Login
- Table of Contents
-
- H3C S5500-SI Series Ethernet Switches Command Manual-Release 1205-(V1.03)
- 00-1Cover
- 01-Login Command
- 02-Basic System Configuration and Maintenance Command
- 03-File System Management Command
- 04-VLAN Command
- 05-QinQ-BPDU TUNNEL Command
- 06-Port Correlation Configuration Command
- 07-MAC Address Table Management Command
- 08-MSTP Commands
- 09-IP Address and Performance Command
- 10-IPv6 Configuration Command
- 11-Routing Overview Command
- 12-IPv4 Routing Command
- 13-IPv6 Routing Command
- 14-802.1x-HABP-MAC Authentication Command
- 15-AAA-RADIUS-HWTACACS Command
- 16-Multicast Protocol Command
- 17-ARP Command
- 18-DHCP Command
- 19-ACL Command
- 20-QoS Command
- 21-Port Mirroring Command
- 22-Cluster Command
- 23-SNMP-RMON Command
- 24-NTP Command
- 25-DNS Command
- 26-Information Center Command
- 27-NQA Command
- 28-SSH Terminal Service Command
- 29-UDP Helper Command
- 30-SSL-HTTPS Command
- 31-PKI Command
- 32-PoE-PoE Profile Command
- 33-Appendix
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 15-AAA-RADIUS-HWTACACS Command | 418 KB |
Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.8 authentication lan-access
1.1.12 authorization lan-access
1.1.22 local-user password-display-mode
1.2 RADIUS Configuration Commands
1.2.2 display local-server statistics
1.2.4 display radius statistics
1.2.5 display stop-accounting-buffer
1.2.13 reset radius statistics
1.2.14 reset stop-accounting-buffer
1.2.16 retry realtime-accounting
1.2.19 secondary authentication
1.2.22 stop-accounting-buffer enable
1.2.24 timer realtime-accounting
1.3 HWTACACS Configuration Commands
1.3.3 display stop-accounting-buffer
1.3.11 reset hwtacacs statistics
1.3.12 reset stop-accounting-buffer
1.3.15 secondary authentication
1.3.16 secondary authorization
1.3.17 stop-accounting-buffer enable
1.3.19 timer realtime-accounting
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: Specifies not to limit the number of access users that can be contained in current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain. Where, max-user-number ranges from 1 to 1024.
Description
Use the access-limit command to set the maximum number of access users that can be contained in current ISP domain.
Use the undo access-limit command to restore the default maximum number.
By default, the number of access users that can be contained in current ISP domain is unlimited.
Because resource contention may occur between access users, there is a need to properly limit the number of access users in an ISP domain to provide reliable performance to the users in the ISP domain.
Example
# Allow ISP domain aabbc.net to contain at most 500 access users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]domain aabbcc.net
[Sysname-isp-aabbcc.net] access-limit enable 500
1.1.2 accounting default
Syntax
accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting default
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: Unaccounting.
Description
Use the accounting default command to configure an accounting scheme for all users.
Use the undo accounting default command to restore the default accounting scheme for all users.
By default, the local scheme is configured.
It should be noted that:
l The accounting scheme configured by the accounting default command is applicable to all users. Its priority is lower than that configured by a specified access mode.
l Local accounting is only used to support the management of local user connections without real statistical function. The management of local connections takes effect for local accounting rather than local authentication and authorization.
l In the login access mode, accounting is not supported for FTP services.
Related command: authentication default and authorization default.
Example
# In the default ISP domain named system, configure local as the default accounting scheme for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] auccounting default local
# In the default ISP domain named system, configure radius as the default accounting scheme named rd for all users and local as backup accounting. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting default radius-scheme rd local
# In the default ISP domain named system, restore the default accounting scheme for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting default
1.1.3 accounting lan-access
Syntax
accounting lan-access { radius-scheme radius-scheme-name [ local ] | local
| none }
undo accounting lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: Unaccounting.
Description
Use the accounting lan-access command to configure accounting for a lan-access user. Use the undo accounting lan-access command to remove accounting for a lan-access user.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system]accounting lan-access local
# In the default ISP domain named system, configure radius as the accounting scheme named rd for the lan-access user and local as backup accounting. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting lan-access radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting lan-access
1.1.4 accounting login
Syntax
accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo accounting login
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.
local: Local accounting.
none: Unaccounting.
Description
Use the accounting login command to configure accounting for the login user.
Use the undo accounting login command to remove accounting for the login user.
Related command: accounting default.
Example
# In the default ISP domain named system, configure local as the accounting scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login local
# In the default ISP domain named system, configure radius as the accounting scheme named rd for the login user and local as backup accounting. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] accounting login radius-scheme rd local
# In the default ISP domain named system, remove the accounting scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo accounting login
1.1.5 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to open the accounting-optional switch.
Use the undo accounting optional command to close the accounting-optional switch.
By default, the accounting-optional switch is closed.
Note that:
l When the system charges an online user but it does not find any available RADIUS accounting server or fails to communicate with any RADIUS accounting server, the user can continue the access to network resources if the accounting optional command has been used; otherwise, the user is disconnected from the system. The accounting optional command is often used in the cases where only authentication is needed and no accounting is needed.
l With the accounting optional command executed, the system does not send real time accounting updating packets and accounting-stop packets to all users in RADIUS scheme.
Example
# Open the accounting-optional switch for the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] accounting optional
1.1.6 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port portnum } } *
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameter
ip ip-address: Sets the IP address of the user. The attribute ip command for a local user only applies to H3C 802.1x clients. If you configure this command on a non-H3C client, local authentication will fail.
mac mac-address: Sets the MAC address of the user. Where, mac-address is in H-H-H format.
idle-cut minute: Allows the local user to enable the idle-cut function. Where, minute is the idle time before cutting down, which ranges from 1 minutes to 120 minutes.
access-limit max-user-number: Sets the maximum number of users who can access the switch with current user name. Where, max-user-number ranges from 1 to 1024.
vlan vlan-id: Sets the VLAN attribute of the user (that is, which VLAN the user belongs to). Where, vlan-id is an integer ranging from 1 to 4094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of the access server to which the user is bound to. Where, ip-address is in dotted decimal notation and is 127.0.0.1 (representing this device) by default. If the user is bound to a remote port, you must specify the nas-ip parameter. If the user is bound to a local port, you need not specify the nas-ip parameter.
port port-number: Sets the port bound with the user.
Description
Use the attribute command to set the attributes of a user whose service type is lan-access.
Use the undo attribute command to cancel attribute settings of the user.
Related command: display local-user.
Example
# Set the IP address of user1 to 10.110.50.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] attribute ip 10.110.50.1
1.1.7 authentication default
Syntax
authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication default
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters
local: Local authentication.
none: Unauthentication.
Description
Use the authentication default command to configure authentication scheme for all users.
Use the undo authentication default command to restore the default authentication scheme for all users.
By default, the local authentication is used.
The authentication scheme configured by the authentication default command is applicable to all users. But its priority is lower than that configured by a special access mode.
Related command: authorization default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authentication for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default local
# In the default ISP domain named system, configure radius as the default authentication scheme named rd for all users and local as backup authentication. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme rd local
# In the default ISP domain named system, restore the default authentication scheme for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication default
1.1.8 authentication lan-access
Syntax
authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo authentication lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: Unauthentication.
Description
Use the authentication lan-access command to configure authentication scheme for a lan-access user.
Use the undo authentication lan-access command to remove authentication scheme for a lan-access user.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access local
# In the default ISP domain named system, configure radius as the default authentication named rd for the lan-access user and local as backup authentication. Note that rd authentication must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication lan-access
1.1.9 authentication login
Syntax
authentication login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authentication login
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.
local: Local authentication.
none: Unauthentication.
Description
Use the authentication login command to configure authentication for a login user. Use the undo authentication login command to remove authentication for a login user.
Related command: authentication default.
Example
# In the default ISP domain named system, configure local as the authentication scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login local
# In the default ISP domain named system, configure radius as the default authentication named rd for the login user and local as backup authentication. Note that the rd authentication must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authentication login radius-scheme rd local
# In the default ISP domain named system, remove the authentication scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authentication login
1.1.10 authorization command
Syntax
authorization command hwtacacs-scheme hwtacacs-scheme-name
undo authorization command
View
ISP domain view
Parameter
hwtacacs-scheme-name: Name of a HWTACACS scheme, a string of up to 32 characters.
Description
Use the authorization command command to configure the authorization scheme for a CLI user
Use the undo authorization command command to remove the authorization scheme for a CLI user
Related command: authorization default.
Example
# In the default ISP domain named system, configure HWTACACS as the authorization scheme named hw for the CLI user. Note that the hw authorization must be already configured. Related command: hwtacacs scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization command hwtacacs-scheme hw
1.1.11 authorization default
Syntax
authorization default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization default
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but only owns the default rights.
Description
Use the authorization default command to configure the default authorization for all users.
Use the undo authorization default command to restore the default authorization scheme for all users.
By default, the local authorization is used.
It should be noted that:
l The authorization scheme configured by the authorization default command is applicable to all users. Its priority is lower than that configured by a specified access mode.
l As a special procedure, RADIUS authorization takes effect when the radius schemes for authentication and authorization are similar. In case of failure to all RADIUS authorization, the reason returned to NAS is that the Server did not respond.
Related command: authentication default and accounting default.
Example
# In the default ISP domain named system, configure local as the default authorization for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default local
# In the default ISP domain named system, configure radius as the default authorization named rd for all users and local as backup authorization. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization default radius-scheme rd local
# In the default ISP domain named system, restore the default authorization scheme for all users.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization default
1.1.12 authorization lan-access
Syntax
authorization lan-access { radius-scheme radius-scheme-name [ local ] | local | none }
undo authorization lan-access
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but only owns the default rights.
Description
Use the authorization lan-access command to configure authorization for a lan-access user.
Use the undo authorization lan-access command to remove authorization for a lan-access user.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system]authorization lan-access local
# In the default ISP domain named system, configure radius as the authorization scheme named rd for the lan-access user and local as backup authorization. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization lan-access radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for the lan-access user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization lan-access
1.1.13 authorization login
Syntax
authorization login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo authorization login
View
ISP domain view
Parameter
radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.
hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.
local: Local authorization.
none: Direct authorization. In this case, the user passes the authentication directly, but only owns the default rights.
Description
Use the authorization login command to configure authorization for a login user.
Use the undo authorization login command to remove authorization for a login user.
Related command: authorization default.
Example
# In the default ISP domain named system, configure local as the authorization scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login local
# In the default ISP domain named system, configure radius as the authorization scheme named rd for the login user and local as backup authorization. Note that the rd scheme must be already configured. Related command: radius scheme.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] authorization login radius-scheme rd local
# In the default ISP domain named system, remove the authorization scheme for the login user.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] undo authorization login
1.1.14 cut connection
Syntax
cut connection { all | access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameter
all: Cuts down all user connections.
access-type { dot1x | mac-authentication }: Cuts down user connections using the specified access method. dot1x is used to cut down all 802.1x user connections, and mac-authentication is used to cut down all MAC authentication user connections.
domain isp-name: Cuts down all user connections in the specified ISP domain. Where, isp-name is the name of an ISP domain. It is a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections under the specified port. Where interface-type is the port type and interface-number is the port number.
ip ip-address: Cuts down the connection of the user with the specified IP address.
mac mac-address: Cuts down the user connection with the specified MAC address. Where, mac-address is in the H-H-H format.
vlan vlan-id: Cuts down all user connections of the specified VLAN. Where, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Cuts down the user connection with the specified connection index. Where, ucib-index ranges from 0 to 4294967295.
user-name user-name: Cuts down the user connection of the specified user. Where, user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot contain more than 55 characters,
Description
Use the cut connection command to cut down one user connection or one type of user connections forcibly.
This command cannot cut down the connections of Telnet, SSH and FTP users.
Related command: display connection.
Example
# Cut down all user connections in the ISP domain named aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] cut connection domain aabbcc.net
1.1.15 display connection
Syntax
display connection [ access-type { dot1x | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
access-type { dot1x | mac-authentication }: Displays the user connections in specified access mode. Where, dot1x is used to display all 802.1x user connections, and mac-authentication is used to display all MAC authentication user connections.
domain isp-name: Displays all user connections under the specified ISP domain. Where, isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on the specified port.
ip ip-address: Displays all user connections with the specified IP address.
mac mac-address: Displays the connection of the user with the specified MAC address. Where, mac-address is in dotted hexadecimal notation (in the form of H.H.H).
vlan vlan-id: Displays all user connections of the specified VLAN. Where, vlan-id ranges from 1 to 4094.
ucibindex ucib-index: Displays the user connection with the specified connection index. Where, ucib-index ranges from 0 to 4294967295.
user-name user-name: Displays the user connection with the specified user name. Where, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, and the whole string cannot be longer than 80 characters.
Description
Use the display connection command to display information about specified or all user connections.
If you execute this command without specifying any parameter, all user connections will be displayed.
This command cannot display information about the connections of the FTP users.
Related command: cut connection.
Example
# Display information about all user connections.
<Sysname> display connection
Total 0 connections matched ,0 listed.
1.1.16 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Name of an ISP domain, a character string of up to 24 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display the configuration information about one specific or all ISP domains.
Related command: access-limit, domain and state.
Example
# Display the configuration information about all ISP domains.
<Sysname>display domain
0 Domain = system
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Default Domain Name: system
Total 1 domain(s).
Table 1-1 Description on the fields of the display domain command
|
Field |
Description |
|
Domain |
Domain name |
|
State |
State |
|
Access-Limit |
Limit on the number of access users |
|
Accounting method |
Accounting method |
|
default Authentication scheme |
default Authorization scheme |
|
default Authorization scheme |
default Authorization scheme |
|
default Accounting scheme |
default Accounting scheme |
|
Domain User Template |
Domain user template |
|
Idle-Cut |
State of the idle-cut function |
|
Self-service |
State of the self service |
|
Default Domain Name |
Default domain name |
|
Total 1 domain(s) |
There is totally one domain |
1.1.17 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { lan-access | telnet | ssh | terminal | ftp } | state { active | block } | user-name user-name ]
View
Any view
Parameter
domain isp-name: Displays all local users belonging to the specified ISP domain. Where, isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
idle-cut { disable | enable }: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. Where, disable specifies the inhibited local users and enable specifies the allowed local users.
vlan vlan-id: Displays the local users belonging to the specified VLAN. Where, vlan-id ranges from 1 to 4094.
service-type: Displays the local users of the specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, telnet, terminal (this type of users are terminal users who log into the switch through the Console port).
state { active | block }: Displays the local users in the specified state. Where active represents the users allowed to request network services, and block represents the users inhibited to request network services.
user-name user-name: Displays the local user who has the specified user name. Where, user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters.
Description
Use the display local-user command to display information about specified or all local users.
Related command: local-user.
Example
# Display information about all local users.
<Sysname> display local-user
The contents of local user user1:
State: Active
ServiceType: lan-access/telnet
Idle-cut: Disable
Access-limit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
User Privilege: 3
Total 1 local user(s) Matched,1 listed..
Table 1-2 Description on the fields of the display local-user command
|
Field |
Description |
|
State |
State of the local user |
|
ServiceType |
ServiceType |
|
Idle-Cut |
State of the idle-cut function |
|
Access-Limit |
Limit on the number of access users |
|
Current AccessNum |
Number of current access users |
|
Bind location |
Whether or not bound to a port |
|
Vlan ID |
VLAN of the user |
|
IP address |
IP address of the user |
|
MAC address |
MAC address of the user |
|
User Privilege |
User Privilege |
& Note:
When the local RADIUS authentication server (local-server) is enabled, the value of “Current AccessNum” may be inconsistent with the actual number of accessed users and the displayed value here is just for reference.
1.1.18 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameter
isp-name: Name of a ISP domain, a character string of up to than 24 characters. This string cannot contain the following characters: /:*?<>.
default: Manually configures the default ISP domain, which is "system" by default. There is one and only one default ISP domain.
disable: Disables the configured default ISP domain.
enable: Enables the configured default ISP domain.
Description
Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.
Use the undo domain command to delete a specified ISP domain.
By default, an ISP domain "system" has already existed in the system, and you can use the display domain command to check the settings of this default ISP domain.
After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state. You can manually configure the default domain only when it has already existed.
Related command: access-limit, state and display domain.
Example
# Create a new ISP domain aabbcc.net.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
New Domain added.
[Sysname-isp-aabbcc.net]
1.1.19 idle-cut
Syntax
idle-cut { disable | enable minute }
View
ISP domain view
Parameter
disable: Inhibits users from enabling the idle-cut function.
enable: Allows users to enable the idle-cut function.
minute: Maximum idle time, ranging from 1 minute to 120 minutes.
Description
Use the idle-cut command to set the user idle-cut function in current ISP domain.
By default, this function is disabled.
Related command: domain.
Example
# Allow users in ISP domain aabbcc.net to enable the idle-cut attribute in user template (that is, allow the user to use the idle-cut function), with the maximum idle time of 50 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] idle-cut enable 50
1.1.20 level
Syntax
level level
undo level
View
Local user view
Parameter
level: Priority level of the user. It is an integer ranging from 0 to 3 and defaulting to 0.
Description
Use the level command to set the priority level of the user.
Use the undo level command to restore the default priority level of the user.
Note that:
l If the configured authentication method is none or requires a password, the command level that a user can access after login is determined by the level of the user interface.
l If the configured authentication method requires a user name and a password, the command level that a user can access after login is determined by the priority level of the user. For SSH users, when they use RSA shared keys for authentication, the commands they can access are determined by the levels sets on the user interfaces.
Related command: local-user.
Example
# Set the level of user1 to 3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] level 3
1.1.21 local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { lan-access | telnet | ssh | terminal | ftp } ] }
View
System view
Parameter
user-name: Name of the local user, a character string of up to 80 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters. User names are case-sensitive. For example, the system regards UserA and usera as two different users.
all: Specifies all local users.
service-type: Specifies the local users of the specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (this type of users are terminal users who log into the switch through the Console port).
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to delete one or more specified local users.
By default, there is no local user in the system.
“a”, “al”, “all” cannot be name of the local user.
Related command: display local-user and service-type.
Example
# Add a local user named user1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1]
1.1.22 local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameter
cipher-force: Adopts the forcible cipher mode so that the passwords of all local users must be displayed in cipher text.
auto: Adopts the automatic mode so that the passwords of local users are displayed in the modes set with the password command.
Description
Use the local-user password-display-mode command to set the password display mode of all local users
Use the undo local-user password-display-mode command to restore the default password display mode of all local users.
By default, the password display mode of all access users is auto.
When the cipher-force mode is adopted, all passwords will be displayed in cipher text even through some users have specified to display their passwords in plain text by using the password command with the simple keyword.
Related command: display local-user and password.
Example
# Specify to display all local user passwords in cipher text forcibly.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user password-display-mode cipher-force
1.1.23 password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameter
simple: Specifies to display passwords in simple text.
cipher: Specifies to display passwords in cipher text.
password: Password you want to set, a character string.
l For simple mode, the password must be in plain text.
l For cipher mode, the password can be either in cipher text or in plain text, which it is depends on your input.
A password in plain text can be a string with of up to 63 consecutive characters, for example, aabbcc. Encrypted text password string can contain 24, 32, 44, 56, 64, 76, 88, characters such as_(TT8F]Y\5SQ=^Q`MAF4<1!!.
Description
Use the password command to set a password for the local user.
Use the undo password command to cancel the password of the local user.
Note that, after the local-user password-display-mode cipher-force command is executed, the password will be displayed in cipher text even though you use the password command to set the display mode of the password to simple.
Related command: display local-user.
Example
# Set the password of user1 to 20030422 and specify to display the password in plain text.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] password simple 20030422
1.1.24 self-service-url
Syntax
self-service-url { disable | enable url-string }
undo self-service-url
View
ISP domain view
Parameter
url-string: URL of the web page used to modify user password on the self-service server. It is a character string with 1 character to 64 characters. The string must begin with”http://”,and it cannot contain the character “?”.
Description
Use the self-service-url enable command to enable the self-service server location function
Use the self-service-url disable command to disable the self-service server location function
Use the undo self-service-url command to restore the default state of this function.
By default, this function is disabled.
Note that:
l This command must be used with the cooperation of a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.
l After this command is executed on the switch, users can locate the self-service server through the following operation: choose [change user password] on the 802.1x client, the client opens the default browser (for example, IE or NetScape) and locates the specified URL page used to change user password on the self-service server. Then, the user can change the password.
l A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is in grey and is unavailable.
Example
# Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain system
[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
1.1.25 service-type
Syntax
service-type { lan-access | { telnet | ssh | terminal }* [ level level ] }
undo service-type { lan-access | { telnet | ssh | terminal }* }
View
Local user view
Parameter
lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user).
telnet: Authorizes the user to access the Telnet service.
ssh: Authorizes the user to access the SSH service.
terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).
level level: Specifies the level of the Telnet, terminal or SSH user. Where, level is an integer ranging from 0 to 3 and defaulting to 0.
Description
Use the service-type command to authorize the user to access the specified type(s) of service(s).
Use the undo service-type command to inhibit the user from accessing the specified type(s) of service(s).
By default, the user is inhibited from accessing any type of service.
Example
# Authorize user1 to access the Telnet service.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
1.1.26 service-type ftp
Syntax
service-type ftp [ ftp-directory directory ]
undo service-type ftp [ ftp-directory ]
View
Local user view
Parameter
ftp-directory directory: Specifies the directory of the FTP user, directory is a character string of up to 64 characters.
Description
Use the service-type ftp command to configure the FTP service type and accessible directories for users. Use the undo service-type ftp command to restore the default settings.
By default, anonymous users cannot access the switch using FTP or are not authorized with any FTP service; authorized FTP users can only access the root directory.
Related command: service-type.
Example
# Configure the user with FTP server type.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-luser-user1] service-type ftp
1.1.27 state
Syntax
state { active | block }
View
ISP domain view or local user view
Parameter
active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in current ISP domain or current local user to access the network.
block: Hangs up the current ISP domain (in ISP domain view) or local user (in local user view), to inhibit users in current ISP domain or current local user from accessing the network.
Description
Use the state command to set the status of current ISP domain (in ISP domain view) or the status of the local user (in local user view).
By default, an ISP domain is in the active state once it is created, and a local user is in the active state once the user is created.
After an ISP domain is set to the block state, except the online users, the users under this domain are not allowed to access the network.
After the local user is set to the block state, the user is not allowed to access the network.
Related command: domain.
Example
# Set the ISP domain aabbcc.net to the block state, so that all its offline users cannot access the network.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] state block
# Set user1 to the block state.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-user user1
[Sysname-user-user1] state block
1.2 RADIUS Configuration Commands
1.2.1 data-flow-format
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*
undo data-flow-format { data | packet }
View
RADIUS scheme view
Parameter
data: Sets the unit of measure for data.
byte: Specifies to measure data in bytes.
giga-byte: Specifies to measure data in gigabytes.
kilo-byte: Specifies to measure data in kilobytes.
mega-byte: Specifies to measure data in megabytes.
packet: Sets the unit of measure for packets.
giga-packet: Specifies to measure packets in giga-packets.
kilo-packet: Specifies to measure packets in kilo-packets.
mega-packet: Specifies to measure packets in mega-packets.
one-packet: Specifies to measure packets in packets.
Description
Use the data-flow-format command to set the units of measure for data flows sent to RADIUS servers.
Use the undo data-flow-format command to restore the default units of measure.
By default, the unit of measure for data is byte and that for packets is one-packet.
Related command: display radius.
Example
# Specify to measure data and packets in data flows sent to RADIUS server in kilobytes and kilo-packets respectively.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
1.2.2 display local-server statistics
Syntax
display local-server statistics
View
Any view
Parameter
None
Description
Use the display local-server statistics command to display the statistics about all local RADIUS authentication servers.
Related command: local-server.
Example
# Display the statistics about local RADIUS authentication server.
<Sysname> display local-server statistics
The localserver packet statistics:
Receive: 30 Send: 30
Discard: 0 Receive Packet Error: 0
Auth Receive: 10 Auth Send: 10
Acct Receive: 20 Acct Send: 20
1.2.3 display radius
Syntax
display radius [ radius-scheme-name ]
View
Any view
Parameter
radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.
Description
Use the display radius scheme command to display the configuration information about one specific or all RADIUS schemes
Related command: radius scheme.
Example
# Display the configuration information about all RADIUS schemes.
<Sysname> display radius
------------------------------------------------------------------
SchemeName =system
Index=0 Type=extended
Primary Auth IP =127.0.0.1 Port=1645 State=block
Primary Acct IP =127.0.0.1 Port=1646 State=block
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
Interval for timeout(second) =3
Retransmission times for timeout =3
Interval for realtime accounting(minute) =12
Retransmission times of realtime-accounting packet =5
Retransmission times of stop-accounting packet =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =one
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Table 1-3 Description on the fields of the display radius command
|
Field |
Description |
|
SchemeName |
Name of the RADIUS scheme |
|
Index |
Index number of the RADIUS scheme |
|
Type |
Type of the RADIUS servers |
|
Primary Auth IP/ Port/ State |
IP address/access port status of the primary authentication server |
|
Primary Acct IP/ Port/ State |
IP address/access port status of the primary accounting server |
|
Second Auth IP/ Port/ State |
IP address/access port status of the secondary authentication server |
|
Second Acct IP/ Port/ State |
IP address/access port status of the secondary accounting server |
|
Auth Server Encryption Key |
Shared key of the authentication servers |
|
Acct Server Encryption Key |
Shared key of the accounting servers |
|
Interval for timeout(second) |
RADIUS server response timeout time |
|
Retransmission times for timeout |
Retransmission times for timeout |
|
Interval for realtime accounting(minute) |
Interval for realtime accounting |
|
Retransmission times of realtime-accounting packet |
Retransmission times of realtime-accounting packet |
|
Retransmission times of stop-accounting packet |
Retransmission times of stop-accounting packet |
|
Quiet-interval(min) |
Wait time for the primary servers to restore the active state |
|
Username format |
User name format |
|
Data flow unit |
Unit of measure for data in data flows |
|
Packet unit |
Unit of measure for packets |
1.2.4 display radius statistics
Syntax
display radius statistics
View
Any view
Parameter
None
Description
Use the display radius statistics command to display the statistics about RADIUS packets.
Related command: radius scheme.
Example
# Display the statistics about RADIUS packets.
<Sysname> display radius statistics
state statistic(total=1024):
DEAD=1024 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=1
AcctStop=0 OnLine=1 Stop=0
StateErr=0
Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
Resend Times Resend total
1 12
2 12
Total 24
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=36 , Err=12 , Succ=24
PKT acct_timeout , Num=0 , Err=0 , Succ=0
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=2 , Err=0 , Succ=2
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0
1.2.5 display stop-accounting-buffer
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameter
radius-scheme radius-scheme-name: Displays the buffered stop-accounting requests of the specified RADIUS scheme. Where, radius-scheme-name is a character string of up to 32 characters.
session-id session-id: Displays the buffered stop-accounting requests of the specified session ID. Where, session-id is a character string of up to 50 characters.
time-range start-time stop-time: Displays the buffered stop-accounting requests in the specified request time range. Where, start-time is the start time of the request time range, and the earliest time can be 00:00:00-01/01/1970. stop-time is the end time of the request time range, and both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. and is used to display the buffered stop-accounting requests from the start time to the end time.
user-name user-name: Displays the buffered stop-accounting requests of the specified user. Where, user-name is a character string of up to 80 characters.
Description
Use the display stop-accounting-buffer command to display the no-response stop-accounting request packets buffered in the device.
& Note:
l You can choose to display the buffered stop-accounting packets of a specified RADIUS scheme, session ID, or user name. You can also specify a time range to display those which are sent within the specified time range. The displayed packet information helps you to diagnose and resolve problems relevant to RADIUS.
l When the switch sends out a stop-accounting packet but gets no response from the RADIUS server, it first buffers the packet and then retransmits it until the maximum number of retransmission attempts (set by the retry stop-accounting command) is reached.
Related command: reset stop-accounting-buffer, stop-accounting-buffer enable and retry stop-accounting.
Example
# Display the buffered stop-accounting requests from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.
<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
Total find 0 record(s)
1.2.6 key
Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS scheme view
Parameter
accounting: Specifies to set a shared key for the RADIUS accounting packets.
authentication: Specifies to set a shared key for the RADIUS authentication/authorization packets.
string: Shared key, a character string of up to 16 characters.
Description
Use the key command to set a shared key for the RADIUS authentication/authorization packets or accounting packets.
Use the undo key command to restore the corresponding default shared key.
By default, no key is set for any RADIUS server.
The RADIUS client and server adopt MD5 algorithm to encrypt the RADIUS packets exchanged with each other. The two parties verify the validity of the exchanged packets by using the shared keys that have been set on them, and can accept and respond to the packets sent from each other only if both of them have the same shared keys. If the authentication/authorization server and the accounting server are two separate devices and the two servers have different shared keys, you must set the shared keys for authentication/authorization packets and accounting packets respectively on the switch.
Related command: primary accounting, primary authentication and radius scheme.
Example
# Set the shared key for the RADIUS authentication/authorization packets in RADIUS scheme radius1 to hello.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] key authentication hello
# Set the shared key for the RADIUS accounting packets in RADIUS scheme radius1 to ok.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] key accounting ok
1.2.7 local-server
Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address
View
System view
Parameter
nas-ip ip-address: Specifies the IP address of the local RADIUS server. Where, ip-address is in dotted decimal notation.
key password: Specifies the shared key of the authentication server and access server. Where, password is a character string of up to 16 characters.
Description
Use the local-server command to create a local RADIUS authentication server (that is, set the related parameters of the server).
Use the undo local-server command to delete the specified local RADIUS authentication server.
By default, a local RADIUS authentication server, with NAS-IP 127.0.0.1, has already been created.
Note that:
l The switch not only supports the traditional RADIUS client service to accomplish user AAA management through foreign authentication/authorization server and accounting server, but also provides a simple local RADIUS server function for authentication and authorization. This function is called local RADIUS authentication server function.
l When you use the local RADIUS authentication server function, the UDP port number for the authentication/authorization service must be 1645, the UDP port number for the accounting service is 1646.
l The packet encryption key set by the local-server command with the key password parameter must be identical with the authentication/authorization packet encryption key set by the key authentication command in RADIUS scheme view.
l The switch supports at most 16 IP addresses and shared keys of the network access server (including the default local RADIUS authentication server); that is, when the switch serves as a RADIUS authentication server, it can support at most 16 network access servers simultaneously to provide authentication.
Related command: radius scheme and state.
Example
# Create a network access server granted by the RADIUS authentication server with an IP address of 10.110.1.2 and a shared key of aabbcc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] local-server nas-ip 10.110.1.2 key aabbcc
1.2.8 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS scheme view
Parameter
ip-address: Source IP address for RADIUS packets, an IP address of this device. This address can neither be an all-zero address, class D address or loopback address.
Description
Use the nas-ip command to set the source IP address used by the switch to send RADIUS packets.
Use the undo nas-ip command to remove the source IP address setting.
By default, the IP address of the outbound interface is used as the source IP address of the packet.
& Note:
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view; and the priority of configuration in RADIUS scheme view is higher than in system view.
You can specify the source IP address used to send RADIUS packets to prevent the unreachability of the packets returned from the server due to physical interface trouble. It is recommended to use the loopback interface address as the source IP address.
Related command: radius nas-ip.
Example
# Set the source IP address used by the switch to send the RADIUS packets to 10.1.1.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] nas-ip 10.1.1.1
1.2.9 primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal notation.
port-number: UDP port number, ranging from 1 to 65535. By default, the UDP port for accounting service is 1813.
Description
Use the primary accounting command to set the IP address and port number of the primary RADIUS accounting server.
Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary accounting servers; otherwise, unsuccessful operation is prompted.
l By default, the system defines the RADIUS scheme system, with the IP address of the primary accounting server as 127.0.0.1 and port number as 1646.
Related command: key, radius scheme and state.
Example
# Set the IP address and UDP port number of the primary accounting server of the RADIUS scheme radius1 to 10.110.1.2 and 1813.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813
1.2.10 primary authentication
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal notation.
port-number: UDP port number, ranging from 1 to 65535.
Description
Use the primary authentication command to set the IP address and port number of the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.
By default, the system defines the RADIUS scheme system, with the IP address of the primary accounting server as 127.0.0.1 and UDP port number as 1646; for a newly-defined RADIUS scheme, the IP address of the primary accounting server is 127.0.0.1 and UDP port number is 1812.
Note that:
l After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each kind of server, you can configure two servers in a RADIUS scheme: primary and secondary servers. A RADIUS scheme has the following attributes: IP addresses of the primary and secondary servers, shared keys, and types of the RADIUS servers.
l In an actual network environment, you can configure the above parameters as required. But you should configure at least one authentication/authorization server and one accounting server, and at the same time, you should keep the RADIUS service port settings on the switch consistent with those on the RADIUS servers.
l You are not allowed to assign the same IP address to both primary and secondary authentication/authorization servers; otherwise, unsuccessful operation is prompted
Related command: key, radius scheme and state.
Example
# Set the IP address and UDP port number of the primary authentication/authorization server used by the RADIUS scheme radius1 to 10.110.1.1 and 1812.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812
1.2.11 radius nas-ip
Syntax
radius nas-ip ip-address
undo radius nas-ip
View
System view
Parameter
ip-address: Source IP address, an IP address of this device. This address can be neither an all-zero address, class D address or loopback address.
Description
Use the radius nas-ip command to set the source IP address used by the switch to send RADIUS packets.
Use the undo radius nas-ip command to restore the default setting.
By default, no source IP address is specified, and the IP address of the outbound interface is used as the source IP address of the packet.
& Note:
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view; and the priority of configuration in RADIUS scheme view is higher than in system view.
Note that:
l You can specify the source IP address used to send RADIUS packet to prevent the unreachability of the packets returned from the server due to physical interface trouble. It is recommended to use the loopback interface address as the source IP address.
l You can specify only one source IP address by using this command. When you use this command again, the newly specified source IP address will overwrite the old one.
Related command: nas-ip.
Example
# Set the source IP address used by the switch to send the RADIUS packets to 129.10.10.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius nas-ip 129.10.10.1
1.2.12 radius scheme
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
View
System view
Parameter
radius-scheme-name: Name of the RADIUS scheme, a character string of up to 32 characters.
To avoid the case where the display radius statistics command is shown in a fuzzy matching manner when you enter the display radius keywords, you are not recommended to define iradius-scheme-name as “statistics” or the first several characters.
Description
Use the radius scheme command to create a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete the specified RADIUS scheme.
By default, a RADIUS scheme named "system" has already been created in the system.
Note that:
l All the attributes of the RADIUS scheme "system" take the default values, which you can see by using the display radius scheme command.
l The RADIUS protocol configuration is performed on a RADIUS scheme basis. For each RADIUS scheme, you should specify at least the IP addresses and UDP port numbers of the RADIUS authentication/authorization and accounting servers, and the parameters required for the RADIUS client to interact with the RADIUS servers. You should first create a RADIUS scheme and enter its view before performing other RADIUS protocol configurations.
l A RADIUS scheme can be referenced by multiple ISP domains simultaneously.
l The undo radius scheme command cannot be used to delete the default RADIUS scheme. In addition, you are not allowed to delete a RADIUS scheme which is being used by an online user.
Related command: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius and display radius statistics.
Example
# Create a RADIUS scheme named radius1 and enter its view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1]
1.2.13 reset radius statistics
Syntax
reset radius statistics
View
User view
Parameter
None
Description
Use the reset radius statistics command to clear the statistics about the RADIUS protocol.
Related command: display radius.
Example
# Clear the statistics about the RADIUS protocol.
<Sysname> reset radius statistics
1.2.14 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameter
radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests depending on the specified RADIUS scheme. Where, radius-scheme-name is the name of a RADIUS scheme. This name is a character string of up to 32 characters.
session-id session-id: Deletes the buffered stop-accounting requests depending on the specified session ID. Where, session-id is a character string of up to 50 characters.
time-range start-time stop-time: Deletes the buffered stop-accounting requests depending on the time of the stop-accounting request. Where, start-time is the start time of the request period., the stop-time is the end time of the request period, and both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Deletes the buffered stop-accounting request packets depending on the specified user name. Where, user-name is a character string of up to 80 characters.
Description
Use the reset stop-accounting-buffer command to delete the buffered no-response stop-accounting request packets.
Related command: stop-accounting-buffer enable, retry stop-accounting and display stop-accounting-buffer.
Example
# Delete the stop-accounting request packets buffered in the system for the user user0001@aabbcc.net.
<Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net
# Delete the stop-accounting request packets buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002 in the system.
<Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002
1.2.15 retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Parameter
retry-times: Maximum number of transmission attempts, ranging from 1 to 20 and defaulting to 3.
Description
Use the retry command to set the maximum number of transmission attempts of RADIUS requests.
Use the undo retry command to restore maximum number of transmission attempts of RADIUS requests to default value
Note that:
l The communication in RADIUS is unreliable because this protocol adopts UDP packets to carry data. Therefore, it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires. If the maximum number of transmission attempts is reached but the switch still receives no response, the switch considers that the request fails.
l Appropriately set this maximum number of transmission attempts according to the network situation can improve the reacting speed of the system.
l The product of the retry-times here and the seconds of the timer response-timeout command can be greater than 75.
Related command: radius scheme. timer response-timeout.
Example
# Set the maximum transmission times of RADIUS requests in the RADIUS scheme radius1 to five.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry 5
1.2.16 retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Parameter
retry-times: Maximum number of real-time accounting request attempts, ranging from 1 to 255.
Description
Use the retry realtime-accounting command to set the maximum number of real-time accounting request attempts.
Use the undo retry realtime-accounting command to restore the default maximum number of real-time accounting request attempts.
By default, the system can allow five real-time accounting request attempts at most.
Note that:
l Generally, the RADIUS server uses the connection timeout timer to determine whether a user is online or not. If the RADIUS server receives no real-time accounting packet for a specified period of time, it will consider that the line or the switch is in trouble and stop the accounting of the user. To make the switch cooperate with this feature on the RADIUS server, it is necessary to cut down the user connection on the switch as soon as possible after the RADIUS server terminates the charging and connection of the user in the case of unforeseen trouble. For this purpose, you can limit the number of continuous real-time no-response accounting requests, and the switch will cut down the user connection if it sends out the maximum number of real-time accounting requests but does not receive any response.
l A real-time account request may be sent multiple times (set by the retry command in RADIUS scheme view) for an accounting attempt. If no response is received even after the number of transmission attempts reaches the maximum, the accounting attempt fails. Suppose that the response timeout time of the RADIUS server is three seconds (set by the timer response-timeout command), that the maximum number of transmission attempts (set by the retry command) is 3, and that the real-time accounting interval is 12 minutes (set by the timer realtime-accounting command), the maximum number of real-time accounting request attempts is 5 (set by the retry realtime-accounting command). In this case, the switch sends an accounting request every 12 minutes; if the switch does not receive a response within 3 seconds after it sends out an accounting request, it resends the request; if the switch continuously sends the accounting request for three times but does not receive any response; it considers this real-time accounting a failure. Then, the switch sends the accounting request every 12 minutes; if the number of accounting failures exceeds five, the user connection is cut down. In general, the product of T and retry-times should be less than t.
Related command: radius scheme and timer realtime-accounting.
Example
# Allow the switch to continuously send at most 10 real-time accounting requests if it gets no response for the RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry realtime-accounting 10
1.2.17 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Parameter
retry-times: Maximum number of transmission attempts of the buffered stop-accounting requests, ranging from 10 to 65535 and defaulting to 500.
Description
Use the retry stop-accounting command to set the maximum number of transmission attempts of the stop-accounting requests buffered due to no response.
Use the undo retry stop-accounting command to restore the default maximum number of transmission attempts of the buffered stop-accounting requests.
Stop-accounting requests are critical to billing and will eventually affect the charges of the users; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS accounting server. If the RADIUS server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).
Related command: reset stop-accounting-buffer, radius scheme and display stop-accounting-buffer.
Example
# In RADIUS scheme radius1, specify that the switch can transmit a buffered stop-accounting request at most 1000 times
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] retry stop-accounting 1000
1.2.18 secondary accounting
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal notation. By default, the IP address of the secondary accounting server is 0.0.0.0.
port-number: UDP port number, ranging from 1 to 65535. By default, the UDP port number of the secondary accounting service is 1813.
Description
Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server.
Use the undo secondary accounting command to restore the default IP address and port number of the secondary RADIUS accounting server.
You are not allowed to assign the same IP address to both primary and secondary accounting servers; otherwise, unsuccessful operation is prompted
Related command: key, radius scheme and state.
Example
# Set the IP address and UDP port number of the secondary accounting server of the RADIUS scheme radius1 to 10.110.1.1 and 1813.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
1.2.19 secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal notation. By default, the IP address of the secondary authentication/authorization server is 0.0.0.0.
port-number: UDP port number, ranging from 1 to 65535. By default, the UDP port number of the secondary authentication/authorization service is 1812.
Description
Use the secondary authentication command to set the IP address and port number of the secondary RADIUS authentication/authorization server.
Use the undo secondary authentication command to restore the default IP address and port number of the secondary RADIUS authentication/authorization server.
Related command: key, radius scheme and state.
Example
# Set the IP address and UDP port number of the secondary authentication/authorization server used by the RADIUS scheme radius1 to 10.110.1.2 and 1812.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
1.2.20 server-type
Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Parameter
extended: Specifies to use H3C's private RADIUS protocol (such as the procedure and packet format) to interact with the H3C’s RADIUS server, which is generally the CAMS.
standard: Specifies to use the standard RADIUS protocol. That is, it is required that the RADIUS client (on the switch) and the RADIUS server interact with each other following the procedure and packet format of the standard RADIUS protocol (RFC2138/2139 or above).
Description
Use the server-type command to specify the RADIUS server type supported by the switch.
Use the undo server-type command to restore the default RADIUS server type supported by the switch.
By default, the switch supports the standard type of RADIUS server. The type of RADIUS server in the default RADIUS scheme "system" is extended.
Related command: radius scheme.
Example
# Set the RADIUS server type in RADIUS scheme radius1 to extended.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] server-type extended
1.2.21 state
Syntax
state { primary | secondary } { accounting | authentication } { block | active }
View
RADIUS scheme view
Parameter
primary: Specifies the server to be set is a primary RADIUS server.
secondary: Specifies the server to be set is a secondary RADIUS server.
accounting: Specifies the server to be set is a RADIUS accounting server.
authentication: Specifies the server to be set is a RADIUS authentication/authorization server.
block: Sets the status of the specified RADIUS server to block (that is, the down state).
active: Sets the status of the specified RADIUS server to active (that is, the normal working state).
Description
Use the state command to set the status of a RADIUS server.
By default, all the RADIUS servers in a user-defined RADIUS scheme are in the active state;
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme, note that:
l When the switch fails to communicate with the primary server due to some server trouble, the switch will actively exchange packets with the secondary server.
l After the time the primary server keeps in the block state exceeds the time set with the timer quiet command, the switch will try to communicate with the primary server again when it has a RADIUS request. If the primary server recovers, the switch immediately restores the communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server on the switch to the active state while keeping the status of the secondary server unchanged.
l When both the primary and secondary servers are in the active state, the switch sends packets only to the primary server.
Related command: radius scheme, primary authentication, secondary authentication, primary accounting and secondary accounting.
Example
# Set the status of the secondary authentication server in RADIUS scheme radius1 to active.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] state secondary authentication active
1.2.22 stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Parameter
None
Description
Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that bring no response.
Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that bring no response.
By default, the switch is enabled to buffer the stop-accounting requests that bring no response.
Stop-accounting requests are critical to billing and will eventually affect the charges; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS server. If the RADIUS accounting server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).
Related command: reset stop-accounting-buffer, radius scheme and display stop-accounting-buffer.
Example
# Enable the switch to buffer the stop-accounting requests that bring no response from the servers in RADIUS scheme radius1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] stop-accounting-buffer enable
1.2.23 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Parameter
minutes: Wait time, ranging from 1 minute to 255 minutes. By default, it is 5 minutes.
Description
Use the timer quiet command to set the wait time for the primary server to restore the active state.
Use the undo timer quiet command to restore the default wait time.
Related command: display radius.
Example
# Set the wait time for the primary server to restore the active state to 10 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer quiet 10
1.2.24 timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS scheme view
Parameter
minutes: Real-time accounting interval. It ranges from 3 minutes to 60 minutes and must be a multiple of 3. By default, this interval is 12 minutes.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default real-time accounting interval.
Note that:
l To charge the users in real time, you should set the interval of real-time accounting. After the setting, the switch sends the accounting information of online users to the RADIUS server at regular intervals.
l The setting of the real-time accounting interval depends to some degree on the performance of the switch and the RADIUS server. The higher the performance of the switch and the RADIUS server is, the shorter the interval can be. You are recommended to set the interval as long as possible when the number of users is relatively great (¦1000). lists the numbers of users and the corresponding recommended intervals.
Table 1-4 Numbers of users and corresponding recommended intervals
|
Number of users |
Real-time accounting interval |
|
1 to 99 |
3 |
|
100 to 499 |
6 |
|
500 to 999 |
12 |
|
¦1000 |
¦15 |
Related command: retry realtime-accounting and radius scheme.
Example
# Set the real-time accounting interval of the RADIUS scheme radius1 to 51 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer realtime-accounting 51
1.2.25 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Parameter
seconds: Response timeout time of RADIUS servers, ranging from 1 second to 10 seconds.
Description
Use the timer response-timeout command to set the response timeout time of RADIUS servers.
Use the undo timer response-timeout command to restore the default response timeout timer of RADIUS servers.
By default, the response timeout time of the RADIUS server is 3 seconds.
Note that:
l If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called response timeout time of RADIUS servers; and the timer in the switch system that is used to control this time is called the response timeout timer of RADIUS servers. You can use the timer response-timeout command to set the timeout time of this timer.
l Appropriately setting the timeout time of this timer according to the network situation can improve the performance of the system.
l The product of the seconds here and the retry-times of the retry command can be greater than 75.
Related command: radius scheme and retry.
Example
# Set the response timeout time in the RADIUS scheme radius1 to five seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] timer response-timeout 5
1.2.26 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS scheme view
Parameter
with-domain: Specifies to include ISP domain names in the user names to be sent to RADIUS servers.
without-domain: Specifies to exclude ISP domain names from the user names to be sent to RADIUS servers.
Description
Use the user-name-format command to set the format of the user names to be sent to RADIUS server
By default, except for the default RADIUS scheme "system", the user names sent to RADIUS servers in any RADIUS scheme carry ISP domain names.
Note that:
l Generally, an access user is named in the userid@isp-name format. Where, isp-name behind the @ character represents the ISP domain name, by which the device determines which ISP domain it should ascribe the user to. However, some old RADIUS servers cannot accept the user names that carry ISP domain names. In this case, it is necessary to remove the domain names carried in the user names before sending the user names to the RADIUS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.
l For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the user names sent to it are the same).
Related command: radius scheme.
Example
# Specify that the user names sent to a RADIUS server in RADIUS scheme radius1 does not carry ISP domain names.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme radius1
New Radius scheme
[Sysname-radius-radius1] user-name-format without-domain
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format { data | packet }
View
HWTACACS view
Parameter
data: Sets data unit.
byte: Sets 'byte' as the unit of data flow.
giga-byte: Sets 'giga-byte' as the unit of data flow.
kilo-byte: Sets 'kilo-byte' as the unit of data flow.
mega-byte: Sets 'mega-byte' as the unit of data flow.
packet: Sets data packet unit.
giga-packet: Sets 'giga-packet' as the unit of packet flow.
kilo-packet: Sets 'kilo-packet' as the unit of packet flow.
mega-packet: Sets 'mega-packet' as the unit of packet flow.
one-packet: Sets 'one-packet' as the unit of packet flow.
Description
Use the data-flow-format command to configure the unit of data flows sent to the TACACS server.
Use the undo data-flow-format command to restore the default.
By default, the data unit is byte and the data packet unit is one-packet.
Related command: display hwtacacs.
Example
# Set the unit of data flow destined for the HWTACACS server to kilo-byte and the data packet unit to kilo-packet.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname- hwtacacs-hwt1] data-flow-format data kilo-byte
[Sysname- hwtacacs-hwt1] data-flow-format packet kilo-packet
1.3.2 display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
View
Any view
Parameter
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.
statistics: Displays complete statistics about the HWTACACS server.
Description
Use the display hwtacacs command to view configuration or statistics information of specified or all HWTACACS schemes.
Related command: hwtacacs scheme.
Example
# View configuration information of HWTACACS scheme gy.
<Sysname> display hwtacacs gy
--------------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 0.0.0.0:0
Primary-authorization-server : 0.0.0.0:0
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 0.0.0.0:0
Current-authorization-server : 0.0.0.0:0
Current-accounting-server : 0.0.0.0:0
Nas-IP address : 0.0.0.0
key authentication : -
key authorization : -
key accounting : -
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Domain-included : Yes
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------------
Total 1 HWTACACS scheme(s),1 listed
1.3.3 display stop-accounting-buffer
Syntax
display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered stop-accounting requests according to the HWTACACS scheme specified by hwtacacs-scheme-name, the name of HWTACACS scheme, a character string of up to 32 characters.
session-id session-id: Displays information on buffered stop-accounting requests according to the session ID specified by session-id, a character string of up to 50 characters.
time-range start-time stop-time: Displays information on buffered stop-accounting requests according to the request time, where, start-time is the start time of the stop-accounting request; stop-time is the end time of stop-accounting request. This argument is in the format hh:mm:ss - mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd and is used to display the buffered stop-accounting requests from the start time to the end time.
user-name user-name: Displays information on buffered stop-accounting requests according to the user name specified by user-name, a character string of up to 80 characters,
Description
Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the switch.
Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.
Example
# Display the stop-accounting requests buffered in the HWTACACS scheme “hwt1".
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1
1.3.4 hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameter
ip-address: Specifies a source IP address for the switch, which cannot be an all-zero address, class D address or loopback address.
Description
Use the hwtacacs nas-ip command to specify the source address of the hwtacacs packet sent from NAS.
Use the undo hwtacacs nas-ip command to restore the default setting.
By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.
Note that:
l By specifying the source address of the hwtacacs packet, you can avoid destination unreachable packets as returned from the server upon interface failure. The source address is normally recommended to be a loopback interface address.
l This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.
l The nas-ip command in HWTACACS scheme view only takes effect for the current HWTACACS scheme, while that in system view is for all HWTACACS schemes. The former one takes priority in implementation.
Related command: nas-ip.
Example
# Configure the router to send hwtacacs packets from 129.10.10.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs nas-ip 129.10.10.1
1.3.5 hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Parameter
hwtacacs-scheme-name: Specifies an HWTACACS server scheme, with a character string of up to 32 characters.
Description
Use the hwtacacs scheme command to create an HWTACACS scheme and enter its view.
Use the undo hwtacacs scheme command to delete the HWTACACS scheme.
By default, no HWTACACS scheme exists.
Example
# Create an HWTACACS scheme named "hwt1" and enter the relevant HWTACACS view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
1.3.6 key
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization }
View
HWTACACS scheme view
Parameter
accounting: Specifies a shared key for the accounting server.
authentication: Specifies a shared key for the authentication server.
authorization: Specifies a shared key for the authorization server.
string: Shared key, a string up to 16 characters.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.
Use the undo key command to delete the configuration.
By default, no key is set for any HWTACACS server.
Related command: display hwtacacs.
Example
# Use hello as the shared key for HWTACACS accounting packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
1.3.7 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Parameter
ip-address: Specified source IP address which cannot be an all-zero address, class D address or loopback address.
Description
Use the nas-ip command to specify the source address for sending HWTACACS packets.
Use the undo nas-ip command to restore the default setting.
Note that:
l By specifying the source address of the hwtacacs packet, you can avoid destination unreachable packets as returned from the server upon interface failure. The source address is normally recommended to be a loopback interface address.
l This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.
l The nas-ip command in HWTACACS scheme view only takes effect for the current HWTACACS scheme, while that in system view is for all HWTACACS schemes. The former one takes priority in implementation.
Related command: hwtacacs nas-ip.
Example
# Set the source IP address of the HWTACACS packets to 10.1.1.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
1.3.8 primary accounting
Syntax
primary accounting ip-address [ port ]
undo primary accounting
View
HWTACACS scheme view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the primary accounting server is 0.0.0.0.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary accounting command to configure a primary HWTACACS accounting server.
Use the undo primary accounting command to delete the configured primary HWTACACS accounting server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary accounting servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Example
# Configure a primary accounting server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49
1.3.9 primary authentication
Syntax
primary authentication ip-address [ port ]
undo primary authentication
View
HWTACACS scheme view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the primary authentication server is 0.0.0.0.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authentication command to configure a primary HWTACACS authentication server.
Use the undo primary authentication command to delete the configured authentication server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary authentication servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related command: display hwtacacs.
Example
# Configure a primary authentication server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
1.3.10 primary authorization
Syntax
primary authorization ip-address [ port ]
undo primary authorization
View
HWTACACS scheme view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the primary authentication server is 0.0.0.0.
port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authorization command to configure a primary HWTACACS authorization server.
Use the undo primary authorization command to delete the configured primary authorization server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary authorization servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related command: display hwtacacs.
Example
# Configure a primary authorization server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49
1.3.11 reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }
View
User view
Parameter
accounting: Clears all the HWTACACS accounting statistics.
authentication: Clears all the HWTACACS authentication statistics.
authorization: Clears all the HWTACACS authorization statistics.
all: Clears all statistics.
Description
Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.
Related command: display hwtacacs.
Example
# Clear all HWTACACS protocol statistics.
<Sysname> reset hwtacacs statistics all
1.3.12 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Configures to delete the stop-accounting requests from the buffer according to the specified HWTACACS scheme name. The hwtacacs-scheme-name specifies the HWTACACS scheme name with a character string of up to 32 characters.
session-id session-id: Displays information on buffered stop-accounting requests according to the session ID specified by session-id, a character string of up to 50 characters.
time-range start-time stop-time: Displays information on buffered stop-accounting requests according to the request time, where, start-time is the start time of the stop-accounting request; stop-time is the end time of stop-accounting request. This argument is in the format hh:mm:ss - mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd and is used to display the buffered stop-accounting requests from the start time to the end time.
user-name user-name: Displays information on buffered stop-accounting requests according to the user name specified by user-name, a character string of up to 80 characters,
Description
Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the switch.
Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Example
# Delete the buffered stop-accounting requests that are according to the HWTACACS scheme “hwt1”.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1
1.3.13 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Parameter
retry-times: Maximum number of real-time stop-accounting request attempts. It is in the range 1 to 300 and defaults to 100.
Description
Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.
Use the undo retry stop-accounting command to restore the default setting.
By default, stop-accounting packet retransmission is enabled and has 100 attempts for each request.
Related command: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.
Example
# Enable stop-accounting packet retransmission and allow up to 50 attempts for each request.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50
1.3.14 secondary accounting
Syntax
secondary accounting ip-address [ port ]
undo secondary accounting
View
HWTACACS scheme view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the secondary accounting server is 0.0.0.0.
port: Port number of the server, which is in the range of 1 to 65535 and defaults to 49.
Description
Use the secondary accounting command to configure a secondary HWTACACS accounting server.
Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary accounting servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an accounting server only when it is not being used by any active TCP connections.
Example
# Configure a secondary accounting server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49
1.3.15 secondary authentication
Syntax
secondary authentication ip-address [ port ]
undo secondary authentication
View
HWTACACS scheme view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the secondary authentication server is 0.0.0.0.
port: Port number of the server, which is in the range of 1 to 65535 and defaults to 49.
Description
Use the secondary authentication command to configure a secondary HWTACACS authentication server.
Use the undo secondary authentication command to delete the configured secondary authentication server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary authentication servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authentication server only when it is not being used by any active TCP connections.
Related command: display hwtacacs.
Example
# Configure a secondary authentication server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49
1.3.16 secondary authorization
Syntax
secondary authorization ip-address [ port ]
undo secondary authorization
View
HWTACACS scheme view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the secondary authorization server is 0.0.0.0.
port: Port number of the server, in the range of 1 to 65535. By default, it is 49.
Description
Use the secondary authorization command to configure a secondary HWTACACS authorization server.
Use the .undo secondary authorization command to delete the configured secondary authorization server.
Note that:
l You are not allowed to assign the same IP address to both primary and secondary authorization servers.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authorization server only when it is not being used by any active TCP connections.
Related command: display hwtacacs.
Example
# Configure the secondary authorization server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49
1.3.17 stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
HWTACACS scheme view
Parameter
None
Description
Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that bring no response.
Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that bring no response.
By default, the switch is enabled to buffer the stop-accounting requests that bring no response.
Stop-accounting requests are critical to billing and will eventually affect the charges; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS server. If the RADIUS accounting server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).
Related command: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Example
# Enable the switch to buffer the stop-accounting requests that bring no response from the servers in HWTACACS scheme hwt1.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
1.3.18 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Parameter
minutes: Length of the timer in minutes, in the range of 1 to 255. By default, the primary server must wait five minutes before it resumes the active state.
Description
Use the timer quiet command to set the duration that a primary server must wait before it can resume the active state.
Use the undo timer quiet command to restore the default (five minutes).
Related command: display hwtacac.
Example
# Set the quiet timer for the primary server to ten minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
1.3.19 timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS scheme view
Parameter
minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.
Description
Use the timer realtime-accounting command to configure a real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
By default, the real-time accounting interval is 12 minutes.
Note that:
l Real-time accounting interval is necessary for real-time accounting. After an interval value is set, the switch transmits the accounting information of online users to the TACACS accounting server at intervals of this value.
l The setting of real-time accounting interval depends somewhat on the performance of the switch and the TACACS server: A shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (more than 1000, inclusive). The following table recommends the real-time accounting intervals for different numbers of users.
Table 1-5 Recommended intervals for different numbers of users
|
Number of users |
Real-time accounting interval (minute) |
|
1 – 99 |
3 |
|
100 – 499 |
6 |
|
500 – 999 |
12 |
|
≥1000 |
≥15 |
Example
# Set the real-time accounting interval in the HWTACACS scheme “hwt1” to 51 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
1.3.20 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Parameter
seconds: Length of the response timer in seconds. It ranges from 1 to 300 and defaults to 5.
Description
Use the timer response-timeout command to set the response timeout timer of the TACACS server.
Use the undo timer response-timeout command to restore the default (five seconds).
As the HWTACACS is based on TCP, either the server response timeout and/or the TCP timeout may cause disconnection to the TACACS server.
Related command: display hwtacacs.
Example
# Set the response timeout time of the TACACS server to 30 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
1.3.21 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS scheme view
Parameter
with-domain: Specifies to send the username with a domain name to the TACACS server.
without-domain: Specifies to send the username without any domain name to the TACACS server.
Description
Use the user-name-format command to configure the username format sent to the TACACS server.
By default, an HWTACACS scheme acknowledges that the username sent to it includes an ISP domain name.
Note that:
l The supplicants are generally named in userid@isp-name format. The part following the @ sign is the ISP domain name, according to which the switch assigns a user to the corresponding ISP domain. However, some earlier TACACS servers reject the user name including an ISP domain name. In this case, the user name is sent to the TACACS server after its domain name is removed. Accordingly, the switch provides this command to decide whether the username sent to the TACACS server carries an ISP domain name or not.
l If a HWTACACS scheme is configured to reject usernames including ISP domain names, the TACACS scheme shall not be simultaneously used in more than one ISP domains. Otherwise, the TACACS server will regard two users in different ISP domains as the same user by mistake, if they have the same username. (excluding their respective domain names.)
Related command: hwtacacs scheme.
Example
# Specify to send the username without any domain name to the HWTACACS scheme "hwt1".
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
