10-Security

HomeSupportResource CenterH3C Access Controllers Command References(E5208P03 E5215P01 R5215P01)-6W10210-Security
01-AAA commands
Title Size Download
01-AAA commands 560.39 KB

Contents

AAA commands· 1

General AAA commands· 1

aaa nas-id profile· 1

aaa session-limit 1

accounting command· 2

accounting default 3

accounting lan-access· 4

accounting login· 5

accounting portal 6

accounting ppp· 8

accounting quota-out 9

accounting start-fail 10

accounting update-fail 10

authentication default 11

authentication ike· 12

authentication lan-access· 13

authentication login· 14

authentication portal 15

authentication ppp· 16

authentication super 17

authorization command· 18

authorization default 20

authorization ike· 21

authorization lan-access· 22

authorization login· 23

authorization portal 24

authorization ppp· 25

authorization-attribute (ISP domain view) 26

basic-service-ip-type· 27

dhcpv6-follow-ipv6cp· 28

display domain· 29

domain· 33

domain default enable· 34

domain if-unknown· 34

ita-policy· 35

nas-id bind vlan· 36

service-type (ISP domain view) 37

session-time include-idle-time· 37

state (ISP domain view) 38

user-address-type· 39

Local user commands· 40

access-limit 40

authorization-attribute (local user view/user group view) 40

bind-attribute· 43

company· 44

description· 45

display local-guest waiting-approval 45

display local-user 46

display user-group· 50

email 51

full-name· 52

group· 53

local-guest auto-delete enable· 53

local-guest email format 54

local-guest email sender 55

local-guest email smtp-server 56

local-guest generate· 56

local-guest manager-email 58

local-guest send-email 58

local-guest timer 59

local-user 60

local-user-export class network guest 61

local-user-import class network guest 62

password· 64

phone· 65

reset local-guest waiting-approval 66

service-type (local user view) 66

sponsor-department 67

sponsor-email 67

sponsor-full-name· 68

state (local user view) 69

user-group· 69

validity-datetime· 70

Local BYOD authorization commands· 71

byod authorization· 71

byod rule· 73

byod rule-order 74

display byod rule· 75

display byod rule-order 76

RADIUS commands· 77

accounting-on enable· 77

accounting-on extended· 78

attribute 15 check-mode· 79

attribute 25 car 79

attribute 31 mac-format 80

attribute remanent-volume· 81

client 82

data-flow-format (RADIUS scheme view) 82

display radius scheme· 83

display radius statistics· 86

key (RADIUS scheme view) 87

nas-ip (RADIUS scheme view) 88

port 89

primary accounting (RADIUS scheme view) 90

primary authentication (RADIUS scheme view) 91

radius dscp· 92

radius dynamic-author server 93

radius nas-ip· 93

radius scheme· 95

radius session-control client 95

radius session-control enable· 96

radius-server test-profile· 97

reset radius statistics· 98

retry· 98

retry realtime-accounting· 99

secondary accounting (RADIUS scheme view) 100

secondary authentication (RADIUS scheme view) 101

snmp-agent trap enable radius· 103

state primary· 104

state secondary· 105

timer quiet (RADIUS scheme view) 106

timer realtime-accounting (RADIUS scheme view) 107

timer response-timeout (RADIUS scheme view) 108

user-name-format (RADIUS scheme view) 109

HWTACACS commands· 110

data-flow-format (HWTACACS scheme view) 110

display hwtacacs scheme· 111

hwtacacs nas-ip· 112

hwtacacs scheme· 113

key (HWTACACS scheme view) 114

nas-ip (HWTACACS scheme view) 115

primary accounting (HWTACACS scheme view) 116

primary authentication (HWTACACS scheme view) 117

primary authorization· 119

reset hwtacacs statistics· 120

secondary accounting (HWTACACS scheme view) 120

secondary authentication (HWTACACS scheme view) 122

secondary authorization· 123

timer quiet (HWTACACS scheme view) 124

timer realtime-accounting (HWTACACS scheme view) 125

timer response-timeout (HWTACACS scheme view) 126

user-name-format (HWTACACS scheme view) 126

LDAP commands· 127

attribute-map· 127

authentication-server 128

authorization-server 129

display ldap scheme· 129

ip· 131

ipv6· 132

ldap attribute-map· 133

ldap scheme· 133

ldap server 134

login-dn· 135

login-password· 135

map· 136

protocol-version· 137

search-base-dn· 138

search-scope· 138

server-timeout 139

user-parameters· 140

ITA policy commands· 141

accounting-level 141

accounting-merge enable· 141

accounting-method· 142

ita policy· 143

traffic-quota-out 143

traffic-separate· 144


AAA commands

General AAA commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.

Use undo aaa nas-id profile to delete a NAS-ID profile.

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

Default

No NAS-ID profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.

Examples

# Create a NAS-ID profile named aaa and enter its view.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

·     nas-id bind vlan

·     port-security nas-id-profile

·     portal nas-id-profile

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range for this argument is 1 to 32 for FTP, SSH, and Telnet users, and 1 to 64 for HTTP and HTTPS users.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.

·     When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.

·     When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

·     accounting default

·     command accounting (Fundamentals Command Reference)

·     hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting methods are used for all users that support these methods and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

accounting lan-access

Use accounting lan-access to specify accounting methods for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

Default

The default accounting methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

·     accounting default

·     local-user

·     radius scheme

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

·     accounting default

·     hwtacacs scheme

·     local-user

·     radius scheme

accounting portal

Use accounting portal to specify accounting methods for portal users.

Use undo accounting portal to restore the default.

Syntax

accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

Default

The default accounting methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

# In ISP domain test, broadcast accounting requests of portal users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

·     accounting default

·     local-user

·     radius scheme

accounting ppp

Use accounting ppp to specify accounting methods for PPP users.

Use undo accounting ppp to restore the default.

Syntax

accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting ppp

Default

The default accounting methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp local

# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp radius-scheme rd local

# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

·     accounting default

·     local-user

·     radius scheme

accounting quota-out

Use accounting quota-out to configure access control for users that have used up their data quotas.

Use undo accounting quota-out to restore the default.

Syntax

accounting quota-out { offline | online }

undo accounting quota-out

Default

The device logs off users that have used up their data quotas.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that have used up their data quotas.

online: Allows users that have used up their data quotas to stay online.

Examples

# In ISP domain test, configure the device to allow users that have used up their data quotas to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting quota-out online

accounting start-fail

Use accounting start-fail to configure access control for users that encounter accounting-start failures.

Use undo accounting start-fail to restore the default.

Syntax

accounting start-fail { offline | online }

undo accounting start-fail

Default

The device allows users that encounter accounting-start failures to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that encounter accounting-start failures.

online: Allows users that encounter accounting-start failures to stay online.

Examples

# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.

Use undo accounting update-fail to restore the default.

Syntax

accounting update-fail { [ max-times times ] offline | online }

undo accounting update-fail

Default

The device allows users that have failed all their accounting-update attempts to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-times times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the times argument is 1 to 255, and the default value is 1.

offline: Logs off users that have failed all their accounting-update attempts.

online: Allows users that have failed all their accounting-update attempts to stay online.

Examples

# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting update-fail online

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication methods are used for all users that support these methods and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     ldap scheme

·     local-user

·     radius scheme

authentication ike

Use authentication ike to specify extended authentication methods for IKE users.

Use undo authentication ike to restore the default.

Syntax

authentication ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ike

Default

The default authentication methods of the ISP domain are used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local authentication through IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ike local

# In ISP domain test, perform IKE extended authentication based on RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ike radius-scheme rd local

Related commands

·     authentication default

·     local-user

·     radius scheme

authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

Default

The default authentication methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

·     authentication default

·     hwtacacs scheme

·     ldap scheme

·     local-user

·     radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

·     authentication default

·     hwtacacs scheme

·     ldap scheme

·     local-user

·     radius scheme

authentication portal

Use authentication portal to specify authentication methods for portal users.

Use undo authentication portal to restore the default.

Syntax

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

Default

The default authentication methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

·     authentication default

·     ldap scheme

·     local-user

·     radius scheme

authentication ppp

Use authentication ppp to specify authentication methods for PPP users.

Use undo authentication ppp to restore the default.

Syntax

authentication ppp { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ppp

Default

The default authentication methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp local

# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands

·     authentication default

·     local-user

·     radius scheme

authentication super

Use authentication super to specify methods for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.

If you specify a scheme to provide the method for user role authentication, the following rules apply:

·     If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server to represent the highest user level that a user can obtain. For example, to obtain a level-3 user role of which username is test, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.

·     If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n represents a user role level. For example, to obtain a level-3 user role, the device uses the username string $enab3$.

For more information about user role authentication, see Fundamentals Configuration Guide.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

·     authentication default

·     hwtacacs scheme

·     radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role.

The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

·     command authorization (Fundamentals Command Reference)

·     hwtacacs scheme

·     local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Non-login users can access the network.

·     Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization methods are used for all users that support these methods and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

authorization ike

Use authorization ike to specify authorization methods for IKE extended authentication.

Use undo authorization ike to restore the default.

Syntax

authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ike

Default

The default authorization methods of the ISP domain are used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ike radius-scheme radius-scheme-name local none command specifies one primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ike local

Related commands

·     authorization default

·     local-user

authorization lan-access

Use authorization lan-access to specify authorization methods for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

Default

The default authorization methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

·     authorization default

·     local-user

·     radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

·     authorization default

·     hwtacacs scheme

·     local-user

·     radius scheme

authorization portal

Use authorization portal to specify authorization methods for portal users.

Use undo authorization portal to restore the default.

Syntax

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

Default

The default authorization methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

·     authorization default

·     local-user

·     radius scheme

authorization ppp

Use authorization ppp to specify authorization methods for PPP users.

Use undo authorization ppp to restore the default.

Syntax

authorization ppp { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ppp

Default

The default authorization methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp local

# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp radius-scheme rd local

Related commands

·     authorization default

·     local-user

·     radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | idle-cut minute [ flow ] | igmp max-access-number number | ip-pool pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-group user-group-name | user-profile profile-name }

undo authorization-attribute { acl | idle-cut | igmp | ip-pool | ipv6-pool | ipv6-prefix | mld | primary-dns | secondary-dns | session-timeout | url | user-group | user-profile }

Default

No authorization attributes are configured for users in an ISP domain and the idle cut feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 5999. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the ACL applies before portal authentication. This option is applicable only to LAN and portal users.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 600.

flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.

igmp max-access-number number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the number argument is 1 to 64. This option is applicable only to portal and PPP users.

ip-pool pool-name: Specifies an IPv4 address pool for users. The pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal and PPP users.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal and PPP users.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the ipv6-prefix prefix-length argument is 1 to 128. This option is applicable only to PPP users.

mld max-access-number number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the number argument is 1 to 64. This option is applicable only to portal and PPP users.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to PPP users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to PPP users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to PPP users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to PPP users.

session-timeout minutes: Specifies the session timeout timer for users, in minutes. The value range for the minutes argument is 1 to 4294967295. The device logs off a user when the user's session timeout timer expires. This option is applicable only to PPP, portal, and LAN users.

url url-string: Specifies the URL to which PPP users are redirected after they pass authentication. The url-string argument is a case-sensitive string of 1 to 255 characters. This option is applicable only to PPP users.

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to LAN, portal, and PPP users.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user.

You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

basic-service-ip-type

Use basic-service-ip-type to specify the types of IP addresses that PPPoE users must rely on to use the basic services.

Use undo basic-service-ip-type to restore the default.

Syntax

basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *

undo basic-service-ip-type

Default

PPPoE users do not rely on any types of IP addresses to use the basic services.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ipv6-pd: Specifies the IPv6-PD address type. This type of IPv6 addresses are generated based on the DHCPv6 server-assigned prefix.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server.

A PPPoE user might request multiple services of different IP address types. By default, the device logs off a PPPoE user if the user does not obtain the types of IP addresses required by all services. This command enables the device to allow the user to come online if the user has obtained IP addresses of all the specified types for the basic services.

The device does not allow a PPPoE user to come online if the user does not obtain IP addresses of all the specified types for the basic services. For example, if you execute the basic-service-ip-type ipv6 command, the device does not allow a PPPoE user to come online if the user does not obtain an IPv6 address.

Examples

# In ISP domain test, specify PPPoE users to rely on IPv4 addresses to use the basic services.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] basic-service-ip-type ipv4

dhcpv6-follow-ipv6cp

Use dhcpv6-follow-ipv6cp to set the DHCPv6 request timeout timer for PPPoE users.

Use undo dhcpv6-follow-ipv6cp to restore the default.

Syntax

dhcpv6-follow-ipv6cp timeout delay-time

undo dhcpv6-follow-ipv6cp

Default

The DHCPv6 request timeout timer for PPPoE users is 60 seconds.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

timeout delay-time: Specifies the DHCPv6 request timeout timer, in the range of 30 to 120 seconds.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server.

After the device finishes IPv6CP negotiation with a PPPoE user, PPP instructs DHCPv6 to assign an IPv6 address to the user. The user cannot come online if the IP address assignment fails within the DHCPv6 request timeout timer and the user basic services rely on an IPv6 address.

As a best practice, increase the DHCPv6 request timeout timer in the following situations:

·     The network communication is unstable.

·     The ISP domain serves a large number of PPPoE users.

Examples

# In ISP domain test, set the DHCPv6 request timeout timer to 90 seconds for PPPoE users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90

Related commands

basic-service-ip-type

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

 

Domain: system

  State: Active

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out action: Offline

  Service type: HSI

  Session time: Exclude idle time

  DHCPv6-follow-IPv6CP timeout: 60 seconds

  Authorization attributes :

    Idle-cut: Disabled

    Session timeout: Disabled

    IGMP access number: 4

    MLD access number:  4

 

Domain: dm

  State: Active

  Login   authentication scheme:  RADIUS=rad

  Login   authorization  scheme:  HWTACACS=hw

  Super   authentication scheme:  RADIUS=rad

  PPP     accounting     scheme:  RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local

  Command authorization  scheme:  HWTACACS=hw

  LAN access authentication scheme:  RADIUS=r4

  Portal  authentication scheme:  LDAP=ldp

  Default authentication scheme:  LDAP=rad, Local, None

  Default authorization  scheme:  Local

  Default accounting     scheme:  None

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out action: Offline

  ITA service poilcy: ita1

  Service type: HSI

  Session time: Include idle time

  User basic service IP type: IPv4 IPv6 IPv6-PD

  DHCPv6-follow-IPv6CP timeout: 60 seconds

  Authorization attributes :

    Idle-cut : Enabled

      Idle timeout: 2 minutes

      Flow: 10240 bytes

    Session timeout: 34 minutes

    IP pool: appy

    User profile: test

    ACL number: 3000

    User group: ugg

    IPv6 prefix: 1::1/34

    IPv6 pool: ipv6pool

    Primary DNS server: 6.6.6.6

    Secondary DNS server: 3.6.2.3

    URL: http://portal

    IGMP access number: 12

    MLD access number: 35

 

Default domain name: system

Table 1 Command output

Field

Description

Domain

ISP domain name.

State

Status of the ISP domain.

Default authentication scheme

Default authentication method.

Default authorization scheme

Default authorization method.

Default accounting scheme

Default accounting method.

Accounting start failure action

Access control for users that encounter accounting-start failures:

·     OnlineAllows the users to stay online.

·     Offline—Logs off the users.

Accounting update failure max-times

Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.

Accounting update failure action

Access control for users that have failed all their accounting-update attempts:

·     OnlineAllows the users to stay online.

·     Offline—Logs off the users.

Accounting quota out action

Access control for users that have used up their data quotas:

·     OnlineAllows the users to stay online.

·     Offline—Logs off the users.

ITA service policy

ITA policy applied to the ISP domain.

Service type

Service type of the ISP domain, including HSI, STB, and VoIP.

Session time

Online duration sent to the server for users that went offline due to connection failure or malfunction:

·     Include idle time—The online duration includes the idle timeout period.

·     Exclude idle time—The online duration does not include the idle timeout period.

User basic service IP type

Types of IP addresses that PPPoE users rely on to use the basic services:

·     IPv4.

·     IPv6.

·     IPv6-PD.

DHCPv6-follow-IPv6CP timeout

DHCPv6 request timeout timer (in seconds) that starts after IPv6CP negotiation for PPPoE users.

Login authentication scheme

Authentication method for login users.

Login authorization scheme

Authorization method for login users.

Login accounting scheme

Accounting method for login users.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle-cut

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. It is the default idle cut state.

Idle timeout

Idle timeout period, in minutes.

Flow

Minimum traffic that a login user must generate in an idle timeout period, in bytes.

Session timeout

Session timeout timer for users, in minutes.

IP pool

Name of the IPv4 address pool authorized to users.

User profile

Name of the authorization user profile.

ACL number

Authorization ACL for users.

User group

Authorization user group for users.

IPv6 prefix

IPv6 address prefix authorized to users.

IPv6 pool

Name of the IPv6 address pool for users.

Primary DNS server

IP address of the primary DNS server for users.

Secondary DNS server

IP address of the secondary DNS server for users.

URL

Redirect URL for users.

IGMP max access number

Maximum number of IGMP groups that an IPv4 user can join concurrently.

MLD max access number

Maximum number of MLD groups that an IPv6 user can join concurrently.

RADIUS

RADIUS scheme.

HWTACACS

HWTACACS scheme.

LDAP

LDAP scheme.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Super authentication scheme

Authentication method for obtaining another user role without reconnecting to the device.

PPP authentication scheme

Authentication method for PPP users.

PPP authorization scheme

Authorization method for PPP users.

PPP accounting scheme

Accounting method for PPP users.

Command authorization scheme

Command line authorization method.

Command accounting scheme

Command line accounting method.

LAN access authentication scheme

Authentication method for LAN users.

LAN access authorization scheme

Authorization method for LAN users.

LAN access accounting scheme

Accounting method for LAN users.

Portal authentication scheme

Authentication method for portal users.

Portal authorization scheme

Authorization method for portal users.

Portal accounting scheme

Accounting method for portal users.

IKE authentication scheme

IKE extended authentication method.

IKE authorization scheme

Authorization method for IKE extended authentication.

 

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

·     display domain

·     domain default enable

·     domain if-unknown

·     state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default ISP domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

·     display domain

·     domain

domain if-unknown

Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-domain-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

The device chooses an authentication domain for each user in the following order:

1.     The authentication domain specified for the access module.

2.     The ISP domain in the username.

3.     The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

 

 

NOTE:

Support for the authentication domain configuration depends on the access module.

 

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

ita-policy

Use ita-policy to apply an ITA policy to users in an ISP domain.

Use undo ita-policy to restore the default.

Syntax

ita-policy policy-name

undo ita-policy

Default

No ITA policy is applied to users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an ITA policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The ITA policy assigned from a RADIUS server takes precedence over the ITA policy in an ISP domain. If an ISP domain user has been assigned an ITA policy from the RADIUS server, the ITA policy of the ISP domain does not take effect. The server-assigned ITA policy might not even exist on the device.

Examples

# Apply ITA policy ita1 to users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] ita-policy ita1

Related commands

ita policy

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN bindings exist.

Views

NAS-ID profile view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

aaa nas-id profile

service-type (ISP domain view)

Use service-type to specify the service type for users in an ISP domain.

Use undo service-type to restore the default.

Syntax

service-type { hsi | stb | voip }

undo service-type

Default

The service type is hsi for users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hsi: Specifies the High-Speed Internet (HSI) service.

stb: Specifies the Set Top Box (STB) service.

voip: Specifies the Voice over IP (VoIP) service.

Usage guidelines

You can configure only one service type for an ISP domain.

When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.

When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.

When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.

For 802.1X and PPP (non-PPPoE) users, the system uses the HSI service forcibly even if the STB or VoIP service is specified.

Examples

# Specify the STB service for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] service-type stb

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device excludes the idle timeout period from the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Whether to configure the device to include the idle timeout period in the user online duration sent to the server, depending on the network accounting policy. The idle timeout period is authorized by the server after users pass authentication. For portal users, the idle timeout period set by using the portal [ ipv6 ] user-detect command takes priority over the idle timeout period authorized by the server.

If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.

·     If the session-time include-idle-time command is used, the device adds the idle timeout period to the actual online duration. The online duration sent to the server is longer than the actual online duration of the user.

·     If the undo session-time include-idle-time command is used, the device excludes the idle timeout period from the actual online duration. The online duration sent to the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for the users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

By blocking an ISP domain, you disable users of the domain from requesting network services. The online users are not affected.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

user-address-type

Use user-address-type to specify the user address type in the ISP domain.

Use undo user-address-type to restore the default.

Syntax

user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }

undo user-address-type

Default

No user address type is specified for the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ds-lite: Specifies the DS-Lite address type.

ipv6: Specifies the IPv6 address type.

nat64: Specifies the NAT64 address type.

private-ds: Specifies the private-DS address type.

private-ipv4: Specifies the private IPv4 address type.

public-ds: Specifies the public-DS address type.

public-ipv4: Specifies the public IPv4 address type.

Usage guidelines

Any change to the user address type does not affect online users.

Examples

# Specify the private-DS address type for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] user-address-type private-ds

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 for the local user account named abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | primary-dns | secondary-dns | session-timeout | url | user-profile | user-role role-name | vlan | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. The device logs off an online user if the user's idle period exceeds the specified idle timeout period.

ip ipv4-address: Assigns a static IPv4 address to the user after it passes authentication.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6 ipv6-address: Assigns a static IPv6 address to the user after it passes authentication.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for the user. The value range for the prefix-length argument is 1 to 128.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for the user.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for the user.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for the user.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for the user.

session-timeout minutes: Sets the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.

url url-string: Specifies the URL to which the user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

·     For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, and user-profile.

·     For portal users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, session-timeout, and user-profile.

·     For LAN users, only the following authorization attributes take effect: acl, idle-cut, session-timeout, user-profile, and vlan.

·     For Telnet and terminal users, only the user-role and work-directory authorization attributes take effect.

·     For HTTP and HTTPS users, only the user-role authorization attribute takes effect.

·     For SSH and FTP users, only the user-role and work-directory authorization attributes take effect.

·     For IKE users, only the ip-pool authorization attribute takes effect.

·     For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after an IRF master/subordinate switchover, do not specify slot information for the working directory.

To make sure the user has only the user roles authorized by this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

·     When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

·     When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

·     display local-user

·     display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

Default

No binding attributes are configured for a local user.

Views

Local user view

Predefined user roles

network-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.

ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to LAN, portal, and PPP users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN, portal, and PPP users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN, portal, and PPP users.

Usage guidelines

To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.

Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packets. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the authentication packets. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

The binding interface type must meet the requirements of the local user. Configure the binding interface based on the service type of the user.

·     If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface through which the user accesses the device.

·     If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface through which the user accesses the device.

·     If the user is a portal user, specify the portal-enabled interface through which the user accesses the device. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.

Examples

# Bind IP address 3.3.3.3 with network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute ip 3.3.3.3

Related commands

display local-user

company

Use company to specify the company of a local guest.

Use undo company to restore the default.

Syntax

company company-name

undo company

Default

No company is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify company yyy for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] company yyy

description

Use description to configure a description for a network access user.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a network access user.

Views

Network access user view

Predefined user roles

network-admin

Parameters

text: Configures a description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure a description for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] description Manager of MSC company

# Configure a description for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] description Manager of MSC company

Related commands

display local-user

display local-guest waiting-approval

Use display local-guest waiting-approval to display pending registration requests for local guests.

Syntax

display local-guest waiting-approval [ user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name cannot be a, al, or all, and cannot contain the following items:

·     A domain name.

·     Any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

If you do not specify a guest, this command displays pending registration requests for all local guests.

Usage guidelines

On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approves the requests. The device then creates local guest accounts based on the approved requests.

Examples

# Display all pending registration requests for local guests.

<Sysname> display local-guest waiting-approval

Total 1 guest informations matched.

 

Guest user Smith:

  Full name  : Smith Li

  Company    : YYY

  Email      : Smith@yyy.com

  Phone      : 139189301033

  Description: The employee of YYY company

Table 2 Command output

Field

Description

Total 1 guest informations matched.

Number of local guests.

Full name

Full name of the local guest.

Company

Company name of the local guest.

Email

Email address of the local guest.

Phone

Phone number of the local guest.

Description

Description of the local guest.

 

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | ike | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

network: Network access user.

guest: Guest user account.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ike: IKE users that access the network through IKE extended authentication.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

portal: Portal users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters and does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Device management user root:

 State:                    Active

 Service type:             SSH/Telnet/Terminal

 User group:               system

 Bind attributes:

 Authorization attributes:

  Work directory:          cfa0:

  User role list:          network-admin

 Password control configurations:

  Password aging:          Enabled (3 days)

Network access user jj:

 State:                    Active

 Service type:             Lan-access

 User group:               system

 Bind attributes:

  IP address:              2.2.2.2

  Location bound:          GigabitEthernet1/0/1

  MAC address:             0001-0001-0001

  VLAN ID:                 2

  Calling number:          2:2

 Authorization attributes:

  Idle timeout:            33 minutes

  Work directory:          cfa0:

  ACL number:              2000

  User profile:            pp

  User role list:          network-operator, level-0, level-3

Network access guest user user1:

  State:                     Active

  Service type:              LAN access/Portal

  User group:                guest1

  Full name:                 Jack

  Company:                   cc

  Email:                     Jack@cc.com

  Phone:                     131129237

  Description:               A guest from company cc

  Sponsor full name:         Sam

  Sponsor department:        security

  Sponsor email:             Sam@aa.com

  Validity period:

    Start date and time:     2015/04/01-08:00:00

    Expiration date and time:2015/04/03-18:00:00

Total 3 local users matched.

Table 3 Command output

Field

Description

State

Status of the local user: active or blocked.

Service type

Service types that the local user can use, including FTP, HTTP, HTTPS, IKE, LAN access, portal, PPP, SSH, Telnet, and terminal.

User group

Group to which the local user belongs.

Bind attributes

Binding attributes of the local user.

IP address

IP address of the local user.

Location bound

Binding port of the local user.

MAC address

MAC address of the local user.

VLAN ID

Binding VLAN of the local user.

Calling number

Calling number of the ISDN user.

Authorization attributes

Authorization attributes of the local user.

Idle timeout

Idle timeout period of the user, in minutes.

Callback number

Authorized PPP callback number of the local user.

Work directory

Directory that the FTP, SFTP, or SCP user can access.

ACL number

Authorization ACL of the local user.

VLAN ID

Authorized VLAN of the local user.

User profile

Authorization user profile of the local user.

User role list

Authorized roles of the local user.

IP address

IPv4 address authorized to the local user.

IPv6 address

IPv6 address authorized to the local user.

IPv6 prefix

IPv6 address prefix authorized to the local user.

IPv6 pool

IPv6 address pool authorized to the local user.

Primary DNS server

IP address of the primary DNS server for the local user.

Secondary DNS server

IP address of the secondary DNS server for the local user.

URL

Redirect URL of the local user.

Password aging

This field appears only when password aging is enabled. The aging time is displayed in parentheses.

Password length

This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.

Password composition

This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:

·     Minimum number of character types that the password must contain.

·     Minimum number of characters from each type in the password.

Password complexity

This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:

·     Whether the password can contain the username or the reverse of the username.

·     Whether the password can contain any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user that failed to log in after using up all login attempts.

Full name

Name of the local guest.

Company

Company name of the local guest.

Email

Email address of the local guest.

Phone

Phone number of the local guest.

Description

Description of the local guest.

Sponsor full name

Name of the guest sponsor.

Sponsor department

Department of the guest sponsor.

Sponsor email

Email address of the guest sponsor.

Validity period

Validity period of the local guest.

Start date and time

Date and time from which the local guest begins to take effect.

Expiration date and time

Date and time at which the local guest expires.

 

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name [ byod-authorization ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

byod-authorization: Specifies BYOD authorization information. If you do not specify this keyword, the command does not display BYOD authorization information and only displays whether BYOD authorization attributes are configured.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

 

User group system:

  Authorization attributes:

    Work directory:          cfa0:

  BYOD authorization attributes: Not configured

User group jj:

  Authorization attributes:

    Idle timeout:            2 minutes

    Callback number:         2:2

    Work directory:          cfa0:/

    ACL number:              2000

    VLAN ID:                 2

  User profile:            pp

  BYOD authorization attributes: Not configured

  Password control configurations:

    Password aging:          Enabled (2 days)

Table 4 Command output

Field

Description

Authorization attributes

Authorization attributes of the user group.

BYOD authorization attributes

BYOD authorization attributes of the user group.

Idle timeout

Idle timeout period, in minutes.

Callback number

Authorized PPP callback number.

Work directory

Directory that FTP, SFTP, or SCP users in the group can access.

ACL number

Authorization ACL.

VLAN ID

Authorized VLAN.

User profile

Authorization user profile.

IPv6 prefix

IPv6 address prefix authorized to the user group.

IPv6 pool

IPv6 address pool authorized to the user group.

Primary DNS server

IP address of the primary DNS server authorized to the user group.

Secondary DNS server

IP address of the secondary DNS server authorized to the user group.

URL

Redirect URL for the user group.

Password control configurations

Password control attributes that are configured for the user group.

Password aging

This field appears only when password aging is enabled. The aging time is displayed in parentheses.

Password length

This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.

Password composition

This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:

·     Minimum number of character types that the password must contain.

·     Minimum number of characters from each type in the password.

Password complexity

This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:

·     Whether the password can contain the username or the reverse of the username.

·     Whether the password can contain any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user that failed to log in after using up all login attempts.

 

email

Use email to configure the email address of a local guest.

Use undo email to restore the default.

Syntax

email email-string

undo email

Default

No email address is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

The local guest uses the email address to receive notifications from the device.

Examples

# Configure the email address as abc@yyy.com for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] email abc@yyy.com

Related commands

display local-user

full-name

Use full-name to configure the name of a local guest.

Use undo full-name to restore the default.

Syntax

full-name name-string

undo full-name

Default

No name is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the name as abc Snow for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] full-name abc Snow

Related commands

display local-user

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-guest auto-delete enable

Use local-guest auto-delete enable to enable the guest auto-delete feature. This feature enables the device to automatically delete the local guest accounts when the accounts expire.

Use undo local-guest auto-delete enable to restore the default.

Syntax

local-guest auto-delete enable

undo local-guest auto-delete enable

Default

The guest auto-delete feature is disabled. The device does not automatically delete the local guest accounts when the accounts expire.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the guest auto-delete feature.

<Sysname> system-view

[Sysname] local-guest auto-delete enable

Related commands

validity-datetime

local-guest email format

Use local-guest email format to configure the subject and body for the email notifications of local guest information.

Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.

Syntax

local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }

undo local-guest email format to { guest | manager | sponsor } { body | subject }

Default

No subject or body is configured for the email notifications of local guest information.

Views

System view

Predefined user roles

network-admin

Parameters

to: Specifies the email recipient.

guest: Specifies the local guest.

manager: Specifies the guest manager.

sponsor: Specifies the guest sponsor.

body body-string: Configures the body contents, a case-sensitive string of 1 to 255 characters.

subject sub-string: Configures the email subject, a case-sensitive string of 1 to 127 characters.

Usage guidelines

Email notifications need to be sent to notify the local guests, guest sponsors, or guest managers of the guest account information or guest registration requests. Use this command to configure the subject and body for the email notifications to be sent by the device.

You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.

You must configure both the subject and body for each recipient.

Examples

# Configure the subject and body for the email notifications to send to the local guest.

<Sysname> system-view

[Sysname] local-guest email format to guest subject Guest account information

[Sysname] local-guest email format to guest body A guest account has been created for your use. The username, password, and valid dates for the account are given below.

Related commands

·     local-guest email sender

·     local-guest email smtp-server

·     local-guest manager-email

·     local-guest send-email

local-guest email sender

Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.

Use undo local-guest email sender to restore the default.

Syntax

local-guest email sender email-address

undo local-guest email sender

Default

No email sender address is configured for the email notifications of local guests sent by the device.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email sender address, a case-insensitive string of 1 to 255 characters.

Usage guidelines

If you do not specify an email sender address, the device cannot send email notifications.

The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the email sender address as abc@yyy.com for email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email sender abc@yyy.com

Related commands

·     local-guest email format

·     local-guest email smtp-server

·     local-guest manager-email

·     local-guest send-email

local-guest email smtp-server

Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests.

Use undo local-guest email smtp-server to restore the default.

Syntax

local-guest email smtp-server url-string

undo local-guest email smtp-server

Default

No SMTP server is specified to send email notifications of local guests.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the path of the SMTP server, a case-insensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and starts with smtp://.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the SMTP server at smtp://www.test.com/smtp to send email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email smtp-server smtp://www.test.com/smtp

Related commands

·     local-guest email format

·     local-guest email sender

·     local-guest manager-email

·     local-guest send-email

local-guest generate

Use local-guest generate to create local guests in batch.

Syntax

local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time

Views

System view

Predefined user roles

network-admin

Parameters

username-prefix name-prefix: Specifies the name prefix, a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device randomly generates passwords for the local guests.

suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.

group group-name: Specifies a user group by the name. The user group name is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group named system.

count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.

validity-datetime: Specifies the validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

Account names of batch created local guests start with the same string specified by the name prefix, and end with a different number as the suffix. The system increases the start suffix number by 1 for each new local guest created in the batch.

The device generates plaintext passwords by using the password prefix and suffix number in the same way it batch creates the local guest names.

Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.

If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.

Examples

# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The validity period is 2016/06/01 00:00:00 to 2010/06/02 12:00:00.

<Sysname> system-view

[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2016/06/01 00:00:00 to 2016/06/02 12:00:00

Related commands

·     display local-user

·     local-user

local-guest manager-email

Use local-guest manager-email to configure the email address of the guest manager.

Use undo local-guest manager-email to restore the default.

Syntax

local-guest manager-email email-address

undo local-guest manager-email

Default

No email address is configured for the guest manager.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email address, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

Use this command to specify the email address to which the device sends the local guest registration requests for approval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the email address of the guest manager as xyz@yyy.com.

<Sysname> system-view

[Sysname] local-guest manager-email xyz@yyy.com

Related commands

·     local-guest email format

·     local-guest email sender

·     local-guest email smtp-server

·     local-guest send-email

local-guest send-email

Use local-guest send-email to send emails to a local guest or guest sponsor.

Syntax

local-guest send-email user-name user-name to { guest | sponsor }

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

·     Cannot be a, al, or all.

·     Cannot contain a domain name.

·     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

to: Specifies the email recipient.

guest: Specifies the local guest.

sponsor: Specifies the guest sponsor.

Usage guidelines

Guest managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.

Examples

# Send an email to notify local guest abc of the guest password and validity period information.

<Sysname> system-view

[Sysname] local-guest send-email user-name abc to guest

local-guest timer

Use local-guest timer to set the waiting-approval timeout timer for local guests.

Syntax

local-guest timer waiting-approval time-value

undo local-guest timer waiting-approval

Default

The setting is 24 hours.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the waiting-approval timeout timer in the range of 1 to 720, in hours.

Usage guidelines

The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved within the timer, the device deletes the registration request.

Examples

# Set the waiting-approval timeout timer to 12 hours.

<Sysname> system-view

[Sysname] local-guest timer waiting-approval 12

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class { manage | network [ guest ] } ]

undo local-user { user-name class { manage | network } | all [ service-type { ftp | http | https | ike | lan-access | portal | ppp | ssh | telnet | terminal } | class { manage | network [ guest ] } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

·     Cannot contain a domain name.

·     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

·     Cannot be a, al, or all.

class: Specifies the local user type.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

network: Network access user that accesses network resources through the device. Except guests, network access users can use IKE, LAN access, portal, and PPP services.

guest: Guest that can access network resources through the device during the validity period. Guests can use LAN and portal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ike: IKE users that access the network through IKE extended authentication.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

portal: Portal users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Usage guidelines

If you do not specify the class { manage | network } option, this command adds a device management user.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2 and enter local user view.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

# Add a local guest named user3 and enter local guest view.

<Sysname> system-view

[Sysname] local-user user3 class network guest

[Sysname-luser-network(guest)-user3]

Related commands

·     display local-user

·     service-type (local user view)

local-user-export class network guest

Use local-user-export class network guest to export local guest account information to a .csv file in the specified path.

Syntax

local-user-export class network guest url url-string

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can import the user account information back to the device or to other devices that support the local-user-import class network guest command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import class network guest."

The device supports TFTP and FTP file transfer modes. Table 5 describes the valid URL formats of the .csv file.

Table 5 URL formats

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

·     With FTP user name and password:
ftp://username:password@server/path/filename

·     Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

 

Examples

# Export local guest account information to file guest.csv in path ftp://1.1.1.1/user/.

<Sysname> system-view

[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv

Related commands

·     display local-user

·     local-user-import class network guest

local-user-import class network guest

Use local-user-import class network guest to import local guest account information from a .csv file in the specified path to the device and create local guests based on the imported information.

Syntax

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the source file path, a case-insensitive string of 1 to 255 characters.

validity-datetime: Specifies the guest validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups of the guests do not exist on the device. The local guests are automatically assigned to the created groups. If you do not specify this keyword, the device adds all imported local guests with nonexistent groups to the system-defined user group named system.

override: Enables the device to override the existing account with the same name as a guest account to be imported. If you do not specify this keyword, the command retains the existing account and does not import the local guest with the same name.

start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.

Usage guidelines

The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:

·     Username—User name of the guest account. The user name is required for each account, and it must meet the following requirements:

¡     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

¡     Cannot be a, al, or all.

An invalid name results in account import failure and interruption.

·     Password—Password of the guest account. If the password is empty, the device generates a random password for the guest.

·     User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group system.

·     Guest full name—Name of the guest.

·     Guest company—Company of the guest.

·     Guest email—Email address of the guest.

·     Guest phone—Phone number of the guest.

·     Description—Description of the guest.

·     Sponsor full name—Name of the guest sponsor.

·     Sponsor department—Department of the guest sponsor.

·     Sponsor email—Email address of the guest sponsor.

Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,

Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com

The device supports TFTP and FTP file transfer modes. Table 6 describes the valid URL formats of the .csv file.

Table 6 URL formats

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

·     With FTP user name and password:
ftp://username:password@server/path/filename

·     Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

 

Examples

# Import guest account information from file ftp://1.1.1.1/user/guest.csv, and specify the guest validity period.

<Sysname> system-view

[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2014/10/01 00:00:00 to 2014/10/02 12:00:00

Related commands

·     display local-user

·     local-user-export class network guest

password

Use password to configure a password for a local user.

Use undo password to restore the default.

Syntax

password [ { cipher | hash | simple } string ]

undo password

Default

No password is configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.

Views

Local user view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. This argument is case sensitive.

·     The plaintext form of the password is a string of 1 to 63 characters.

·     The hashed form of the password is a string of 1 to 110 characters.

·     The encrypted form of the password is a string of 1 to 117 characters.

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password. Only device management users support passwords configured in interactive mode.

A non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user.

Examples

# Set the password of device management user user1 to 123456TESTplat&! in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Set the password of device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

# Set the password of network access user user2 to 123456TESTuser&! in plain text.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2] password simple 123456TESTuser&!

Related commands

display local-user

phone

Use phone to specify the phone number of a local guest.

Use undo phone to restore the default.

Syntax

phone phone-number

undo phone

Default

No phone number is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-).

Examples

# Specify the phone number as 138-137239201 for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] phone 138-137239201

reset local-guest waiting-approval

Use reset local-guest waiting-approval to clear pending registration requests for local guests.

Syntax

reset local-guest waiting-approval [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name cannot contain a domain name. If you do not specify a guest, this command clears information about all registration requests for local guests.

Examples

# Clear information about all registration requests for local guests.

<Sysname> reset local-guest waiting-approval

Related commands

display local-guest waiting-approval

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | ike | lan-access | { http | https | ssh | telnet | terminal } * | portal | ppp }

undo service-type { ftp | ike | lan-access | { http | https | ssh | telnet | terminal } * | portal | ppp }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ike: Authorizes the user to use the IKE extended authentication service.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console.

portal: Authorizes the user to use the Portal service.

ppp: Authorizes the user to use the PPP service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

sponsor-department

Use sponsor-department to specify the department of the guest sponsor for a local guest.

Use undo sponsor-department to restore the default.

Syntax

sponsor-department department-string

undo sponsor-department

Default

No department is specified for the guest sponsor of a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.

Examples

# Specify the department as test for the sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-department test

sponsor-email

Use sponsor-email to specify the email address of the guest sponsor for a local guest.

Use undo sponsor-email to restore the default.

Syntax

sponsor-email email-string

undo sponsor-email

Default

No email address is specified for the guest sponsor.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.

Examples

# Specify the email address as Sam@a.com for the sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com

sponsor-full-name

Use sponsor-full-name to specify the sponsor name for a local guest.

Use undo sponsor-full-name to restore the default.

Syntax

sponsor-full-name name-string

undo sponsor-full-name

Default

No sponsor name is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the sponsor name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify the sponsor name as Sam Li for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

validity-datetime

Use validity-datetime to specify the validity period for a local guest.

Use undo validity-datetime to restore the default.

Syntax

validity-datetime start-date start-time to expiration-date expiration-time

undo validity-datetime

Default

A local guest does not expire.

Views

Local guest view

Predefined user roles

network-admin

Parameters

start-date: Specifies the date on which the local guest becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time when the local guest becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the local guest.

expiration-date: Specifies the date on which the local guest expires. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the time when the local guest expires. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

The expiration date and time must be later than the start date and time.

Expired local guest accounts cannot be used for authentication.

Examples

# Specify the validity period for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] validity-datetime 2014/10/01 00:00:00 to 2014/10/02 12:00:00

Related commands

display local-user

Local BYOD authorization commands

byod authorization

Use byod authorization to configure authorization attributes for a type of BYOD endpoints in a user group.

Use undo byod authorization to delete the authorization attributes for a type of BYOD endpoints in a user group.

Syntax

byod authorization device-type type-name { acl acl-number | callback-number callback-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | vlan vlan-id } *

undo byod authorization device-type type-name { acl | callback-number | idle-cut | ip-pool | ipv6-pool | ipv6-prefix | primary-dns | secondary-dns | session-timeout | url | user-profile | vlan } *

Default

No authorization attributes are configured for any type of BYOD endpoints in a user group.

Views

User group view

Predefined user roles

network-admin

Parameters

device-type type-name: Specifies an endpoint type. The type-name argument is a case-insensitive string of 1 to 127 characters. If the type name contains spaces, you must enclose the type name into a pair of quotation marks (for example, "Chrome OS").

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.

idle-cut minutes: Sets an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. The device logs off an online user if the user's idle period exceeds the specified idle timeout period.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. After passing authentication, a local user can obtain an IP address from the pool.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. After passing authentication, a local user can obtain an IP address from the pool.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix. The value range for the prefix-length argument is 1 to 128. After passing authentication, a local user can use the IPv6 address prefix.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users.

session-timeout minutes: Sets the session timeout timer in minutes. The value range for the minutes argument is 1 to 1440. The device logs off a user after the user's session timeout timer expires.

url url-string: Specifies the URL to which a user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters.

user-profile profile-name: Specifies an authorization user profile by the name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

·     For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, and user-profile.

·     For portal users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, session-timeout, and user-profile.

·     For LAN users, only the following authorization attributes take effect: acl, session-timeout, user-profile, and vlan.

·     For other types of local users, no authorization attribute takes effect.

For a user, an endpoint type-specific authorization attribute takes precedence over the same common authorization attribute specified for the user. A common authorization attribute specified for the user takes precedence over the same common authorization attribute specified for the user group to which the user belongs. To specify common authorization attributes, use the authorization-attribute command.

Examples

# Specify VLAN 3 as the authorization VLAN for endpoints of the iPhone 6 type in user group abc.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] byod authorization device-type iphone6 vlan 3

Related commands

·     display byod rule

·     display local-user

·     display user-group

byod rule

Use byod rule to configure a BYOD endpoint identification rule.

Use undo byod rule to delete a BYOD endpoint identification rule.

Syntax

byod rule { dhcp-option option-string | http-user-agent agent-string | mac-address mac-address mask mac-mask } device-type type-name

undo byod rule { dhcp-option option-string | http-user-agent agent-string | mac-address mac-address mask mac-mask }

Default

Predefined BYOD endpoint identification rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

dhcp-option option-string: Specifies the DHCP Option 55 fingerprint. The option-string argument is a case-insensitive string of 1 to 255 characters. If the fingerprint contains spaces, you must enclose the fingerprint into a pair of quotation marks (for example, "Microsoft Windows 8").

http-user-agent agent-string: Specifies the HTTP user agent fingerprint. The agent-string argument is a case-insensitive string of 1 to 255 characters. If the fingerprint contains spaces, you must enclose the fingerprint into a pair of quotation marks (for example, "Apple iPod").

mac-address mac-address: Specifies the MAC address of an endpoint, in the H-H-H format. The address cannot be a multicast MAC address or an all-zero MAC address. You can omit the leading zeros in each section. For example, enter f-e2-1 to indicate 000f-00e2-0001.

mask mac-mask: Specifies the MAC address mask in the H-H-H format.

device-type type-name: Specifies an endpoint type, a case-insensitive string of 1 to 127 characters. If the type name contains spaces, you must enclose the type name into a pair of quotation marks (for example, "Chrome OS").

Usage guidelines

A BYOD endpoint identification rule defines the mapping between an endpoint type and a fingerprint string. The device obtains fingerprint information from the authentication request of an endpoint, and matches the fingerprint with the rules for the associated endpoint type.

A fingerprint string can match only one endpoint type. However, an endpoint type can be associated with multiple fingerprint strings. You can use the byod rule-order command to specify the fingerprint types supported by the device and their match priority order.

Examples

# Specify a rule to identify BYOD endpoints containing DHCP Option 55 fingerprint di2ns0ns as the iPhone 6 type.

<Sysname> system-view

[Sysname] byod rule dhcp-option di2ns0ns device-type iphone6

Related commands

·     byod authorization

·     display byod rule

byod rule-order

Use byod rule-order to specify the types of BYOD endpoint identification rules supported by the device and their priority order.

Use undo byod rule-order to restore the default.

Syntax

byod rule-order { dhcp-option | http-user-agent | mac-address } *

undo byod rule-order

Default

The device uses the following types of BYOD endpoint identification rules to identify an endpoint type and their match priority order is as follows:

1.     DHCP Option 55-based rules.

2.     HTTP user agent-based rules.

3.     MAC address-based rules.

Views

System view

Predefined user roles

network-admin

Parameters

dhcp-option: Specifies the DHCP Option 55-based rules.

http-user-agent: Specifies the HTTP user agent-based rules.

mac-address: Specifies the MAC address-based rules.

Usage guidelines

The type of BYOD endpoint identification rules not specified by this command will not be used for endpoint identification.

The order of the keywords determines the priority order of the BYOD endpoint identification rule types. For example, if you configure the byod rule-order mac-address http-user-agent command, the device only uses the MAC address-based and HTTP user agent-based rules to identify an endpoint type. The MAC address-based rules take precedence over the HTTP user agent-based rules.

Examples

# Specify the priority order of BYOD endpoint identification rules as MAC address-based rules, HTTP user agent-based rules, and DHCP Option 55-based rules.

<Sysname> system-view

[Sysname] byod rule-order mac-address http-user-agent dhcp-option

Related commands

byod rule

display byod rule

Use display byod rule to display BYOD endpoint identification rules.

Syntax

display byod rule { dhcp-option [ option-string ] | http-user-agent [ agent-string ] | mac-address [ mac-address ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dhcp-option: Specifies identification rules based on DHCP Option 55 fingerprints.

option-string: Specifies a DHCP Option 55 fingerprint, a case-insensitive string of 1 to 255 characters. If you do not specify this argument, this command displays all identification rules based on DHCP Option 55 fingerprints.

http-user-agent: Specifies identification rules based on HTTP user agent fingerprints.

agent-string: Specifies an HTTP user agent fingerprint, a case-insensitive string of 1 to 255 characters. If you do not specify this argument, this command displays all identification rules based on HTTP user agent fingerprints.

mac-address: Specifies identification rules based on MAC addresses.

mac-address: Specifies the MAC address of an endpoint, in the H-H-H format. The address cannot be a multicast MAC address or an all-zero MAC address. You can omit the leading zeros in each section. For example, enter f-e2-1 to indicate 000f-00e2-0001. If you do not specify this argument, this command displays all identification rules based on MAC addresses.

Examples

# Display all identification rules based on DHCP Option 55 fingerprints.

<Sysname> display byod rule dhcp-option

Total 3 DHCP option rules matched.

 

  DHCP option: 1

  Device type: Defy

 

  DHCP option: 1,

  Device type: Galaxy Ace2 X

 

  DHCP option: 1,121,33,3,6,12,15,26,28,51,54,58,59,119,252

  Device type: Chrome OS

# Display all identification rules based on HTTP user agent fingerprints.

<Sysname> display byod rule http-user-agent

Total 2 HTTP user agent rules matched.

 

  HTTP user agent: ##_MAX 4G 5.0 _T-Mobile_4.2.2_android_en_5.0.4428_DID999

  Device type: Generic Android

 

  HTTP user agent: ##_SM-G900V_Network Extender_4.4.4_android_en_5.0.4402_VZW007

  Device type: Generic Android

# Display all identification rules based on MAC addresses.

<Sysname> display byod rule mac-address

Total 2 MAC rules matched.

 

  MAC address: 0000-4600-0000             MAC mask: ffff-ff00-0000

  Device type: OnePlus One

 

  MAC address: 0001-3600-0000             MAC mask: ffff-ff00-0000

  Device type: Generic Android

Table 7 Command output

Field

Description

Total n DHCP option rules matched.

Number of DHCP Option 55-based BYOD endpoint identification rules.

Total n HTTP user agent rules matched.

Number of HTTP user agent-based BYOD endpoint identification rules.

Total n MAC rules matched.

Number of MAC address-based BYOD endpoint identification rules.

DHCP option

DHCP Option 55 fingerprint.

HTTP user agent

HTTP user agent fingerprint.

MAC mask

MAC address mask.

Device type

BYOD endpoint type.

 

display byod rule-order

Use display byod rule-order to display BYOD endpoint identification rule types supported by the device and their priority order.

Syntax

display byod rule-order

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display BYOD endpoint identification rule types supported by the device and their priority order.

<Sysname> display byod rule-order

 BYOD rule matching order: mac-address http-user-agent dhcp-option

Related commands

byod rule-order

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to restore the default.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# In RADIUS scheme radius1, enable the accounting-on feature, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

accounting-on extended

Use accounting-on extended to enable the extended accounting-on feature.

Use undo accounting-on extended to disable the extended accounting-on feature.

Syntax

accounting-on extended

undo accounting-on extended

Default

The extended accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Usage guidelines

The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture. For the extended accounting-on feature to take effect, the RADIUS server must run on IMC and the accounting-on feature must be enabled.

The extended accounting-on feature is applicable to LAN and PPP users. The user data is saved to the member devices through which the users access the IRF fabric.

When the extended accounting-on feature is enabled, the IRF fabric automatically sends an accounting-on packet to the RADIUS server after a member device reboot (IRF fabric not reboot). The packet contains the member device identifier. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the IRF fabric through the member device.

The IRF fabric uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.

Execute the save command to ensure that the accounting-on extended command takes effect at the next member device reboot. For information about the save command, see Fundamentals Command Reference.

Examples

# Enable the extended accounting-on feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on extended

Related commands

·     accounting-on enable

·     display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to configure the device to not interpret the RADIUS class attribute as CAR parameters.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the MAC address format for RADIUS attribute 31.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { six | three } separator separator-character { lowercase | uppercase }

undo attribute 31 mac-format

Default

A MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the MAC address format for RADIUS attribute 31 to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute remanent-volume

Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.

Use undo attribute remanent-volume to restore the default.

Syntax

attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }

undo attribute remanent-volume unit

Default

The data measurement unit is kilobyte for the Remanent_Volume attribute.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Parameters

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

Usage guidelines

Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.

Examples

# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte

Related commands

display radius scheme

client

Use client to specify a RADIUS DAC.

Use undo client to remove a RADIUS DAC.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string ] *

undo client { ip ipv4-address | ipv6 ipv6-address }

Default

No RADIUS DACs are specified.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a DAC by its IPv4 address.

ipv6 ipv6-address: Specifies a DAC by its IPv6 address.

key: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

With the RADIUS DAS feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DACs. The device processes the requests and sends DAE responses to the DACs.

The device discards any DAE packets sent from DACs that are not specified for the DAS.

You can execute the client command multiple times to specify multiple DACs for the DAS.

Examples

# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456

Related commands

·     radius dynamic-author server

·     port

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display RADIUS scheme configuration.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS scheme name  : radius1

  Index : 0

  Primary authentication server:

    IP   : 2.2.2.2                                  Port: 1812

    State: Active

    Test profile: 132

      Probe username: test

      Probe interval: 60 minutes

  Primary accounting server:

    IP : 1.1.1.1                                    Port: 1813

    State: Active

  Second authentication server:

    IP : 3.3.3.3                                    Port: 1812

    State: Block

    Test profile: Not configured

  Second accounting server:

    IP : 3.3.3.3                                    Port: 1813

    State: Block (Mandatory)

  Accounting-On function                     : Enabled

    extended function                        : Enabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 22

  NAS IP Address                             : 1.1.1.1

  User Name Format                           : with-domain

  Data flow unit                             : Megabyte

  Packet unit                                : One

  Attribute 15 check-mode                    : Strict

  Attribute 25                               : CAR

  Attribute Remanent-Volume unit             : Mega

  Attribute 31 MAC format                    : hh:hh:hh:hh:hh:hh

------------------------------------------------------------------

Table 8 Command output

Field

Description

Index

Index number of the RADIUS scheme.

Primary authentication server

Information about the primary authentication server.

Primary accounting server

Information about the primary accounting server.

Second authentication server

Information about the secondary authentication server.

Second accounting server

Information about the secondary accounting server.

IP

IP address of the server. If no server is configured, this field displays Not configured.

Port

Service port number of the server. If no port number is specified, this field displays the default port number.

State

Status of the server:

·     Active—The server is in active state.

·     Block—The server is changed to blocked state automatically.

·     Block (Mandatory)—The server is set to blocked state manually.

Test profile

Test profile used for RADIUS server status detection.

Probe username

Username used for RADIUS server status detection.

Probe interval

Server status detection interval, in minutes.

Accounting-On function

Whether the accounting-on feature is enabled.

extended function

Whether the extended accounting-on feature is enabled.

retransmission times

Number of accounting-on packet transmission attempts.

retransmission interval(seconds)

Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds)

RADIUS server response timeout period, in seconds.

Retransmission times

Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update

Maximum number of accounting attempts.

Server Quiet Period(minutes)

Quiet period for the servers, in minutes.

Realtime Accounting Interval(minutes)

Interval for sending real-time accounting updates, in minutes.

NAS IP Address

Source IP address for outgoing RADIUS packets.

User Name Format

Format for the usernames sent to the RADIUS servers of the RADIUS scheme:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards a username as the username is entered.

Data flow unit

Measurement unit for data flows.

Packet unit

Measurement unit for packets.

Attribute 15 check-mode

RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:

·     StrictMatches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

Attribute 25

RADIUS attribute 25 interpretation status:

·     Standard—The attribute is not interpreted as CAR parameters.

·     CAR—The attribute is interpreted as CAR parameters.

Attribute Remanent-Volume unit

Data measurement unit for the RADIUS Remanent_Volume attribute.

Attribute 31 MAC format

MAC address format for RADIUS attribute 31.

 

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.

          Request Packet:          0             0             0

            Retry Packet:          0             0             -

          Timeout Packet:          0             0             -

        Access Challenge:          0             -             -

           Account Start:          -             0             -

          Account Update:          -             0             -

            Account Stop:          -             0             -

       Terminate Request:          -             -             0

              Set Policy:          -             -             0

    Packet With Response:          0             0             0

 Packet Without Response:          0             0             -

          Access Rejects:          0             -             -

          Dropped Packet:          0             0             0

          Check Failures:          0             0             0

Table 9 Command output

Field

Description

Auth.

Authentication packets.

Acct.

Accounting packets.

SessCtrl.

Session-control packets.

Request Packet

Number of request packets.

Retry Packet

Number of retransmitted request packets.

Timeout Packet

Number of request packets timed out.

Access Challenge

Number of access challenge packets.

Account Start

Number of start-accounting packets.

Account Update

Number of accounting update packets.

Account Stop

Number of stop-accounting packets.

Terminate Request

Number of packets for logging off users forcibly.

Set Policy

Number of packets for updating user authorization information.

Packet With Response

Number of packets for which responses were received.

Packet Without Response

Number of packets for which no responses were received.

Access Rejects

Number of Access-Reject packets.

Dropped Packet

Number of discarded packets.

Check Failures

Number of packets with checksum errors.

 

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS authentication or accounting communication.

Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured for secure RADIUS authentication or accounting communication.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure RADIUS accounting communication.

authentication: Specifies the shared key for secure RADIUS authentication communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

Examples

# In RADIUS scheme radius1, set the shared key to ok in plaintext form for secure accounting communication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the primary IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

If you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

A RADIUS scheme can have only one source IPv4 address and one source IPv6 address for outgoing RADIUS packets.

Examples

# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the source IP address for outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

·     display radius scheme

·     radius nas-ip

port

Use port to specify the RADIUS DAS port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAS port number is 3799.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.

Examples

# Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

·     client

·     radius dynamic-author server

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the primary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests. The device can generate incorrect accounting results.

Examples

# In RADIUS scheme radius1, specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     secondary accounting (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name ] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the primary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument specifies the test profile name, which is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Make sure the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

When you specify a test profile for the primary authentication server, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# In RADIUS scheme radius1, specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     radius-server test-profile

·     secondary authentication (RADIUS scheme view)

radius dscp

Use radius dscp to change the DSCP priority of RADIUS packets.

Use undo radius dscp to restore the default.

Syntax

radius [ ipv6 ] dscp dscp-value

undo radius [ ipv6 ] dscp

Default

The DSCP priority of RADIUS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 RADIUS packets. If you do not specify this keyword, the command sets the DSCP priority for the IPv4 RADIUS packets.

dscp-value: Specifies the DSCP priority of RADIUS packets, in the range of 0 to 63. A larger value represents a higher priority.

Usage guidelines

Use this command to set the DSCP priority in the ToS field of RADIUS packets for changing their transmission priority.

Examples

# Set the DSCP priority of IPv4 RADIUS packets to 10.

<Sysname> system-view

[Sysname] radius dscp 10

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAS feature and enter RADIUS DAS view.

Use undo radius dynamic-author server to restore the default.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAS feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After the RADIUS DAS feature is enabled, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs.

Examples

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

·     client

·     port

radius nas-ip

Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address }

undo radius nas-ip { ipv4-address | ipv6 ipv6-address }

Default

The source IP address of an outgoing RADIUS packet is the primary IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

If you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses, including:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Examples

# Specify IP address 129.10.10.1 as the source address for outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control client

Use radius session-control client to specify a RADIUS session-control client.

Use undo radius session-control client to remove the specified RADIUS session-control clients.

Syntax

radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string ] *

undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } }

Default

No RADIUS session-control clients are specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a session-control client by its IPv4 address.

ipv6 ipv6-address: Specifies a session-control client by its IPv6 address.

key: Specifies the shared key for secure communication with the session-control client.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

all: Specifies all session-control clients.

Usage guidelines

To verify the session-control packets sent from a RADIUS server running on IMC, specify the RADIUS server as a session-control client to the device. The IP address and shared key settings of the session-control client must be the same as the corresponding settings of the RADIUS server.

You can specify multiple session-control clients on the device.

The device matches a session-control packet to a session-control client based on the IP address setting, and then uses the shared key of the matched client to validate the packet.

The device searches the session-control client settings prior to searching all RADIUS scheme settings for a server with matching IP address setting. This process narrows the search scope for finding the matched RADIUS server.

The session-control client settings take effect only when the RADIUS session-control feature is enabled.

Examples

# Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form.

<Sysname> system-view

[Sysname] radius session-control client ip 10.110.1.2 key simple 12345

Related commands

radius session-control enable

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to disable the RADIUS session-control feature.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An H3C IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812.

This feature must work with H3C IMC servers.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ interval interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

You can specify the same test profile for multiple RADIUS servers.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection. The detection packet uses admin as the username and is sent every 10 minutes.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin interval 10

Related commands

·     primary authentication (RADIUS scheme view)

·     secondary authentication (RADIUS scheme view)

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retries

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

·     If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

·     If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the value multiplied by the following items cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS authentication servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the maximum number of RADIUS packet transmission attempts to 5.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

·     radius scheme

·     timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retries

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user.

To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, the following conditions exist:

·     The RADIUS server response timeout period is 3 seconds (set by using the timer response-timeout command).

·     The maximum number of RADIUS packet transmission attempts is 3 (set by using the retry command).

·     The real-time accounting interval is 12 minutes (set by using the timer realtime-accounting command).

·     The maximum number of accounting attempts is 5 (set by using the retry realtime-accounting command).

In the above case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.

Examples

# In RADIUS scheme radius1, set the maximum number of accounting attempts to 10.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

·     retry

·     timer realtime-accounting (RADIUS scheme view)

·     timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ]

Default

No secondary RADIUS accounting servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# In RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     primary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ]

Default

No secondary RADIUS authentication servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument represents the test profile name, which is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

When you specify a test profile for secondary authentication servers, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# In RADIUS scheme radius2, specify two secondary authentication servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     primary authentication (RADIUS scheme view)

·     radius-server test-profile

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All RADIUS SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

accounting-server-down: Specifies notifications to be sent when the RADIUS accounting server becomes unreachable.

accounting-server-up: Specifies notifications to be sent when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Specifies notifications to be sent when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Specifies notifications to be sent when the RADIUS authentication server becomes unreachable.

authentication-server-up: Specifies notifications to be sent when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS:

·     RADIUS server unreachable notificationThe RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

·     RADIUS server reachable notificationThe RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—RADIUS generates this notification when the number of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the device to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the primary RADIUS accounting server.

authentication: Specifies the primary RADIUS authentication server.

active: Specifies the active state.

block: Specifies the blocked state.

Usage guidelines

During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of the primary authentication server to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

·     display radius scheme

·     radius-server test-profile

·     state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ] { active | block }

Default

A secondary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies a secondary RADIUS accounting server.

authentication: Specifies a secondary RADIUS authentication server.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

active: Specifies the active state.

block: Specifies the blocked state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of all the secondary authentication servers to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

·     display radius scheme

·     radius-server test-profile

·     state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

·     A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

·     A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

Examples

# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval [ second ]

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval: Specifies the real-time accounting interval in the range of 0 to 71582.

second: Specifies the measurement unit as second. If you do not specify this keyword, the real-time accounting interval is measured in minutes.

Usage guidelines

When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval helps improve accounting precision but requires many system resources.

Table 10 Recommended real-time accounting intervals

Number of users

Real-time accounting interval

1 to 99

3 minutes

100 to 499

6 minutes

500 to 999

12 minutes

1000 or more

15 minutes or longer

 

Examples

# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the value multiplied by the following items cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS authentication servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

·     display radius scheme

·     retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of usernames to be sent to the RADIUS servers of a RADIUS scheme.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to the RADIUS servers of a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the usernames to the RADIUS servers as the usernames are entered.

with-domain: Includes the ISP domain name in the usernames sent to the RADIUS servers.

without-domain: Excludes the ISP domain name from the usernames sent to the RADIUS servers.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the usernames are sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.

For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect. The device does not change the usernames from clients before forwarding them to the RADIUS server.

If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users might fail.

Examples

# In RADIUS scheme radius1, configure the device to remove the domain name from the usernames sent to the RADIUS servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.

Examples

# Displays the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 TACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name  : hwtac

  Index : 0

  Primary Auth Server:

    IP  : 2.2.2.2         Port: 49     State: Active

    Single-connection: Enabled

  Primary Author Server:

    IP  : 2.2.2.2         Port: 49     State: Active

    Single-connection: Disabled

  Primary Acct Server:

    IP  : Not Configured  Port: 49     State: Block

    Single-connection: Disabled

 

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

  Data flow unit                        : Byte

  Packet unit                           : One

------------------------------------------------------------------

Table 11 Command output

Field

Description

Index

Index number of the HWTACACS scheme.

Primary Auth Server

Primary HWTACACS authentication server.

Primary Author Server

Primary HWTACACS authorization server.

Primary Acct Server

Primary HWTACACS accounting server.

Secondary Auth Server

Secondary HWTACACS authentication server.

Secondary Author Server

Secondary HWTACACS authorization server.

Secondary Acct Server

Secondary HWTACACS accounting server.

IP

IP address of the HWTACACS server. If no server is configured, this field displays Not configured.

Port

Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.

Single-connection

Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

State

Status of the HWTACACS server: active or blocked.

NAS IP Address

Source IP address for outgoing HWTACACS packets.

Server Quiet Period(minutes)

Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes)

Real-time accounting interval, in minutes.

Response Timeout Interval(seconds)

HWTACACS server response timeout period, in seconds.

Username Format

Format for the usernames sent to the HWTACACS servers of the HWTACACS scheme:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards a username as the username is entered.

Data flow unit

Measurement unit for data flows.

Packet unit

Measurement unit for packets.

 

Related commands

reset hwtacacs statistics

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address }

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address }

Default

The source IP address of an HWTACACS packet sent to the server is the primary IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses, including:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Examples

# Specify IP address 129.10.10.1 as the source IP address for outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter its view, or enter the view of an existing HWTACACS scheme.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured for secure HWTACACS authentication, authorization, or accounting communication.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure HWTACACS accounting communication.

authentication: Specifies the shared key for secure HWTACACS authentication communication.

authorization: Specifies the shared key for secure HWTACACS authorization communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

Examples

# In HWTACACS scheme hwt1, set the shared key to 123456TESTauth&! in plaintext form for secure HWTACACS authentication communication.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the primary IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify only one source IPv4 address and one source IPv6 address for an HWTACACS scheme.

Examples

# In HWTACACS scheme hwt1, specify IP address 10.1.1.1 as the source address for outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary accounting (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary authentication (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to restore the default.

Syntax

primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary authorization

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ]

Default

No secondary HWTACACS accounting servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary accounting (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number ]* ]

Default

No secondary HWTACACS authentication servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary authentication (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number ]* ]

Default

No secondary HWTACACS authorization servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary authorization

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Table 12 Recommended real-time accounting intervals

Number of users

Real-time accounting interval

1 to 99

3 minutes

100 to 499

6 minutes

500 to 999

12 minutes

1000 or more

15 minutes or longer

 

Examples

# In HWTACACS scheme hwt1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS authentication servers in the scheme. Any violation will result in user logoffs before the authentication process is complete.

Examples

# In HWTACACS scheme hwt1, set the HWTACACS server response timeout timer to 30 seconds.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of usernames to be sent to the HWTACACS servers of an HWTACACS scheme.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to the HWTACACS servers of an HWTACACS scheme.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the usernames to the HWTACACS servers as the usernames are entered.

with-domain: Includes the ISP domain name in the usernames sent to the HWTACACS servers.

without-domain: Excludes the ISP domain name from the usernames sent to the HWTACACS servers.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the usernames are sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

If the HWTACACS scheme is used for wireless users, specify the username format as keep-original. Otherwise, authentication of the wireless users might fail.

Examples

# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

LDAP commands

attribute-map

Use attribute-map to specify the LDAP attribute map in an LDAP scheme.

Use undo attribute-map to restore the default.

Syntax

attribute-map map-name

undo attribute-map

Default

An LDAP scheme does not use an LDAP attribute map.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

When the LDAP scheme used for authorization contains an LDAP attribute map, the device converts server-assigned LDAP attributes to device-recognizable AAA attributes based on the mapping entries.

You can specify only one LDAP attribute map in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

If you specify another attribute map or change the mapping entries, the new settings are effective only on the LDAP authorization that occurs after your operation.

Examples

# Specify LDAP attribute map map1 in LDAP scheme test.

<Sysname> system-view

[Sysname] ldap scheme test

[Sysname-ldap-test] attribute-map map1

Related commands

·     display ldap-scheme

·     ldap attribute-map

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to restore the default.

Syntax

authentication-server server-name

undo authentication-server

Default

No LDAP authentication server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

·     display ldap scheme

·     ldap server

authorization-server

Use authorization-server to specify the LDAP authorization server for an LDAP scheme.

Use undo authorization-server to restore the default.

Syntax

authorization-server server-name

undo authorization-server

Default

No LDAP authorization server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authorization server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authorization-server ccc

Related commands

·     display ldap scheme

·     ldap server

display ldap scheme

Use display ldap scheme to display LDAP scheme configuration.

Syntax

display ldap scheme [ ldap-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

 

------------------------------------------------------------------

LDAP scheme name             : aaa

  Authentication server      : aaa

    IP                       : 1.1.1.1

    Port                     : 111

    LDAP protocol version    : LDAPv3

    Server timeout interval  : 10 seconds

    Login account DN         : Not configured

    Base DN                  : Not configured

    Search scope             : all-level

    User searching parameters:

      User object class      : Not configured

      Username attribute     : cn

      Username format        : with-domain

  Authorization server       : aaa

    IP                       : 1.1.1.1

    Port                     : 111

    LDAP protocol version    : LDAPv3

    Server timeout interval  : 10 seconds

    Login account DN         : Not configured

    Base DN                  : Not configured

    Search scope             : all-level

    User searching parameters:

      User object class      : Not configured

      Username attribute     : cn

      Username format        : with-domain

  Attribute map              : map1

 ------------------------------------------------------------------

Table 13 Command output

Field

Description

Authentication server

Name of the LDAP authentication server. If no server is configured, this field displays Not configured.

Authorization server

Name of the LDAP authorization server. If no server is configured, this field displays Not configured.

IP

IP address of the LDAP server. If no server is specified, this field displays Not configured.

Port

Port number of the server. If no port number is specified, this field displays the default port number.

LDAP protocol version

LDAP version, LDAPv2 or LDAPv3.

Server timeout interval

LDAP server timeout period, in seconds.

Login account DN

DN of the administrator.

Base DN

Base DN for user search.

Search scope

User DN search scope, including:

·     all-level—All subdirectories.

·     single-levelNext lower level of subdirectories under the base DN.

User searching parameters

User search parameters.

User object class

User object class for user DN search. If no user object class is configured, this field displays Not configured.

Username attribute

User account attribute for login.

Username format

Format for the usernames sent to the server.

Attribute map

LDAP attribute map used by the scheme. If no LDAP attribute map is used, this field displays Not configured.

 

ip

Use ip to configure the IP address of the LDAP server.

Use undo ip to restore the default.

Syntax

ip ip-address [ port port-number ]

undo ip

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number of LDAP server ccc as 192.168.0.10 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address of the LDAP server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ port port-number ]

undo ipv6

Default

An LDAP server does not have an IPv6 address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IPv6 address and port number of LDAP server ccc as 1:2::3:4 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap attribute-map

Use ldap attribute-map to create an LDAP attribute map and enter its view, or enter the view of an existing LDAP attribute map.

Use undo ldap attribute-map to delete an LDAP attribute map.

Syntax

ldap attribute-map map-name

undo ldap attribute-map map-name

Default

No LDAP attribute maps exist.

Views

System view

Predefined user roles

network-admin

Parameters

map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute.

Examples

# Create an LDAP attribute map named map1 and enter LDAP attribute map view.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1]

Related commands

·     attribute-map

·     ldap scheme

·     map

ldap scheme

Use ldap scheme to create an LDAP scheme and enter its view, or enter the view of an existing LDAP scheme.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

ldap-scheme-name: Specifies the LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server named ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to restore the default.

Syntax

login-dn dn-string

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.

If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city for LDAP server ldap1.

<Sysname> system-view

[Sysname] ldap server ldap1

[Sysname-ldap-server-ldap1] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

login-password { cipher | simple } string

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 128 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.

Usage guidelines

This command is effective only after the login-dn command is configured.

Examples

# Configure the administrator password as abcdefg in plaintext form for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

·     display ldap scheme

·     login-dn

map

Use map to configure a mapping entry in an LDAP attribute map.

Use undo map to delete the specified mapping entries from the LDAP attribute map.

Syntax

map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }

undo map [ ldap-attribute ldap-attribute-name ]

Default

An LDAP attribute map does not contain mapping entries.

Views

LDAP attribute map view

Predefined user roles

network-admin

Parameters

ldap-attribute ldap-attribute-name: Specifies an LDAP attribute by its name. The ldap-attribute-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix-value delimiter delimiter-value: Specifies a partial value string of the LDAP attribute for attribute mapping. The prefix-value argument represents the position where the partial string starts. The prefix is a case-insensitive string of 1 to 7 characters, such as cn=. The delimiter-value argument represents the position where the partial string ends, such as a comma (,). If you do not specify the prefix prefix-value delimiter delimiter-value option, the mapping entry uses the entire value string of the LDAP attribute.

aaa-attribute: Specifies an AAA attribute.

user-group: Specifies the user group attribute.

user-profile: Specifies the user profile attribute.

Usage guidelines

Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include important LDAP attributes that should not be ignored.

An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute.

If you do not specify an LDAP attribute for the undo map command, the command deletes all mapping entries from the LDAP attribute map.

Examples

# In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group

Related commands

·     ldap attribute-map

·     user-group

·     user-profile

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

·     display ldap scheme

·     ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

·     display ldap scheme

·     ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default of an LDAP user attribute.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the usernames to be sent to the server. The with-domain keyword indicates that the usernames contain the domain name, and the without-domain keyword indicates that the usernames do not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the usernames on the LDAP server do not contain the domain name, specify the without-domain keyword. If the usernames contain the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

·     display ldap scheme

·     login-dn

ITA policy commands

accounting-level

Use accounting-level to specify a traffic level for ITA accounting.

Use undo accounting-level to remove the ITA accounting configuration for a traffic level.

Syntax

accounting-level level { ipv4 | ipv6 }

undo accounting-level [ level ]

Default

No traffic levels are specified for ITA accounting.

Views

ITA policy view

Predefined user roles

network-admin

Parameters

level: Specifies a traffic level in the range of 1 to 8.

ipv4: Counts the traffic as IPv4 traffic.

ipv6: Counts the traffic as IPv6 traffic.

Usage guidelines

By defining different traffic levels based on the destination addresses of users' traffic, you can use ITA to separate the traffic accounting statistics of different levels for each user.

Execute this command multiple times to specify multiple traffic levels for ITA accounting.

If you do not specify a level for the undo accounting-level command, this command removes the ITA accounting configuration for all traffic levels in the ITA policy.

Examples

# In ITA policy ita1, specify traffic levels 2 and 5, and count the level-2 traffic as IPv4 traffic and the level-5 traffic as IPv6 traffic.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] accounting-level 2 ipv4

[Sysname-ita-policy-ita1] accounting-level 5 ipv6

Related commands

ita policy

accounting-merge enable

Use accounting-merge enable to enable the accounting merge feature.

Use undo accounting-merge enable to disable the accounting merge feature.

Syntax

accounting-merge enable

undo accounting-merge enable

Default

The accounting merge feature is disabled.

Views

ITA policy view

Predefined user roles

network-admin

Usage guidelines

When accounting merge is enabled, the device merges accounting statistics for the ITA traffic of all levels in the ITA policy. It reports the traffic as the lowest level of the policy to the accounting server.

Examples

# Enable the accounting merge feature for ITA policy ita1.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] accounting-merge enable

Related commands

ita policy

accounting-method

Use accounting-method to configure the accounting method for an ITA policy.

Use undo accounting-method to restore the default.

Syntax

accounting-method { none | radius-scheme radius-scheme-name [ none ] }

undo accounting-method

Default

The default accounting method of an ITA policy is none.

Views

ITA policy view

Predefined user roles

network-admin

Parameters

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Use this command to configure accounting methods for an ITA policy. ITA accounting is separated from accounting of other services.

You can specify one primary accounting method and one backup accounting method for an ITA policy.

When the primary method is invalid, the device uses the backup method. For example, the accounting-method radius-scheme radius-scheme-name none command specifies RADIUS accounting as the primary method and no accounting as the backup method. The device performs RADIUS accounting by default and does not perform accounting when the RADIUS server is invalid.

Examples

# Specify RADIUS accounting scheme radius1 for ITA policy ita1.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] accounting radius-scheme radius1

Related commands

·     ita policy

·     radius scheme

ita policy

Use ita policy to create an ITA policy and enter its view, or enter the view of an existing ITA policy.

Use undo ita policy to delete an ITA policy.

Syntax

ita policy policy-name

undo ita policy policy-name

Default

No ITA policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the ITA policy name, a case-insensitive string of 1 to 31 characters.

Examples

# Create an ITA policy named ita1 and enter ITA policy view.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1]

traffic-quota-out

Use traffic-quota-out to configure access control for users that have used up their ITA data quotas.

Use undo traffic-quota-out to restore the default.

Syntax

traffic-quota-out { offline | online }

undo traffic-quota-out

Default

Users cannot access the authorized IP subnets after their ITA data quotas are used up.

Views

ITA policy view

Predefined user roles

network-admin

Parameters

offline: Prohibits users from accessing the authorized IP subnets after their ITA data quotas are used up.

online: Permits users to access the authorized IP subnets after their ITA data quotas are used up.

Examples

# In ITA policy ita1, prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] traffic-quota-out offline

Related commands

ita policy

traffic-separate

Use traffic-separate enable to exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

Use undo traffic-separate enable to include the amount of ITA traffic into the overall traffic statistics that are sent to the accounting server.

Syntax

traffic-separate enable

undo traffic-separate enable

Default

The amount of ITA traffic is included in the overall traffic statistics that are sent to the accounting server.

Views

ITA policy view

Predefined user roles

network-admin

Examples

# In ITA policy ita1, exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] traffic-separate enable

Related commands

ita policy