19-AAA-RADIUS-HWTACACS-EAD Command


Table of Contents

Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
1.1.2 attribute
1.1.3 cut connection
1.1.4 display connection
1.1.5 display domain
1.1.6 display local-user
1.1.7 domain
1.1.8 idle-cut
1.1.9 level
1.1.10 local-user
1.1.11 local-user password-display-mode
1.1.12 messenger
1.1.13 name
1.1.14 password
1.1.15 radius-scheme
1.1.16 scheme
1.1.17 self-service-url
1.1.18 service-type
1.1.19 state
1.1.20 vlan-assignment-mode
1.2 RADIUS Configuration Commands
1.2.1 accounting-on enable
1.2.2 accounting optional
1.2.3 data-flow-format
1.2.4 display local-server statistics
1.2.5 display radius
1.2.6 display radius statistics
1.2.7 display stop-accounting-buffer
1.2.8 key
1.2.9 local-server
1.2.10 nas-ip
1.2.11 primary accounting
1.2.12 primary authentication
1.2.13 radius nas-ip
1.2.14 radius scheme
1.2.15 reset radius statistics
1.2.16 reset stop-accounting-buffer
1.2.17 retry
1.2.18 retry realtime-accounting
1.2.19 retry stop-accounting
1.2.20 secondary accounting
1.2.21 secondary authentication
1.2.22 server-type
1.2.23 state
1.2.24 stop-accounting-buffer enable
1.2.25 timer
1.2.26 timer quiet
1.2.27 timer realtime-accounting
1.2.28 timer response-timeout
1.2.29 user-name-format
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
1.3.2 display hwtacacs
1.3.3 display stop-accounting-buffer
1.3.4 hwtacacs nas-ip
1.3.5 hwtacacs scheme
1.3.6 key
1.3.7 nas-ip
1.3.8 primary accounting
1.3.9 primary authentication
1.3.10 primary authorization
1.3.11 reset hwtacacs statistics
1.3.12 reset stop-accounting-buffer
1.3.13 retry stop-accounting
1.3.14 secondary accounting
1.3.15 secondary authentication
1.3.16 secondary authorization
1.3.17 stop-accounting-buffer enable
1.3.18 timer quiet
1.3.19 timer realtime-accounting
1.3.20 timer response-timeout
1.3.21 user-name-format
Chapter 2 EAD Configuration Commands
2.1 EAD Configuration Commands
2.1.1 security-policy-server

 


Chapter 1  AAA & RADIUS & HWTACACS Configuration Commands

1.1  AAA Configuration Commands

1.1.1  access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameter

disable: Specifies not to limit the number of access users that can be contained in current ISP domain.

enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain. The value of max-user-number ranges from 1 to 4,120.

Description

Use the access-limit command to set the maximum number of access users that can be contained in current ISP domain.

Use the undo access-limit command to restore the default setting.

By default, the number of access users that can be contained in current ISP domain is not limited.

Because resource contention may occur between access users, there is a need to properly limit the number of access users in an ISP domain to provide reliable performance for the users in the ISP domain.

Example

# Allow ISP domain aabbcc.net to contain up to 500 access users.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] access-limit enable 500

1.1.2  attribute

Syntax

attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*

undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*

View

Local user view

Parameter

ip: Sets the IP address to which the user is bound.

mac: Sets the MAC address to which the user is bound. mac-address is in dash-delimited hexadecimal notation, that is, in the H-H-H format.

idle-cut second: Allows or disallows the local user to enable the idle-cut function (the parameters used for the idle-cut operation depend on the configuration in the ISP domain). The second argument is the idle time in seconds before the connection is cut; it ranges from 60 to 7,200.

access-limit max-user-number: Sets the maximum number of users who can access the switch with current user name. The value of max-user-number ranges from 1 to 4,096.

vlan vlan-id: Sets the VLAN to which the user is bound; that is, sets which VLAN the user belongs to. vlan-id is an integer ranging from 1 to 4,094.

location: Sets the port binding attribute of the user.

nas-ip ip-address: Sets the IP address of the access server to which the user is bound. ip-address is in dotted decimal notation and is 127.0.0.1 (representing this device) by default.

port port-number: Sets the port that is bound to the user. port-number is in the format of "slot number subslot number port number". If the bound port has no subslot number, just input 0 for this argument.

Description

Use the attribute command to set the attributes of a local user.

Use the undo attribute command to cancel attribute settings of the local user.

Note that, if the user is bound to a remote port, make sure you specify the nas-ip keyword. If the user is bound to a local port, you need not specify the nas-ip keyword.

 

Note:

If the accounting optional switch is turned on (with the accounting optional command) in the ISP domain to which the local user belongs, or in the RADIUS scheme referenced by that ISP domain, you cannot limit the number of accesses by the local user. That is, in such a case, the attribute access-limit command does not take effect.

 

Related command: display local-user.

Example

# Set the IP address of aabbcc to 10.110.50.1.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user aabbcc

[H3C-luser-aabbcc] attribute ip 10.110.50.1

1.1.3  cut connection

Syntax

cut connection { all | access-type dot1x | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }

View

System view

Parameter

all: Cuts down all user connections.

access-type dot1x: Cuts down all 802.1x user connections.

domain isp-name: Cuts down all user connections in the specified ISP domain. isp-name is the name of an ISP domain. It is a string of up to 24 characters. You can only specify an existing ISP domain.

interface interface-type interface-number: Cuts down all user connections to the specified port.

ip ip-address: Cuts down the connection of the user with the specified IP address.

mac mac-address: Cuts down the user connection with the specified MAC address. mac-address is in dash-delimited hexadecimal notation, that is, in the H-H-H format.

radius-scheme radius-scheme-name: Cuts down all user connections using the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.

vlan vlan-id: Cuts down all user connections of the specified VLAN. vlan-id ranges from 1 to 4,094.

ucibindex ucib-index: Cuts down the user connection with the specified connection index. The value of ucib-index ranges from 0 to 4,119.

user-name user-name: Cuts down the user connection of the specified user. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) can contain no more than 55 characters.

Description

Use the cut connection command to cut down one user connection or one type of user connections forcibly.

This command cuts down the connections of 802.1x users only.

Related command: display connection.

Example

# Cut down all the 802.1x user connections in the ISP domain named aabbcc.net.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] cut connection domain aabbcc.net

1.1.4  display connection

Syntax

display connection [ access-type dot1x | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]

View

Any view

Parameter

access-type dot1x: Displays all the 802.1x user connections.

domain isp-name: Displays all user connections in the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.

interface interface-type interface-number: Displays all user connections on the specified port.

ip ip-address: Displays all user connections with the specified IP address.

mac mac-address: Displays the connection of the user with the specified MAC address. mac-address is in dash-delimited hexadecimal notation (in the form of H-H-H).

radius-scheme radius-scheme-name: Displays all user connections using the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.

vlan vlan-id: Displays all user connections of the specified VLAN. The value of vlan-id ranges from 1 to 4,094.

ucibindex ucib-index: Displays the user connection with the specified connection index.

user-name user-name: Displays the user connection with the specified user name. user-name is a character string of up to 32 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) can contain no more than 24 characters.

Description

Use the display connection command to display information about the specified user connection or all user connections, so as to troubleshoot user connections.

If you execute this command without specifying any argument, all user connections will be displayed.

This command displays information about the connections of 802.1x users only.

Related command: cut connection.

Example

# Display information about all 802.1x user connections.

<H3C> display connection

Total 0 connections matched ,0 listed.

1.1.5  display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameter

isp-name: Name of an ISP domain, a character string of up to 24 characters. This must be the name of an existing ISP domain.

Description

Use the display domain command to display the configuration information about one specific or all the ISP domains.

If you execute this command without specifying any argument, the configuration of all the ISP domains will be displayed.

The output information helps with ISP domain diagnosis and troubleshooting.

Related command: access-limit, domain, radius-scheme, user-template, state, display domain.

Example

# Display the configuration information about all the ISP domains.

<H3C> display domain

0  Domain = system

   State = Active

   Scheme = LOCAL 

   Access-limit = Disable

   Vlan-assignment-mode = Integer

   accounting-mode = time        

   Domain User Template:

   Idle-cut = Disable

   Self-service = Disable

   Messenger Time = Disable

 

Default Domain Name: system

Total 1 domain(s).1 listed.

Table 1-1 describes the fields shown in the display.

Table 1-1 Description on the fields of the display domain command

Field: Description

0 Domain: ISP domain index (0) followed by the domain name

State: State of the ISP domain

Scheme: AAA scheme used by the domain: LOCAL (local authentication), NONE (no authentication), or RADIUS scheme name

Access-limit: Limit on the number of access users

Vlan-assignment-mode: Dynamic VLAN assignment mode: integer or string

accounting-mode: Accounting mode: time (time-based accounting) or traffic (traffic-based accounting)

Domain User Template: Domain user template

Idle-cut: Idle-cut function setting. Disable means the idle-cut function is disabled; enable means it is enabled.

Self-service: URL of the self-service server. Disable means the self-service server location function is disabled; once it is enabled, the URL of the configured self-service server is displayed.

Messenger Time: State of the messenger time service. Disable means the messenger time service is disabled; once it is configured, the time limit and interval of the prompt messages are displayed.

 

1.1.6  display local-user

Syntax

display local-user [ domain isp-name | idle-cut { enable | disable } | service-type { telnet | ftp | ssh | terminal | lan-access } | state { active | block } | user-name user-name | vlan vlan-id ]

View

Any view

Parameter

domain isp-name: Displays all the local users who belong to the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.

idle-cut: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. disable specifies the inhibited local users and enable specifies the allowed local users. This keyword only applies to the users configured with lan-access service. For users configured with any other type of service, the display local-user idle-cut enable and display local-user idle-cut disable commands do not output any user information.

service-type: Displays the local users of the specified type. You can specify one of the following user types: telnet, ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, terminal (this type of users are terminal users who log into the switch through the Console port).

state { active | block }: Displays the local users in the specified state. active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.

user-name user-name: Displays the local user who has the specified user name. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) can contain no more than 55 characters.

vlan vlan-id: Displays the local users belonging to the specified VLAN. The value of vlan-id ranges from 1 to 4,094.

Description

Use the display local-user command to display information about a specific or all local users, so as to troubleshoot local user configuration.

By default, this command displays the information about all local users.

Related command: local-user, service-type.

Example

# Display information about all the local users.

<H3C> display local-user

The contents of local user user1:

State:          Active            ServiceType Mask: T

 Idle-cut:       Disable

 Access-limit:   Disable           Current AccessNum: 0

 Bind location:  Disable

 Vlan ID:        Disable

 IP address:     Disable

 MAC address:    Disable

 User Privilege: 0

 

Total 1 local user(s) Matched, 1 listed.

Table 1-2 describes the fields in the above display output.

Table 1-2 Description on the fields of the display local-user command

Field: Description

State: State of the local user

ServiceType Mask: Service type mark of the local user: T (Telnet), S (SSH), C (Terminal service), LM (lan-access), F (FTP), None (no service type is set)

Idle-cut: State of the idle-cut function

Access-limit: Limit on the number of access users

Bind location: Whether or not the user is bound to a port

Vlan ID: VLAN of the user

IP address: IP address of the user

MAC address: MAC address of the user

User Privilege: User privilege level

 

1.1.7  domain

Syntax

domain { isp-name | default { disable | enable isp-name } }

undo domain isp-name

View

System view

Parameter

isp-name: Name of an ISP domain, a character string of up to 24 characters. This string cannot contain the following characters: /:*?<>.

default enable isp-name: Specifies the default ISP domain.

disable: Restores the default ISP domain "system".

Description

Use the domain command to create an ISP domain or enter the view of an existing ISP domain.

Use the undo domain command to delete a specified ISP domain.

The default ISP domain is "system".

An ISP domain is an ISP user group comprising the users of the same ISP. Normally, in a username in the userid@isp-name format (such as gw20010608@aabbcc.net), the isp-name after "@" (aabbcc.net in this example) is the name of the ISP domain. When implementing access control for ISP users with the name format userid@isp-name, an H3C series Ethernet switch uses userid as the user name for authentication and isp-name as the domain name.

ISP domains are intended to support a multi-ISP application environment where an access device may be accessed by users of different ISPs. The user attributes, such as username/password composition and service type/privilege, of ISP users may vary. Therefore, it is necessary to distinguish between them by setting ISP domains. You can configure a complete set of independent ISP domain attributes, including AAA schemes (such as the RADIUS scheme used), for each ISP domain in ISP domain view.

For the switch, each access user belongs to an ISP domain.

You can configure up to 16 ISP domains in the system. If the specified ISP domain does not exist when you issue this command, the system creates a new ISP domain. An ISP domain is active immediately after being created.

Related command: access-limit, scheme, state, display domain.
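The user-name rules given on this page (up to 80 characters, none of /:*?<>, at most one @, user ID of at most 55 characters, ISP domain name of at most 24 characters) and the userid@isp-name split with the default domain, as an added Python example that is not part of the H3C reference. The helper names, the handling of a trailing "@" with no domain, and the rejection of a user whose domain is not configured are assumptions made for the example.

```python
# Added example (not H3C code): applies the user-name rules stated in this reference to a
# login name and resolves the ISP domain the switch would use for authentication.
from typing import Optional, Set, Tuple

MAX_USER_NAME = 80   # whole user-name, including "@isp-name"
MAX_USER_ID = 55     # pure user name (the part before "@")
MAX_ISP_NAME = 24    # ISP domain name length, from the domain command
FORBIDDEN_CHARS = frozenset('/:*?<>')


class UserNameError(ValueError):
    """Raised when a user-name violates the rules given in this reference."""


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Validate user_name and return (user_id, isp_name); isp_name is None when no "@" is present."""
    if not user_name or len(user_name) > MAX_USER_NAME:
        raise UserNameError(f"user-name must be 1 to {MAX_USER_NAME} characters")
    bad = FORBIDDEN_CHARS.intersection(user_name)
    if bad:
        raise UserNameError(f"user-name contains forbidden character(s): {''.join(sorted(bad))}")
    if user_name.count('@') > 1:
        raise UserNameError("user-name may contain at most one @ character")
    user_id, at, isp_name = user_name.partition('@')
    if not user_id or len(user_id) > MAX_USER_ID:
        raise UserNameError(f"user ID must be 1 to {MAX_USER_ID} characters")
    if at:
        # Assumption: an "@" with nothing after it is rejected instead of mapped to the default domain.
        if not isp_name or len(isp_name) > MAX_ISP_NAME:
            raise UserNameError(f"ISP domain name must be 1 to {MAX_ISP_NAME} characters")
        return user_id, isp_name
    return user_id, None


def is_valid_user_name(user_name: str) -> bool:
    """Boolean form of split_user_name, for filters and tests."""
    try:
        split_user_name(user_name)
        return True
    except UserNameError:
        return False


def resolve_domain(user_name: str, configured_domains: Set[str],
                   default_domain: str = 'system') -> Tuple[str, str]:
    """Return (user_id, isp_domain) as the switch would use them for authentication.

    A name without "@" falls into default_domain (the domain default enable setting,
    "system" unless changed). Assumption: a name whose domain part is not configured is
    rejected rather than re-homed, so a mistyped domain cannot select another domain's
    AAA scheme.
    """
    user_id, isp_name = split_user_name(user_name)
    domain = isp_name if isp_name is not None else default_domain
    if domain not in configured_domains:
        raise UserNameError(f"ISP domain {domain!r} does not exist")
    return user_id, domain


if __name__ == '__main__':
    # Constructed sample names; aabbcc.net is the domain used in the examples of this reference.
    domains = {'system', 'aabbcc.net'}
    for name in ('gw20010608@aabbcc.net', 'alice', 'a@b@c', 'bad/name'):
        try:
            print(name, '->', resolve_domain(name, domains))
        except UserNameError as exc:
            print(name, '-> rejected:', exc)
```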

Example

# Create an ISP domain named aabbcc.net and enter its view.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net]

1.1.8  idle-cut

Syntax

idle-cut { disable | enable minute flow }

View

ISP domain view

Parameter

disable: Inhibits users from enabling the idle-cut function.

enable: Allows users to enable the idle-cut function.

minute: Maximum idle time, ranging from 1 minute to 120 minutes.

flow: Minimum data flow, ranging from 1 byte to 10,240,000 bytes (10 M).

Description

Use the idle-cut command to set the user idle-cut function in current ISP domain.

By default, after an ISP domain is created, the idle-cut function in its user template is disabled.

A user template is a set of default user attributes. If a user requesting a network service lacks a required attribute, the attribute in the specified user template is used as the user's default. If neither the user nor the RADIUS server specifies whether the idle-cut function is enabled, the idle-cut state of the user template is applied to the user.

A user template applies to only one ISP domain. Therefore, you need to configure different user template attributes for users in different ISP domains.

Related command: domain.

Example

# Allow users in ISP domain aabbcc.net to enable the idle-cut attribute in user template (that is, allow the user to use the idle-cut function), with the maximum idle time of 50 minutes and the minimum data flow of 500 bytes.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] idle-cut enable 50 500

1.1.9  level

Syntax

level level

undo level

View

Local user view

Parameter

level: Priority level of the user. It is an integer ranging from 0 to 3 and defaulting to 0.

Description

Use the level command to set the priority level of the user.

Use the undo level command to restore the default priority level of the user.

 

Note:

The commands that a user can access after login are determined by the priority level of the user and the level set on the user interface. If the two levels are different:

- The command level that a user passing AAA/RADIUS authentication can access is determined by the priority level of the user. For example, if the priority level of a user is 3 and the command level set on the VTY 0 user interface is 1, the user can access the commands under level 3 after logging in to the system from VTY 0.

- The command level that a user passing RSA authentication can access is determined by the level set on the user interface.

 

Example

# Set the user level to 3.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user aabbcc

[H3C-luser-aabbcc] level 3

1.1.10  local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { telnet | ftp | lan-access | ssh | terminal } ] }

View

System view

Parameter

user-name: Name of a local user, a character string of up to 80 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters. The local user name is case insensitive; for example, the system considers UserA and usera as the same user.

service-type: Specifies the local users of the specified type. You can specify one of the following user types: telnet, ftp, lan-access (generally, users of this type are Ethernet access users, for example, 802.1x users), ssh, and terminal (users of this type are terminal users who log into the switch through the Console port).

all: Specifies all the local users.

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to delete one or more specified local users.

By default, there is no local user in the system.

Related command: display local-user and service-type.

Example

# Add a local user named aabbcc.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user aabbcc

[H3C-luser-aabbcc]

1.1.11  local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameter

cipher-force: Adopts the forcible cipher mode; that is, the passwords of all the local users must be displayed in cipher text.

auto: Adopts the automatic mode; that is, the passwords of local users are displayed in the modes set with the password command.

Description

Use the local-user password-display-mode command to set the password display mode of all the local users.

Use the undo local-user password-display-mode command to restore the default password display mode of all the local users.

When the cipher-force mode is adopted, all passwords are displayed in cipher text even though some users have specified that their passwords be displayed in plain text by using the password command with the simple keyword.

By default, the password display mode of all access users is auto.

Related command: display local-user and password.

Example

# Specify to display all the local user passwords in cipher text forcibly.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user password-display-mode cipher-force

1.1.12  messenger

Syntax

messenger time { enable limit interval | disable }

undo messenger time

View

ISP domain view

Parameter

limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit.

interval: Interval at which to send prompt messages (in minutes). This argument ranges from 5 to 60 and must be a multiple of 5.

Description

Use the messenger time enable command to enable the messenger function and set the related parameters.

Use the messenger time disable command to disable the messenger function.

Use the undo messenger time command to restore the messenger function to its default state.

By default, the messenger function is disabled on the switch.

The purpose of this function is to remind online users of their remaining online time through their clients, in the form of a message dialog.

The messenger function is implemented as follows:

- You use the messenger time enable command to set a remaining online time limit and the interval at which to send prompt messages.

- After that, the switch regularly sends prompt messages at the set interval to the clients of the users whose remaining online time is less than the set limit.

- The clients inform the users of their remaining online time in the form of a message dialog.

Example

# Enable the switch to send prompt messages every five minutes to users after their remaining online time is less than 30 minutes.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain system

New Domain added.

[H3C-isp-system] messenger time enable 30 5

1.1.13  name

Syntax

name string

undo name

View

VLAN view

Parameter

string: VLAN name for VLAN assignment, a character string of up to 32 characters.

Description

Use the name command to set a VLAN name, which will be used for VLAN assignment.

Use the undo name command to cancel the VLAN name.

By default, a VLAN uses its VLAN ID (like VLAN 0001) as its name.

This command is used for the dynamic VLAN assignment function. For details about this function, refer to the vlan-assignment-mode command.

Related command: dot1x guest-vlan and vlan-assignment-mode.

Example

# Set the name of VLAN 100 to test.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 100

[H3C-vlan100] name test

1.1.14  password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameter

simple: Specifies to display the password in plain text.

cipher: Specifies to display the password in cipher text.

password: Password you want to set, a character string.

- For simple mode, the password must be in plain text.

- For cipher mode, the password can be either in cipher text or in plain text, depending on your input.

A password in plain text can be a string of up to 16 consecutive characters, for example, aabbcc918. A password in cipher text must be 24 characters in length, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

Description

Use the password command to set a password for the local user.

Use the undo password command to cancel the password configured.

Note that, after the local-user password-display-mode cipher-force command is executed, the password will be displayed in cipher text even if you use the password command to set the password to be displayed in plain text, that is, in the simple mode.

Related command: display local-user.

Example

# Set the password of a user named aabbcc to 20030422 and specify to display the password in plain text.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user aabbcc

[H3C-luser-aabbcc] password simple 20030422

1.1.15  radius-scheme

Syntax

radius-scheme radius-scheme-name

View

ISP domain view

Parameter

radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.

Description

Use the radius-scheme command to specify the RADIUS scheme to be used by current ISP domain.

Once an ISP domain is created, it uses the local AAA scheme instead of any RADIUS scheme by default.

The RADIUS scheme you specified in the radius-scheme command must be an existing scheme. This command is equivalent to the scheme command.

Related command: radius scheme, display radius.

Example

# Specify the scheme "scheme1" as the RADIUS scheme to be used by current ISP domain "aabbcc.net".

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] radius-scheme scheme1

1.1.16  scheme

Syntax

scheme { radius-scheme radius-scheme-name [ local ] | local | none }

undo scheme [ radius-scheme | none ]

View

ISP domain view

Parameter

radius-scheme-name: Name of a RADIUS scheme referenced, a character string of up to 32 characters.

local: Specifies to use local authentication.

none: Specifies not to perform authentication.

Description

Use the scheme command to specify the AAA scheme used by current ISP domain.

Use the undo scheme command to restore the default AAA scheme used by the ISP domain.

By default, the ISP domain uses the local AAA scheme.

If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme becomes the secondary scheme in case the RADIUS server does not respond normally. That is, if the communication between the switch and the RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed. If you configure a RADIUS scheme but configure no local authentication, local authentication does not work after the authentication fails.

If the AAA scheme is specified as local, the system uses local authentication only but not RADIUS authentication. This is also true of the none and local AAA schemes.

You can also configure the RADIUS scheme used by the ISP domain by using the radius-scheme command.

Related command: radius scheme and display radius.
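The decision path of the scheme command described above, as an added Python model that is not part of the H3C reference: local authentication is consulted only when the RADIUS server does not respond, never after a definite reject, and the none scheme admits everyone. RadiusResult, DomainScheme, authenticate, the radius_lookup callback and the local user table are constructed for this example.

```python
# Added example (not H3C code): models which authentication path an ISP domain's AAA
# scheme takes, following the scheme command description in this reference.
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class RadiusResult(Enum):
    ACCEPT = 'accept'            # Access-Accept from the server
    REJECT = 'reject'            # Access-Reject from the server
    NO_RESPONSE = 'no-response'  # server unreachable or timed out: "does not respond normally"


@dataclass
class DomainScheme:
    """One ISP domain's setting: scheme radius-scheme NAME [ local ] | local | none."""
    radius_scheme: Optional[str] = None  # name given to scheme radius-scheme, or None
    local_fallback: bool = False         # the optional trailing 'local' keyword
    none: bool = False                   # scheme none: no authentication at all


# Stand-in for the RADIUS exchange (constructed): (scheme_name, user_id, password) -> RadiusResult
RadiusLookup = Callable[[str, str, str], RadiusResult]


def _local_auth(user_id: str, password: str, local_users: Dict[str, str]) -> bool:
    # Local user names are case-insensitive (local-user command), so the table is keyed lower-case.
    stored = local_users.get(user_id.lower())
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def authenticate(scheme: DomainScheme, user_id: str, password: str,
                 radius_lookup: RadiusLookup, local_users: Dict[str, str]) -> Tuple[bool, str]:
    """Return (granted, method) for one login under the given domain scheme."""
    if scheme.none:
        return True, 'none'                      # scheme none: no authentication is performed
    if scheme.radius_scheme is None:
        return _local_auth(user_id, password, local_users), 'local'
    result = radius_lookup(scheme.radius_scheme, user_id, password)
    if result is RadiusResult.ACCEPT:
        return True, 'radius'
    if result is RadiusResult.REJECT:
        # A definite reject is final: the local scheme backs up an unresponsive server,
        # it is not a second try against a different credential store.
        return False, 'radius'
    if scheme.local_fallback:
        return _local_auth(user_id, password, local_users), 'local-fallback'
    # RADIUS configured without 'local': no local authentication once the RADIUS attempt fails.
    return False, 'radius-no-response'


if __name__ == '__main__':
    # Constructed stand-ins: one reachable RADIUS scheme, one that never answers, one local user.
    def demo_radius(scheme_name: str, user_id: str, password: str) -> RadiusResult:
        if scheme_name == 'down':
            return RadiusResult.NO_RESPONSE
        ok = {'scheme1': {'alice': 'pw1'}}.get(scheme_name, {}).get(user_id) == password
        return RadiusResult.ACCEPT if ok else RadiusResult.REJECT

    local = {'alice': 'localpw'}
    for cfg in (DomainScheme('scheme1', True), DomainScheme('down', True),
                DomainScheme('down', False), DomainScheme(), DomainScheme(none=True)):
        print(cfg, '->', authenticate(cfg, 'alice', 'localpw', demo_radius, local))
```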

Example

# Specify the RADIUS scheme "scheme1" as the AAA scheme referenced by the ISP domain "aabbcc.net".

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] scheme radius-scheme scheme1

1.1.17  self-service-url

Syntax

self-service-url enable url-string

self-service-url disable

View

ISP domain view

Parameter

url-string: URL of the web page used to modify user password on the self-service server. It is a string of 1 to 64 characters. This string can contain no question mark "?". If the actual URL of the self-service server contains any question mark, you need to change the question mark to the "|" character before entering the URL at the command line.

Description

Use the self-service-url enable command to enable the self-service server location function.

Use the self-service-url disable command to disable the self-service server location function.

By default, this function is disabled on the switch.

This command must be used in cooperation with a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.

After this command is executed on the switch, users can locate the self-service server by performing the following steps:

- Choose [change user password] on the 802.1x client.

- The client opens the default browser (for example, IE or Netscape) and locates the specified URL page used to change user password on the self-service server.

- Then, the user can change the password.

A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is greyed out and is unavailable.

Example

# Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain system

[H3C-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

1.1.18  service-type

Syntax

service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] }

undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* }

View

Local user view

Parameter

ftp: Specifies that this is an FTP user.

ftp-directory directory: Specifies the path for FTP users. directory is a string of up to 64 characters.

lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user).

ssh: Specifies that this is an SSH user.

telnet: Specifies that this is a Telnet user.

terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).

level level: Specifies the level of the Telnet, terminal or SSH user. level is an integer ranging from 0 to 3 and defaulting to 0.

Description

Use the service-type command to authorize the user to access the specified type(s) of service.

Use the undo service-type command to withdraw the user's authorization for the specified type(s) of service.

Example

# Authorize aabbcc to access the lan-access service.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user aabbcc

[H3C-luser-aabbcc] service-type lan-access

1.1.19  state

Syntax

state { active | block }

View

ISP domain view or local user view

Parameter

active: Activates the current ISP domain (in ISP domain view) or the current local user (in local user view), allowing the users in the domain, or the user, to access the network.

block: Blocks the current ISP domain (in ISP domain view) or the current local user (in local user view), preventing the users in the domain, or the user, from accessing the network.

Description

Use the state command to set the status of the current ISP domain or of the current local user.

By default, an ISP domain is in the active state once it is created (in ISP domain view), and a local user is in the active state once the user is created (in local user view).

In ISP domain view, each ISP domain can be in one of two states: active or block. Users in an active ISP domain are allowed to access the network. After an ISP domain is set to the block state, users in this domain can no longer access the network; users that are already online are not affected. Blocking a domain therefore does not terminate existing sessions. To force already-online users offline, use the cut connection command.

Related command: domain, cut connection.

Example

# Set the ISP domain aabbcc.net to the block state so that users of this domain that are not currently online cannot access the network.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] state block

# Set aabbcc to the block state.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] local-user aabbcc

[H3C-luser-aabbcc] state block

1.1.20  vlan-assignment-mode

Syntax

vlan-assignment-mode { integer | string }

View

ISP domain view

Parameter

integer: Sets the VLAN assignment mode to integer.

string: Sets the VLAN assignment mode to string.

Description

Use the vlan-assignment-mode command to set the VLAN assignment mode (integer or string) on the switch.

By default, the VLAN assignment mode is integer; that is, the switch expects the RADIUS authentication server to assign VLAN IDs as integers.

The dynamic VLAN assignment feature enables a switch to add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. When using this feature together with Guest VLAN, you are recommended to set the port access control method to port-based.

Currently, the switch supports two forms of VLAN ID assigned by the RADIUS authentication server: integer and string.

•           Integer: Upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID equals the assigned integer. If no such VLAN exists, the switch first creates a VLAN with the assigned ID and then adds the port to the newly created VLAN.

•           String: Upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the string with the names of the existing VLANs on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user cannot pass authentication.

Which of the two modes, integer or string, to configure depends on the authentication server: different authentication servers deliver the VLAN attribute in different forms, so you are recommended to configure the switch to match the form your server uses.

Table 1-3 lists the dynamic VLAN assignment modes of some common servers.

Table 1-3 Common dynamic VLAN assignment modes

Server type                           Dynamic VLAN assignment mode
CAMS                                  Integer (in the latest version, determined by the attribute)
ACS                                   String
FreeRADIUS                            Determined by the attribute (100 for integer; "100" for string)
Shiva Access Manager                  String
Steel-Belted Radius Administrator     String

 

  Caution:

•      You are recommended to configure the VLAN assignment mode on the switch to match the form in which the RADIUS authentication server delivers the VLAN attribute value. Configure the correct mode with the vlan-assignment-mode command so that the switch correctly identifies the dynamically assigned VLAN. If the modes differ, the assignment may not take effect as expected.

•      In string mode, the VLAN to be assigned must already exist on the switch and must have a VLAN name configured. Integer mode has no such requirement.

•      In string mode, if the VLAN assigned by the RADIUS server is a character string consisting only of digits (for example, 1024), the switch first treats it as an integer VLAN ID: it converts the string to an integer and checks whether the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with that ID (VLAN 1024 in this example). Consequently, a VLAN whose name consists only of digits cannot be reliably addressed by name in string mode.

 

Related command: name, dot1x guest-vlan.

Example

# Set the VLAN assignment mode to string.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] domain aabbcc.net

New Domain added.

[H3C-isp-aabbcc.net] vlan-assignment-mode string
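The assignment decision described above, as an added example written for this page (not H3C code): a small Python model of how the switch resolves the VLAN value assigned by the RADIUS server in integer and string mode, including the digit-only string case from the Caution. The valid VLAN ID range 1 to 4094, the port names, the `Switch`/`assign` names, and the on-demand creation of a VLAN addressed by a digit-only string in string mode are assumptions, not statements of the manual.

```python
"""Model of the dynamic VLAN assignment decision made for an authenticated port
under both vlan-assignment-mode settings (integer / string).
Constructed example, not H3C code."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: the manual does not state the valid VLAN ID range; 1-4094 is used here.
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


def is_digit_string(value: str) -> bool:
    """True for an ASCII digit-only string such as "1024" (rejects '', '1a', non-ASCII digits)."""
    return value.isascii() and value.isdigit()


@dataclass
class Switch:
    mode: str = "integer"                                          # vlan-assignment-mode { integer | string }
    vlans: Dict[int, Optional[str]] = field(default_factory=dict)  # VLAN ID -> configured name (None = no name)
    port_vlan: Dict[str, int] = field(default_factory=dict)        # port -> VLAN the authenticated port joined

    def _join_by_id(self, port: str, vlan_id: int) -> bool:
        """Integer-style join: the VLAN is created on demand if it does not exist."""
        if not VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX:
            return False
        if vlan_id not in self.vlans:
            self.vlans[vlan_id] = None      # created without a name, as integer mode does
        self.port_vlan[port] = vlan_id
        return True

    def assign(self, port: str, attr: str) -> bool:
        """Apply the value the RADIUS server assigned for the user on `port`.

        Returns True if the port was added to a VLAN; False means the VLAN
        assignment failed and the user does not pass authentication.
        """
        if self.mode == "integer":
            # Integer mode: the value must be a VLAN ID; VLAN names are never matched.
            return is_digit_string(attr) and self._join_by_id(port, int(attr))

        # String mode, step 1 (Caution): a digit-only string in range is treated as a VLAN ID.
        # Assumption: the manual does not say whether such a VLAN is created if missing;
        # this model creates it, as in integer mode.
        if is_digit_string(attr) and VLAN_ID_MIN <= int(attr) <= VLAN_ID_MAX:
            return self._join_by_id(port, int(attr))

        # String mode, step 2: match against names of existing VLANs; the VLAN must
        # already exist and carry a name, otherwise authentication fails.
        for vlan_id, name in self.vlans.items():
            if name is not None and name == attr:
                self.port_vlan[port] = vlan_id
                return True
        return False


if __name__ == "__main__":
    sw = Switch(mode="string", vlans={10: "staff", 30: None})   # constructed VLAN table
    for value in ("staff", "guest", "1024", "5000"):
        result = "ok" if sw.assign("GE1/0/1", value) else "authentication fails"
        print(f"string mode, server assigned {value!r}: {result}")
```

Run with the server value set to what your RADIUS server actually sends (for example 100 versus "100" in the FreeRADIUS row of Table 1-3) to see which mode succeeds. The model also makes the Caution concrete: in string mode a value such as "1024" never reaches the name comparison, so naming a VLAN with bare digits gives that name no effect.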

1.2  RADIUS Configuration Commands

1.2.1  accounting-on enable

Syntax

accounting-on enable [ send times | interval interval ]

undo accounting-on { enable | send | interval }

View

RADIUS scheme view

Parameter

times: Maximum number of attempts to send Accounting-On packets, ranging from 1 to 256 and defaulting to 40.

interval: Interval at which Accounting-On packets are sent, in seconds, ranging from 1 to 30 and defaulting to 3.

Description

Use the accounting-on enable command to enable the user re-authentication upon device restart function.

Use the undo accounting-on enable command to disable the user re-authentication upon device restart function and restore the default interval and maximum number of attempts to transmit Accounting-On packets.

Use the undo accounting-on send command to restore the default maximum number of attempts to transmit Accounting-On packets.

Use the undo accounting-on interval command to restore the default interval to transmit Accounting-On packets.

By default, this function is disabled.

This function solves the following problem: after the switch restarts, the RADIUS server still records the users who were online before the restart as online, so they cannot log in again through the switch. After this function is enabled, every time the switch restarts:

•           The switch generates an Accounting-On packet, which mainly carries the following information: NAS-ID, NAS-IP address (source IP address), and session ID.

•           The switch sends the Accounting-On packet to CAMS at the configured interval.

•           Once CAMS receives the Accounting-On packet, it sends a response to the switch. At the same time, using the information in the packet (NAS-ID, NAS-IP address and session ID), it finds and deletes the online records of the users who accessed the network through the switch before the restart, and ends the accounting of those users based on the last accounting update packet received.

•           Once the switch receives the response from CAMS, it stops sending Accounting-On packets.

•           If the switch has received no response from CAMS after the number of times it has sent the Accounting-On packet reaches the configured maximum,