the fields of the display domain command
Field                         | Description
Domain                        | Domain name
State                         | State of the ISP domain
Access-Limit                  | Limit on the number of access users
Accounting method             | Accounting method
Default authentication scheme | Default authentication scheme
Default authorization scheme  | Default authorization scheme
Default accounting scheme     | Default accounting scheme
Domain User Template          | Domain user template
Idle-Cut                      | State of the idle-cut function
Self-service                  | State of the self-service function
Default Domain Name           | Default domain name
Total 1 domain(s)             | There is one domain in total
1.1.17 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { lan-access | telnet | ssh | terminal | ftp } | state { active | block } | user-name user-name ]
View
Any view
Parameter
domain isp-name: Displays all local users belonging to the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
idle-cut { disable | enable }: Displays the local users who are inhibited from enabling the idle-cut function (disable), or the local users who are allowed to enable the idle-cut function (enable).
vlan vlan-id: Displays the local users belonging to the specified VLAN. vlan-id ranges from 1 to 4094.
service-type: Displays the local users of the specified type. You can specify one of the following user types: ftp, lan-access (generally Ethernet access users, for example 802.1x users), ssh, telnet, or terminal (terminal users who log into the switch through the Console port).
state { active | block }: Displays the local users in the specified state. active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.
user-name user-name: Displays the local user with the specified user name. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters.
Description
Use the display local-user command to display information about specified or all local users.
Related command: local-user.
Example
# Display information about all local users.
<Sysname> display local-user
The contents of local user user1:
  State:           Active
  ServiceType:     lan-access/telnet
  Idle-cut:        Disable
  Access-limit:    Disable    Current AccessNum: 0
  Bind location:   Disable
  Vlan ID:         Disable
  IP address:      Disable
  MAC address:     Disable
  User Privilege:  3
Total 1 local user(s) Matched, 1 listed.
Table 1-2 Description on the fields of the display local-user command
Field             | Description
State             | State of the local user
ServiceType       | Service type of the local user
Idle-Cut          | State of the idle-cut function
Access-Limit      | Limit on the number of access users
Current AccessNum | Number of current access users
Bind location     | Whether or not the user is bound to a port
Vlan ID           | VLAN of the user
IP address        | IP address of the user
MAC address       | MAC address of the user
User Privilege    | Privilege level of the user
When the local RADIUS authentication server (local-server) is enabled, the value of "Current AccessNum" may be inconsistent with the actual number of accessed users; the displayed value is for reference only.
1.1.18 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This string cannot contain the following characters: /:*?<>.
default: Manually configures the default ISP domain, which is "system" by default. There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.
Description
Use the domain command to create an ISP domain and enter its view, to enter the view of an existing ISP domain, or to configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
By default, an ISP domain named "system" already exists in the system, and you can use the display domain command to check the settings of this default ISP domain.
After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state. You can configure an ISP domain as the default domain only after it has been created.
Related command: access-limit, state and display domain.
Example
# Create a new ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net]
1.1.19 idle-cut
Syntax
idle-cut { disable | enable minute }
View
ISP domain view
Parameter
disable: Inhibits users from enabling the idle-cut function.
enable: Allows users to enable the idle-cut function.
minute: Maximum idle time, ranging from 1 to 120 minutes.
Description
Use the idle-cut command to set the user idle-cut function in the current ISP domain.
By default, this function is disabled.
Related command: domain.
Example
# Allow users in ISP domain aabbcc.net to enable the idle-cut attribute in the user template (that is, allow the users to use the idle-cut function), with a maximum idle time of 50 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] idle-cut enable 50
1.1.20 level
Syntax
level level
undo level
View
Local user view
Parameter
level: Priority level of the user, an integer ranging from 0 to 3. The default is 0.
Description
Use the level command to set the priority level of the user.
Use the undo level command to restore the default priority level of the user.
Note that:
• If the configured authentication method is none or requires only a password, the command level that a user can access after login is determined by the level of the user interface.
• If the configured authentication method requires a user name and a password, the command level that a user can access after login is determined by the priority level of the user. For SSH users authenticating with RSA shared keys, the commands they can access are determined by the level set on the user interface.
Related command: local-user.
Example
# Set the level of user1 to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] level 3
1.1.21 local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { lan-access | telnet | ssh | terminal | ftp } ] }
View
System view
Parameter
user-name: Name of the local user, a character string of up to 80 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters. User names are case-sensitive; for example, the system regards UserA and usera as two different users.
all: Specifies all local users.
service-type: Specifies the local users of the specified type. You can specify one of the following user types: ftp, lan-access (generally Ethernet access users, for example 802.1x users), ssh, telnet, or terminal (terminal users who log into the switch through the Console port).
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to delete one or more specified local users.
By default, there is no local user in the system.
"a", "al" and "all" cannot be used as local user names.
Related command: display local-user and service-type.
Example
# Add a local user named user1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1]
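The naming rules spread across the local-user, domain, cut connection and display local-user commands (length limits, the forbidden characters /:*?<>, at most one @, the 55-character pure user name, the reserved names a, al and all, case sensitivity) can be checked before a user is created. The following Python checker is an added illustration, not the switch's own validation code; the function names and the wording of the messages are this example's own.

```python
"""Validators for ISP domain names and local user names as the reference
defines them. Added illustration, not the switch's own code."""
from typing import List, Optional, Tuple

# Characters the reference forbids in both domain names and user names.
FORBIDDEN_CHARS = frozenset("/:*?<>")
# Names the reference says cannot be local user names (they collide with
# the "all" keyword of "undo local-user").
RESERVED_USER_NAMES = frozenset({"a", "al", "all"})

MAX_DOMAIN_LEN = 24
MAX_USER_LEN = 80
MAX_PURE_USER_LEN = 55


def validate_domain_name(name: str) -> List[str]:
    """Return the list of rule violations for an ISP domain name ([] = valid)."""
    problems: List[str] = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_DOMAIN_LEN:
        problems.append(f"longer than {MAX_DOMAIN_LEN} characters")
    bad = "".join(sorted(FORBIDDEN_CHARS.intersection(name)))
    if bad:
        problems.append(f"forbidden characters: {bad}")
    return problems


def split_user_name(name: str) -> Tuple[str, Optional[str]]:
    """Split pure-username@domain-name at the first @.
    The domain part is None when the name carries no @."""
    pure, sep, domain = name.partition("@")
    return pure, (domain if sep else None)


def validate_local_user_name(name: str) -> List[str]:
    """Return the list of rule violations for a local user name ([] = valid).
    Names are compared case-sensitively, so UserA and usera are distinct."""
    problems: List[str] = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_USER_LEN:
        problems.append(f"longer than {MAX_USER_LEN} characters")
    bad = "".join(sorted(FORBIDDEN_CHARS.intersection(name)))
    if bad:
        problems.append(f"forbidden characters: {bad}")
    if name.count("@") > 1:
        problems.append("more than one @ character")
    pure, domain = split_user_name(name)
    if len(pure) > MAX_PURE_USER_LEN:
        problems.append(f"pure user name longer than {MAX_PURE_USER_LEN} characters")
    if name in RESERVED_USER_NAMES:
        problems.append("reserved name")
    # A domain part, when present, must itself be a legal ISP domain name.
    if domain is not None and name.count("@") == 1:
        for p in validate_domain_name(domain):
            problems.append(f"domain part: {p}")
    return problems


if __name__ == "__main__":
    for candidate in ("user1", "user1@aabbcc.net", "all", "bad:name"):
        print(candidate, validate_local_user_name(candidate) or "ok")
```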
1.1.22 local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameter
cipher-force: Adopts the forcible cipher mode, so that the passwords of all local users must be displayed in cipher text.
auto: Adopts the automatic mode, so that the passwords of local users are displayed in the mode set with the password command.
Description
Use the local-user password-display-mode command to set the password display mode of all local users.
Use the undo local-user password-display-mode command to restore the default password display mode of all local users.
By default, the password display mode of all access users is auto.
When the cipher-force mode is adopted, all passwords are displayed in cipher text even though some users have specified that their passwords be displayed in plain text by using the password command with the simple keyword.
Related command: display local-user and password.
Example
# Specify that all local user passwords be displayed in cipher text forcibly.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user password-display-mode cipher-force
1.1.23 password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameter
simple: Specifies to display the password in plain text.
cipher: Specifies to display the password in cipher text.
password: Password you want to set, a character string.
• For simple mode, the password must be in plain text.
• For cipher mode, the password can be either in cipher text or in plain text, depending on your input.
A password in plain text can be a string of up to 63 consecutive characters, for example, aabbcc. A password in cipher text can contain 24, 32, 44, 56, 64, 76 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
Description
Use the password command to set a password for the local user.
Use the undo password command to cancel the password of the local user.
Note that, after the local-user password-display-mode cipher-force command is executed, the password is displayed in cipher text even if you use the password command to set the display mode of the password to simple.
Related command: display local-user.
Example
# Set the password of user1 to 20030422 and specify to display the password in plain text.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] password simple 20030422
Syntax