- H3C S7500 Series Command Manual(Release 3100 Series)-(V1.04)
19-AAA-RADIUS-HWTACACS-EAD Commands
Table of Contents
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.11 local-user password-display-mode
1.2 RADIUS Configuration Commands
1.2.4 display local-server statistics
1.2.6 display radius statistics
1.2.7 display stop-accounting-buffer
1.2.15 reset radius statistics
1.2.16 reset stop-accounting-buffer
1.2.18 retry realtime-accounting
1.2.21 secondary authentication
1.2.24 stop-accounting-buffer enable
1.2.27 timer realtime-accounting
1.3 HWTACACS Configuration Commands
1.3.3 display stop-accounting-buffer
1.3.11 reset hwtacacs statistics
1.3.12 reset stop-accounting-buffer
1.3.15 secondary authentication
1.3.16 secondary authorization
1.3.17 stop-accounting-buffer enable
1.3.19 timer realtime-accounting
Chapter 2 EAD Configuration Commands
2.1 EAD Configuration Commands
Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameters
disable: Specifies not to limit the number of access users that can be contained in current ISP domain.
enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain. The value of max-user-number ranges from 1 to 4,120.
Description
Use the access-limit command to set the maximum number of access users that can be contained in current ISP domain.
Use the undo access-limit command to restore the default setting.
By default, the number of access users that can be contained in current ISP domain is not limited.
Because resource contention may occur between access users, there is a need to properly limit the number of access users in an ISP domain to provide reliable performance for the users in the ISP domain.
Examples
# Allow ISP domain aabbcc.net to contain up to 500 access users.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] access-limit enable 500
1.1.2 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameters
ip: Sets the IP address to which the user is bound.
mac: Sets the MAC address to which the user is bound. mac-address is in dash-delimited hexadecimal notation, that is, in the H-H-H format.
idle-cut second: Allows or disallows the local user to enable the idle-cut function (the parameters used for idle-cut operation come from the configuration of the ISP domain). The second argument is the idle time (in seconds) after which the connection is cut down. It ranges from 60 to 7,200.
access-limit max-user-number: Sets the maximum number of users who can access the switch with current user name. The value of max-user-number ranges from 1 to 4,096.
vlan vlan-id: Sets the VLAN to which the user is bound; that is, sets which VLAN the user belongs to. vlan-id is an integer ranging from 1 to 4,094.
location: Sets the port binding attribute of the user.
nas-ip ip-address: Sets the IP address of the access server to which the user is bound. ip-address is in dotted decimal notation and is 127.0.0.1 (representing this device) by default.
port port-number: Sets the port that is bound to the user. port-number is in the format of "slot number subslot number port number". If the bound port has no subslot number, just input 0 for this argument.
Description
Use the attribute command to set the attributes of a local user.
Use the undo attribute command to cancel attribute settings of the local user.
Note that, if the user is bound to a remote port, make sure you specify the nas-ip keyword. If the user is bound to a local port, you need not specify the nas-ip keyword.
Note:
If the accounting optional switch is turned on (with the accounting optional command) in the ISP domain to which the local user belongs or the RADIUS scheme referenced by the ISP, you cannot limit the number of accesses by the local user. That is, in such a case, the attribute access-limit command does not take effect.
Related commands: display local-user.
Examples
# Set the IP address of aabbcc to 10.110.50.1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user aabbcc
[H3C-luser-aabbcc] attribute ip 10.110.50.1
1.1.3 cut connection
Syntax
cut connection { all | access-type dot1x | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }
View
System view
Parameters
all: Cuts down all user connections
access-type dot1x: Cuts down all 802.1x user connections.
domain isp-name: Cuts down all user connections in the specified ISP domain. isp-name is the name of an ISP domain. It is a string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Cuts down all user connections to the specified port.
ip ip-address: Cuts down the connection of the user with the specified IP address.
mac mac-address: Cuts down the user connection with the specified MAC address. mac-address is in dash-delimited hexadecimal notation, that is, in the H-H-H format.
radius-scheme radius-scheme-name: Cuts down all user connections using the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
vlan vlan-id: Cuts down all user connections of the specified VLAN. vlan-id ranges from 1 to 4,094.
ucibindex ucib-index: Cuts down the user connection with the specified connection index. The value of ucib-index ranges from 0 to 4,119.
user-name user-name: Cuts down the user connection of the specified user. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) can contain no more than 55 characters.
Description
Use the cut connection command to cut down one user connection or one type of user connections.
This command is available for 802.1x users only. You cannot use this command to cut down the connections of Telnet, FTP or SFTP users.
Related commands: display connection.
Examples
# Cut down all the 802.1x user connections in the ISP domain named aabbcc.net.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] cut connection domain aabbcc.net
1.1.4 display connection
Syntax
display connection [ access-type dot1x | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameters
access-type dot1x: Displays all the 802.1x user connections.
domain isp-name: Displays all user connections in the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
interface interface-type interface-number: Displays all user connections on the specified port.
ip ip-address: Displays all user connections with the specified IP address.
mac mac-address: Displays the connection of the user with the specified MAC address. mac-address is in dash-delimited hexadecimal notation (in the form of H-H-H).
radius-scheme radius-scheme-name: Displays all user connections using the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
vlan vlan-id: Displays all user connections of the specified VLAN. The value of vlan-id ranges from 1 to 4,094.
ucibindex ucib-index: Displays the user connection with the specified connection index.
user-name user-name: Displays the user connection with the specified user name. user-name is a character string of up to 32 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) can contain no more than 24 characters.
Description
Use the display connection command to display information about the specified user connection or all user connections, so as to troubleshoot user connections.
If you execute this command without specifying any argument, all user connections will be displayed.
You cannot use this command to display the connection information about FTP or SFTP users.
Related commands: cut connection.
Examples
# Display information about all 802.1x user connections.
<H3C> display connection
Total 0 connections matched ,0 listed.
1.1.5 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameters
isp-name: Name of an ISP domain, a character string of up to 24 characters. This must be the name of an existing ISP domain.
Description
Use the display domain command to display the configuration information about one specific or all the ISP domains.
If you execute this command without specifying any argument, the configuration of all the ISP domains will be displayed.
The output information helps with ISP domain diagnosis and troubleshooting.
Related commands: access-limit, domain, radius-scheme, user-template, state, display domain.
Examples
# Display the configuration information about all the ISP domains.
<H3C> display domain
0 Domain = system
State = Active
Scheme = LOCAL
Access-limit = Disable
Vlan-assignment-mode = Integer
accounting-mode = time
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Messenger Time = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
Table 1-1 describes the fields shown in the display.
Table 1-1 Description on the fields of the display domain command
Field | Description
---|---
0 Domain | ISP domain index and domain name
State | State of the ISP domain
Scheme | AAA scheme used by the domain: LOCAL (local authentication), NONE (no authentication), or RADIUS scheme name
Access-limit | Limit on the number of access users
Vlan-assignment-mode | Dynamic VLAN assignment mode: integer or string
accounting-mode | Accounting mode: time (time-based accounting) or traffic (traffic-based accounting)
Domain User Template | Domain user template
Idle-cut | State of the idle-cut function. Disable means the idle-cut function is disabled; enable means the function is enabled.
Self-service | URL of the self-service server. Disable means the self-service server location function is disabled. After the self-service server location function is enabled, the URL of the configured self-service server is displayed.
Messenger Time | State of the messenger time service. Disable means the messenger time service is disabled. After the messenger time service is configured, the time and interval of the prompt messages are displayed.
1.1.6 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { enable | disable } | service-type { telnet | ftp | ssh | terminal | lan-access } | state { active | block } | user-name user-name | vlan vlan-id ]
View
Any view
Parameters
domain isp-name: Displays all the local users who belong to the specified ISP domain. isp-name is the name of an ISP domain, a character string of up to 24 characters. You can only specify an existing ISP domain.
idle-cut: Displays the local users who are inhibited from enabling the idle-cut function, or the local users who are allowed to enable the idle-cut function. disable specifies the inhibited local users and enable specifies the allowed local users. This keyword only applies to the users configured with lan-access service. For users configured with any other type of service, the display local-user idle-cut enable and display local-user idle-cut disable commands do not output any user information.
service-type: Displays the local users of the specified type. You can specify one of the following user types: telnet, ftp, lan-access (generally, this type of user is an Ethernet access user, for example, an 802.1x user), ssh, terminal (this type of user is a terminal user who logs into the switch through the Console port).
state { active | block }: Displays the local users in the specified state. active represents the users allowed to request network services, and block represents the users inhibited to request network services.
user-name user-name: Displays the local user who has the specified user name. user-name is a character string of up to 80 characters. The string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) can contain no more than 55 characters.
vlan vlan-id: Displays the local users belonging to the specified VLAN. The value of vlan-id ranges from 1 to 4,094.
Description
Use the display local-user command to display information about a specific or all local users, so as to troubleshoot local user configuration.
By default, this command displays the information about all local users.
Related commands: local-user, service-type.
Examples
# Display information about all the local users.
<H3C> display local-user
The contents of local user user1:
State: Active ServiceType Mask: T
Idle-cut: Disable
Access-limit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
User Privilege: 0
Total 1 local user(s) Matched, 1 listed.
Table 1-2 describes the fields in the above display output.
Table 1-2 Description on the fields of the display local-user command
Field | Description
---|---
State | State of the local user
ServiceType Mask | Service type mark of the local user: T: Telnet; S: SSH; C: Terminal service; LM: lan-access; F: FTP; None: No service type is set.
Idle Cut | State of the idle-cut function
Access-limit | Limit on the number of access users
Bind location | Whether or not bound to a port
VLAN ID | VLAN of the user
IP address | IP address of the user
MAC address | MAC address of the user
User Privilege | User privilege
1.1.7 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameters
isp-name: Name of an ISP domain, a character string of up to 24 characters. This string cannot contain the following characters: /:*?<>.
default enable isp-name: Specifies the default ISP domain.
disable: Restores the default ISP domain system.
Description
Use the domain command to create an ISP domain or enter the view of an existing ISP domain.
Use the undo domain command to delete a specified ISP domain.
The default ISP domain is system.
An ISP domain is an ISP user group comprising the users of the same ISP. Normally, in a username (such as userid@aabbcc.net) in the userid@isp-name format, isp-name (such as aabbcc.net in the above example) after "@" is the name of the ISP domain. When implementing access control, for ISP users with the name format userid@isp-name, an H3C series Ethernet switch uses userid as the username for authentication and uses isp-name as the domain name.
ISP domains are intended to support a multi-ISP application environment where an access device may be accessed by users of different ISPs. The user attributes, such as username/password composition and service type/privilege, of ISP users may vary. Therefore, it is necessary to distinguish between them by setting ISP domains. You can configure a complete set of independent ISP domain attributes, including AAA schemes (such as the RADIUS scheme used), for each ISP domain in ISP domain view.
For the switch, each access user belongs to an ISP domain.
You can configure up to 16 ISP domains in the system. If the specified ISP domain does not exist when you issue this command, the system creates a new ISP domain. An ISP domain is active immediately after being created.
Related commands: access-limit, scheme, state, display domain.
Examples
# Create an ISP domain named aabbcc.net and enter its view.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net]
1.1.8 idle-cut
Syntax
idle-cut { disable | enable minute flow }
View
ISP domain view
Parameters
disable: Inhibits users from enabling the idle-cut function.
enable: Allows users to enable the idle-cut function.
minute: Maximum idle time, ranging from 1 minute to 120 minutes.
flow: Minimum data flow, ranging from 1 byte to 10,240,000 bytes (10 M).
Description
Use the idle-cut command to set the user idle-cut function in current ISP domain.
By default, after an ISP domain is created, the idle-cut function in its user template is disabled.
A user template is a set of default user attributes. If a user requesting a network service does not possess a required attribute, the attribute in the specified user template is used as the user's default attribute. If neither the user nor the RADIUS server specifies whether the idle-cut function is enabled, the idle-cut state of the user template is used as that of the user.
A user template applies to only one ISP domain. Therefore, you need to configure different user template attributes for users in different ISP domains.
Related commands: domain.
Examples
# Allow users in ISP domain aabbcc.net to enable the idle-cut attribute in user template (that is, allow the user to use the idle-cut function), with the maximum idle time of 50 minutes and the minimum data flow of 500 bytes.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] idle-cut enable 50 500
1.1.9 level
Syntax
level level
undo level
View
Local user view
Parameters
level: Priority level of the user. It is an integer ranging from 0 to 3 and defaulting to 0.
Description
Use the level command to set the priority level of the user.
Use the undo level command to restore the default priority level of the user.
Note:
The commands that a user can access after login are determined by the priority level of the user and the level set on the user interface. If the two levels are different:
- The command level that a user passing AAA/RADIUS authentication can access is determined by the priority level of the user. For example, if the priority level of a user is 3 and the command level set on the VTY 0 user interface is 1, the user can access the commands under level 3 after logging in to the system from VTY 0.
- The command level that a user passing RSA authentication can access is determined by the level set on the user interface.
Examples
# Set the user level to 3.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user aabbcc
[H3C-luser-aabbcc] level 3
1.1.10 local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { telnet | ftp | lan-access | ssh | terminal } ] }
View
System view
Parameters
user-name: Name of a local user, a character string of up to 80 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure user name (user ID, that is, the part before @) cannot be longer than 55 characters. The local user name is case insensitive; for example, the system considers UserA and usera as the same user.
service-type: Specifies the local users of the specified type. You can specify one of the following user types: telnet, ftp, lan-access (generally, this type of user is an Ethernet access user, for example, an 802.1x user), ssh, and terminal (this type of user is a terminal user who logs into the switch through the Console port).
all: Specifies all the local users.
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to delete one or more specified local users.
By default, there is no local user in the system.
Related commands: display local-user, service-type.
Examples
# Add a local user named aabbcc.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user aabbcc
[H3C-luser-aabbcc]
1.1.11 local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameters
cipher-force: Adopts the forcible cipher mode; that is, the passwords of all the local users must be displayed in cipher text.
auto: Adopts the automatic mode; that is, the passwords of local users are displayed in the modes set with the password command.
Description
Use the local-user password-display-mode command to set the password display mode of all the local users.
Use the undo local-user password-display-mode command to restore the default password display mode of all the local users.
When the cipher-force mode is adopted, all passwords will be displayed in cipher text even though some users have specified to display their passwords in plain text by using the password command with the simple keyword.
By default, the password display mode of all access users is auto.
Related commands: display local-user, password.
Examples
# Specify to display all the local user passwords in cipher text.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user password-display-mode cipher-force
1.1.12 messenger
Syntax
messenger time { enable limit interval | disable }
undo messenger time
View
ISP domain view
Parameters
limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit.
interval: Interval at which to send prompt messages (in minutes). This argument ranges from 5 to 60 and must be a multiple of 5.
Description
Use the messenger time enable command to enable the messenger function and set the related parameters.
Use the messenger time disable command to disable the messenger function.
Use the undo messenger time command to restore the messenger function to its default state.
By default, the messenger function is disabled on the switch.
The purpose of this function is to remind online users of their remaining online time through clients in the form of message dialog.
The messenger function is implemented as follows:
- You can use the messenger time enable command to set a remaining online time limit and the interval to send prompt messages.
- After that, the switch regularly sends prompt messages at the set interval to the clients of the users whose remaining online time is less than the set limit.
- The clients inform the users of their remaining online time in the form of message dialog.
Examples
# Enable the switch to send prompt messages every five minutes to users after their remaining online time is less than 30 minutes.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain system
New Domain added.
[H3C-isp-system] messenger time enable 30 5
1.1.13 name
Syntax
name string
undo name
View
VLAN view
Parameters
string: VLAN name for VLAN assignment, a character string of up to 32 characters.
Description
Use the name command to set a VLAN name, which will be used for VLAN assignment.
Use the undo name command to cancel the VLAN name.
By default, a VLAN uses its VLAN ID (like VLAN 0001) as its name.
This command is used for the dynamic VLAN assignment function. For details about this function, refer to the vlan-assignment-mode command.
Related commands: dot1x guest-vlan, vlan-assignment-mode.
Examples
# Set the name of VLAN 100 to test.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 100
[H3C-vlan100] name test
1.1.14 password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameters
simple: Specifies to display the password in plain text.
cipher: Specifies to display the password in cipher text.
password: Password you want to set, a character string.
- For simple mode, the password must be in plain text.
- For cipher mode, the password can be either in cipher text or in plain text, depending on your input.
A password in plain text can be a string of up to 16 consecutive characters, for example, aabbcc918. A password in cipher text must be 24 characters in length, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
Description
Use the password command to set a password for the local user.
Use the undo password command to cancel the password configured.
Note that, after the local-user password-display-mode cipher-force command is executed, the password will be displayed in cipher text even if you use the password command to set the password to be displayed in plain text, that is, in the simple mode.
Related commands: display local-user.
Examples
# Set the password of a user named aabbcc to 20030422 and specify to display the password in plain text.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user aabbcc
[H3C-luser-aabbcc] password simple 20030422
1.1.15 radius-scheme
Syntax
radius-scheme radius-scheme-name
View
ISP domain view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.
Description
Use the radius-scheme command to specify the RADIUS scheme to be used by current ISP domain.
Once an ISP domain is created, it uses the local AAA scheme instead of any RADIUS scheme by default.
The RADIUS scheme you specified in the radius-scheme command must be an existing scheme. This command is equivalent to the scheme command.
Related commands: radius scheme, display radius.
Examples
# Specify the scheme scheme1 as the RADIUS scheme to be used by current ISP domain aabbcc.net.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] radius-scheme scheme1
1.1.16 scheme
Syntax
scheme { radius-scheme radius-scheme-name [ local ] | local | none }
undo scheme [ radius-scheme | none ]
View
ISP domain view
Parameters
radius-scheme-name: Name of a RADIUS scheme referenced, a character string of up to 32 characters.
local: Specifies to use local authentication.
none: Specifies not to perform authentication.
Description
Use the scheme command to specify the AAA scheme used by current ISP domain.
Use the undo scheme command to restore the default AAA scheme used by the ISP domain.
By default, the ISP domain uses the local AAA scheme.
If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme becomes the secondary scheme, used only when the RADIUS server does not respond normally. That is, if the communication between the switch and the RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed. If you configure a RADIUS scheme without the local keyword, no local authentication is performed after RADIUS authentication fails.
If the AAA scheme is specified as local, the system uses local authentication only and performs no RADIUS authentication. Likewise, the none scheme performs no RADIUS authentication.
You can also configure the RADIUS scheme used by the ISP domain by using the radius-scheme command.
Related commands: radius scheme, display radius.
Examples
# Specify the RADIUS scheme scheme1 as the AAA scheme referenced by the ISP domain aabbcc.net.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] scheme radius-scheme scheme1
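The following Python is an added example, not H3C code. It models the behaviour described under the domain command (splitting userid@isp-name, the default domain system, the user-name character and length rules) together with the state, access-limit and scheme commands (RADIUS with local authentication as a fallback only when the server does not respond). The RADIUS and local backends, the domains ddeeff.net and blocked.net, and the user records are constructed for the demonstration.

```python
"""Added example (not H3C code): a model of the ISP-domain AAA resolution this
chapter describes. Backends, domains and user records below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FORBIDDEN = set("/:*?<>")   # characters a user name or ISP domain name may not contain
MAX_USERNAME = 80           # full user name (local-user, cut connection)
MAX_USERID = 55             # pure user name, the part before '@'
MAX_DOMAIN = 24             # ISP domain name
DEFAULT_DOMAIN = "system"   # used when the user name carries no '@'


def split_username(user_name: str) -> Tuple[str, str]:
    """Return (userid, isp-name) after applying the manual's length and character rules."""
    if not 1 <= len(user_name) <= MAX_USERNAME:
        raise ValueError("user name must be 1 to %d characters" % MAX_USERNAME)
    if FORBIDDEN & set(user_name):
        raise ValueError("user name contains one of /:*?<>")
    if user_name.count("@") > 1:
        raise ValueError("user name may contain at most one '@'")
    userid, _, isp = user_name.partition("@")
    if not 1 <= len(userid) <= MAX_USERID:
        raise ValueError("user ID must be 1 to %d characters" % MAX_USERID)
    if isp and len(isp) > MAX_DOMAIN:
        raise ValueError("ISP domain name must be at most %d characters" % MAX_DOMAIN)
    return userid, (isp or DEFAULT_DOMAIN)


@dataclass
class IspDomain:
    name: str
    state: str = "active"               # state { active | block }
    access_limit: Optional[int] = None  # None models access-limit disable
    scheme: str = "local"               # "local", "none", or a RADIUS scheme name
    local_fallback: bool = False        # scheme radius-scheme NAME local
    online: int = 0                     # current access users in the domain


RadiusFn = Callable[[str, str, str], str]  # (scheme, userid, password) -> accept|reject|timeout
LocalFn = Callable[[str, str], bool]       # (userid, password) -> accepted?


def authenticate(domains: Dict[str, IspDomain], user_name: str, password: str,
                 radius: RadiusFn, local: LocalFn) -> Tuple[bool, str]:
    """Resolve the domain, enforce state and access-limit, then apply its AAA scheme."""
    userid, isp = split_username(user_name)
    dom = domains.get(isp)
    if dom is None:
        return False, "unknown ISP domain %s" % isp
    if dom.state != "active":
        return False, "domain %s is blocked" % isp  # online users stay; new access is denied
    if dom.access_limit is not None and dom.online >= dom.access_limit:
        return False, "access-limit %d reached in domain %s" % (dom.access_limit, isp)
    if dom.scheme == "none":
        ok, why = True, "no authentication (scheme none)"
    elif dom.scheme == "local":
        ok, why = local(userid, password), "local authentication"
    else:
        res = radius(dom.scheme, userid, password)
        if res == "timeout" and dom.local_fallback:
            ok, why = local(userid, password), "RADIUS %s unreachable, local fallback" % dom.scheme
        else:
            # A RADIUS reject is final: local is consulted only when the server does not respond.
            ok, why = (res == "accept"), "RADIUS %s: %s" % (dom.scheme, res)
    if ok:
        dom.online += 1
    return ok, why


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: scheme1's servers are down, scheme2's are reachable."""
    domains = {
        "system": IspDomain("system"),
        "aabbcc.net": IspDomain("aabbcc.net", access_limit=1, scheme="scheme1", local_fallback=True),
        "ddeeff.net": IspDomain("ddeeff.net", scheme="scheme2", local_fallback=True),
        "blocked.net": IspDomain("blocked.net", state="block"),
    }
    local_db = {("user1", "20030422"), ("aabbcc", "20030422")}  # constructed local users
    reachable = {"scheme2"}

    def radius(scheme: str, userid: str, password: str) -> str:
        if scheme not in reachable:
            return "timeout"
        return "accept" if password == "radius-pw" else "reject"  # constructed server policy

    def local(userid: str, password: str) -> bool:
        return (userid, password) in local_db

    results = {}
    for name, pw in [("user1", "20030422"), ("aabbcc@aabbcc.net", "20030422"),
                     ("user1@aabbcc.net", "20030422"), ("user1@ddeeff.net", "20030422"),
                     ("user1@blocked.net", "20030422")]:
        results[name] = authenticate(domains, name, pw, radius, local)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-20s %s (%s)" % (name, "accepted" if ok else "denied", why))
```

The ddeeff.net case shows the rule the scheme command states: a reject from a responding RADIUS server is not retried locally even though the local keyword is configured.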
1.1.17 self-service-url
Syntax
self-service-url enable url-string
self-service-url disable
View
ISP domain view
Parameters
url-string: URL of the web page used to modify user password on the self-service server. It is a string of 1 to 64 characters. This string can contain no question mark "?". If the actual URL of the self-service server contains any question mark, you need to change the question mark to the "|" character before entering the URL at the command line.
Description
Use the self-service-url enable command to enable the self-service server location function.
Use the self-service-url disable command to disable the self-service server location function.
By default, this function is disabled on the switch.
This command must be used in cooperation with a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.
After this command is executed on the switch, users can locate the self-service server by performing the following steps:
- Choose [change user password] on the 802.1x client.
- The client opens the default browser (for example, IE or Netscape) and locates the specified URL page used to change user password on the self-service server.
- Then, the user can change the password.
A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is grayed out and is unavailable.
Examples
# Under the default ISP domain system, set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain system
[H3C-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
1.1.18 service-type
Syntax
service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] }
undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* }
View
Local user view
Parameters
ftp: Specifies that this is an FTP user.
ftp-directory directory: Specifies the path for FTP users. directory is a string of up to 64 characters.
lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user).
ssh: Specifies that this is an SSH user.
telnet: Specifies that this is a Telnet user.
terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).
level level: Specifies the level of the Telnet, terminal or SSH user. level is an integer ranging from 0 to 3 and defaulting to 0.
Description
Use the service-type command to authorize the user to access the specified type(s) of service(s).
Use the undo service-type command to inhibit the user from accessing the specified type(s) of service(s).
Examples
# Authorize aabbcc to access lan-access service.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user aabbcc
[H3C-luser-aabbcc] service-type lan-access
1.1.19 state
Syntax
state { active | block }
View
ISP domain view or local user view
Parameters
active: Activates the current ISP domain (in ISP domain view) or the current local user (in local user view), so that the users of the domain, or the user, can access the network.
block: Blocks the current ISP domain (in ISP domain view) or the current local user (in local user view), so that the users of the domain, or the user, cannot access the network.
Description
Use the state command to set the status of current ISP domain or the status of the local user.
By default, an ISP domain is in the active state once it is created (in ISP domain view), and a local user is in the active state once the user is created (in local user view).
In ISP domain view, each ISP domain can be in one of two states: active and block. Users in an active ISP domain are allowed to access the network. After an ISP domain is set to the block state, users in this domain (except those already online) are no longer allowed to access the network.
Related commands: domain.
Examples
# Set the ISP domain aabbcc.net to the block state so that all its offline users cannot access the network.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] state block
# Set aabbcc to the block state.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user aabbcc
[H3C-luser-aabbcc] state block
1.1.20 vlan-assignment-mode
Syntax
vlan-assignment-mode { integer | string }
View
ISP domain view
Parameters
integer: Sets the VLAN assignment mode to integer.
string: Sets the VLAN assignment mode to string.
Description
Use the vlan-assignment-mode command to set the VLAN assignment mode (integer or string) on the switch.
By default, the VLAN assignment mode is integer; that is, the switch supports its RADIUS authentication server to assign integer VLAN IDs.
The dynamic VLAN assignment feature enables a switch to dynamically add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. In actual applications, if you use this feature together with Guest VLAN, it is recommended to set the port control mode to port-based.
Currently, the switch supports the RADIUS authentication server to assign the following two types of VLAN IDs: integer and string.
• Integer: Upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose ID equals the assigned integer. If no such VLAN exists, the switch first creates a VLAN with the assigned ID and then adds the port to it.
• String: Upon receiving a string ID assigned by the RADIUS authentication server, the switch compares it with the names of the VLANs existing on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user cannot pass authentication.
Which of the two dynamic VLAN assignment modes, integer or string, to use depends on the authentication server. Different authentication servers adopt different dynamic VLAN assignment modes, so configure the switch according to the mode used by your server.
Table 1-3 lists some common dynamic VLAN assignment modes.
Table 1-3 Common dynamic VLAN assignment modes
Server type | Dynamic VLAN assignment mode |
---|---|
CAMS | Integer (the mode of the latest version is determined by the attribute) |
ACS | String |
FreeRADIUS | Determined by the attribute (100 for integer; “100” for string) |
Shiva Access Manager | String |
Steel-Belted Radius Administrator | String |
Caution:
• Configure the VLAN assignment mode on the switch to match the type of the VLAN attribute value sent by the RADIUS authentication server. Set the correct mode with the vlan-assignment-mode command so that the switch correctly identifies the dynamic VLAN assigned by the server; if the modes differ, the expected configuration may not take effect.
• In string mode, the VLAN to be assigned must exist on the switch and must have a VLAN name configured. This is not required in integer mode.
• In string mode, if the VLAN ID assigned by the RADIUS server is a string containing only digits (for example, 1024), the switch first treats it as an integer VLAN ID: it converts the string to an integer and checks whether the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with that ID (VLAN 1024 in this example).
Related commands: name, dot1x guest-vlan
Examples
# Set the VLAN assignment mode to string.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] domain aabbcc.net
New Domain added.
[H3C-isp-aabbcc.net] vlan-assignment-mode string
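The integer and string rules above, including the digit-only string case from the caution, as an added example in Python (not H3C code). The switch's VLAN table is a constructed dict of VLAN ID to VLAN name, the valid ID range 1 to 4094 is an assumption, and, because the page does not say whether a digit-only string creates a missing VLAN in string mode, the example requires the VLAN to exist there (caution item 2).

```python
"""Resolve a RADIUS-assigned VLAN under the integer and string assignment modes.

Added example, not H3C code. The switch's VLAN table is a constructed dict
of VLAN ID -> VLAN name (None when no name is configured); the attribute
value is the raw text the RADIUS server sent. Function and variable names
are this example's own.
"""
from typing import Dict, Optional

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094  # assumed valid VLAN ID range


def _in_range(vid: int) -> bool:
    return VLAN_ID_MIN <= vid <= VLAN_ID_MAX


def resolve_vlan(mode: str, assigned: str, vlans: Dict[int, Optional[str]]) -> Optional[int]:
    """Return the VLAN ID the authenticated port joins, or None if assignment fails.

    mode     -- "integer" or "string", the value set with vlan-assignment-mode
    assigned -- VLAN value received from the RADIUS authentication server
    vlans    -- VLANs existing on the switch; integer mode may add to it
    """
    if mode == "integer":
        # Integer mode: the value must be a VLAN ID; a missing VLAN is created.
        if not assigned.isdigit() or not _in_range(int(assigned)):
            return None
        vid = int(assigned)
        vlans.setdefault(vid, None)  # "first creates a VLAN with the assigned ID"
        return vid

    if mode == "string":
        # Caution item 3: a digit-only string is first tried as a VLAN ID.
        if assigned.isdigit() and _in_range(int(assigned)):
            vid = int(assigned)
            # Assumption: caution item 2 still applies, so the VLAN must exist;
            # the page does not say the switch creates it in string mode.
            return vid if vid in vlans else None
        # Otherwise the value is matched against configured VLAN names.
        for vid, name in vlans.items():
            if name is not None and name == assigned:
                return vid
        return None  # no match: assignment fails and the user fails authentication

    raise ValueError(f"unknown vlan-assignment-mode: {mode}")


def demo() -> Dict[str, Optional[int]]:
    """Constructed switch state and a few server-assigned values."""
    switch = {1: None, 20: "sales", 30: "guest", 1024: None}
    return {
        "integer/100": resolve_vlan("integer", "100", dict(switch)),
        "integer/sales": resolve_vlan("integer", "sales", dict(switch)),
        "string/sales": resolve_vlan("string", "sales", dict(switch)),
        "string/1024": resolve_vlan("string", "1024", dict(switch)),
        "string/4000": resolve_vlan("string", "4000", dict(switch)),
        "string/finance": resolve_vlan("string", "finance", dict(switch)),
    }
```

The "string/finance" and "string/4000" cases are the ones that fail authentication: the first because no VLAN carries that name, the second because VLAN 4000 does not exist on the switch. Integer mode never fails for an in-range value, which is why it needs no VLAN names configured in advance.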
1.2 RADIUS Configuration Commands
1.2.1 accounting-on enable
Syntax
accounting-on enable [ send times | interval interval ]
undo accounting-on { enable | send | interval }
View
RADIUS scheme view
Parameters
times: Maximum number of attempts to send Accounting-On packets, ranging from 1 to 256 and defaulting to 40.
interval: Interval at which Accounting-On packets are sent, ranging from 1 to 30 and defaulting to 3 seconds.
Description
Use the accounting-on enable command to enable the user re-authentication upon device restart.
Use the undo accounting-on enable command to disable the user re-authentication upon device restart and restore the default interval and maximum number of attempts to transmit Accounting-On packets.
Use the undo accounting-on send command to restore the default maximum number of attempts to transmit Accounting-On packets.
Use the undo accounting-on interval command to restore the default interval to transmit Accounting-On packets.
By default, this function is disabled.
This function solves the following problem: after the switch restarts, users who were online before the restart cannot log in again. After this function is enabled, every time the switch restarts:
• The switch generates an Accounting-On packet, which mainly carries the NAS-ID, the NAS-IP address (source IP address), and the session ID.
• The switch sends the Accounting-On packet to the CAMS at regular intervals.
• When the CAMS receives the Accounting-On packet, it sends a response to the switch. At the same time, using the information in the packet (NAS-ID, NAS-IP address and session ID), it finds and deletes the original online records of the users who accessed the network through the switch before the restart, and ends their accounting based on the last accounting update packet.
• Once the switch receives the response from the CAMS, it stops sending Accounting-On packets.
• If the switch receives no response from the CAMS after the number of Accounting-On packets it has sent reaches the configured maximum, it stops sending Accounting-On packets.
Note:
The switch automatically generates the main attributes (NAS-ID, NAS-IP address and session ID) of the Accounting-On packet. You can also configure the NAS-IP address manually with the nas-ip command; if you do, make sure you configure an appropriate and legal IP address. If this attribute is not configured, the switch uses the IP address of the VLAN interface as the NAS-IP address.
Related commands: nas-ip.
Examples
# Enable the user re-authentication upon device restart function for the RADIUS scheme named CAMS.
<H3C> system-view
[H3C] radius scheme CAMS
[H3C-radius-CAMS] accounting-on enable
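The Accounting-On exchange described above, simulated from both ends as an added example in Python (not H3C or CAMS code). The switch side retransmits every `interval` seconds until it is acknowledged or `times` attempts are used up, using the page's defaults of 40 and 3; the server side is a constructed stand-in whose online table is keyed by user name. How the session ID distinguishes one boot of the switch from the next is an assumption of the example.

```python
"""Simulate the Accounting-On exchange between a restarted switch and CAMS.

Added example, not H3C code. Packet loss, user names, addresses and the
session-ID semantics below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccountingOn:
    nas_id: str
    nas_ip: str      # source IP: the nas-ip setting or the VLAN interface address
    session_id: str  # assumed to change with every restart of the switch


@dataclass
class CamsStandIn:
    """Server side. online maps user name -> (nas_ip, session_id)."""
    online: Dict[str, Tuple[str, str]]
    lose_first: int = 0                      # constructed loss: packets that never arrive
    ended: List[str] = field(default_factory=list)
    received: int = 0

    def handle(self, pkt: AccountingOn) -> bool:
        """Return True when a response goes back to the switch."""
        self.received += 1
        if self.received <= self.lose_first:
            return False                     # packet (or its response) lost on the way
        for user, (ip, sid) in list(self.online.items()):
            # Records from this NAS carrying a different session ID predate the restart.
            if ip == pkt.nas_ip and sid != pkt.session_id:
                del self.online[user]
                self.ended.append(user)      # accounting ended for this user
        return True


def send_accounting_on(server: CamsStandIn, pkt: AccountingOn,
                       times: int = 40, interval: int = 3) -> Tuple[bool, int, int]:
    """Switch side. Returns (acknowledged, attempts_made, seconds_of_last_send)."""
    for attempt in range(1, times + 1):
        sent_at = (attempt - 1) * interval   # attempt 1 at t=0, then every `interval` s
        if server.handle(pkt):
            return True, attempt, sent_at    # response received: stop sending
    return False, times, (times - 1) * interval  # maximum reached: give up


def demo() -> dict:
    """Constructed scenario: two users were online through 10.1.1.1 before the
    restart, a third user is attached to another NAS, and the first two
    Accounting-On packets are lost."""
    server = CamsStandIn(
        online={"alice": ("10.1.1.1", "boot-1"), "bob": ("10.1.1.1", "boot-1"),
                "carol": ("10.1.1.2", "boot-7")},
        lose_first=2)
    pkt = AccountingOn(nas_id="sw-core", nas_ip="10.1.1.1", session_id="boot-2")
    acked, attempts, at = send_accounting_on(server, pkt)
    return {"acked": acked, "attempts": attempts, "last_send_s": at,
            "ended": sorted(server.ended), "still_online": sorted(server.online)}
```

The worst case is worth reading off the model: with the defaults, a switch that never hears back stops after 40 packets spread over 117 seconds, and the server keeps its stale records, which is exactly the "cannot log in again" symptom the command exists to prevent.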
1.2.2 accounting optional
Syntax
accounting optional
undo accounting optional
View
RADIUS scheme view/ISP domain view
Parameters
None
Description
Use the accounting optional command to enable the accounting-optional function.
Use the undo accounting optional command to disable the accounting-optional function so that users are charged forcibly.
By default, once an ISP domain is created, the accounting-optional function is disabled.
When the system needs to account for an online user but finds no available RADIUS accounting server or cannot communicate with any RADIUS accounting server, the user can continue to access network resources if the accounting optional command has been configured.
After the accounting optional command is used for a RADIUS scheme, the system will no longer send real-time accounting update packets and stop-accounting packets for any user who adopts the RADIUS scheme.
This configuration takes effect only on the accounting using this RADIUS scheme.
Examples
# Enable the accounting-optional function for the RADIUS scheme named CAMS.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme CAMS
[H3C-radius-cams] accounting optional
1.2.3 data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format
View
RADIUS scheme view
Parameters
data: Sets the unit of measure for data.
byte: Specifies to measure data in bytes.
giga-byte: Specifies to measure data in gigabytes.
kilo-byte: Specifies to measure data in kilobytes.
mega-byte: Specifies to measure data in megabytes.
packet: Sets the unit of measure for packets.
giga-packet: Specifies to measure packets in giga-packets.
kilo-packet: Specifies to measure packets in kilo-packets.
mega-packet: Specifies to measure packets in mega-packets.
one-packet: Specifies to measure packets in packets.
Description
Use the data-flow-format command to set the units of measure for data flows sent to RADIUS servers.
Use the undo data-flow-format command to restore the default units of measure.
By default, the unit of measure for data is byte and that for packets is one-packet.
Related commands: display radius.
Examples
# Specify to measure data and packets in data flows sent to RADIUS server in kilo-bytes and kilo-packets, respectively.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
1.2.4 display local-server statistics
Syntax
display local-server statistics
View
Any view
Parameters
None
Description
Use the display local-server statistics command to display the statistics about all local RADIUS authentication servers.
Related commands: local-server.
Examples
# Display the statistics about local RADIUS authentication server.
<H3C> display local-server statistics
The localserver packet statistics:
Receive: 30 Send: 30
Discard: 0 Receive Packet Error: 0
Auth Receive: 10 Auth Send: 10
Acct Receive: 20 Acct Send: 20
1.2.5 display radius
Syntax
display radius [ radius-scheme-name ]
View
Any view
Parameters
radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters. If this argument is not specified, this command displays the configuration information about all RADIUS schemes.
Description
Use the display radius command to display the configuration information about one specific or all RADIUS schemes.
By default, this command displays the configuration information about all RADIUS schemes.
Related commands: radius scheme.
Examples
# Display the configuration information about all RADIUS schemes.
<H3C> display radius
------------------------------------------------------------------
SchemeName =system Index=0 Type=extended
Primary Auth IP =127.0.0.1 Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Source-IP-address =0.0.0.0
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Table 1-4 Description on the fields of the display radius command
Field | Description |
---|---|
SchemeName | Name of the RADIUS scheme |
Index | Index number of the RADIUS scheme |
Type | Type of the RADIUS servers |
Primary Auth IP/ Port/ State | IP address/access port number/state of the primary authentication server |
Primary Acct IP/ Port/ State | IP address/access port number/state of the primary accounting server |
Second Auth IP/ Port/ State | IP address/access port number/state of the secondary authentication server |
Second Acct IP/ Port/ State | IP address/access port number/state of the secondary accounting server |
Auth Server Encryption Key | Login password for the authentication servers |
Acct Server Encryption Key | Login password for the accounting servers |
TimeOutValue (seconds) | RADIUS server response timeout time |
RetryTimes | Maximum number of transmission attempts |
Permitted send realtime PKT failed counts | Maximum allowed number of continuous no-response real-time accounting requests |
Retry sending times of non-response acct-stop-PKT | Maximum number of transmission attempts of the buffered stop-accounting requests |
Username format | User name format |
Data flow unit | Unit of measure for data in data flows |
Packet unit | Unit of measure for packets |
1.2.6 display radius statistics
Syntax
display radius statistics
View
Any view
Parameters
None
Description
Use the display radius statistics command to display the statistics about RADIUS packets, so as to troubleshoot RADIUS configuration.
Related commands: radius scheme.
Examples
# Display the statistics about RADIUS packets.
<H3C> display radius statistics
state statistic(total=4120):
DEAD=4120 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=0
AcctStop=0 OnLine=0 Stop=0
StateErr=0
Received and Sent packets statistic:
Sent PKT total :0 Received PKT total:0
RADIUS received packets statistic:
Code= 2,Num=0 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=0 , Err=0 , Succ=0
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=0 , Err=0 , Succ=0
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=0 , Err=0 , Succ=0
PKT acct_timeout , Num=0 , Err=0 , Succ=0
(The following display is omitted.)
1.2.7 display stop-accounting-buffer
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameters
radius-scheme radius-scheme-name: Displays the buffered stop-accounting requests of the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
session-id session-id: Displays the buffered stop-accounting requests of the specified session ID. session-id is a character string of up to 50 characters.
time-range start-time stop-time: Displays the buffered stop-accounting requests in the specified request time range. start-time is the start time of the request time range, stop-time is the end time of the request time range, and both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. With this argument specified, this command displays the buffered stop-accounting requests from the start time to the end time.
user-name user-name: Displays the buffered stop-accounting requests of the specified user. user-name is a character string of up to 32 characters.
Description
Use the display stop-accounting-buffer command to display the no-response stop-accounting request packets buffered in the switch.
• You can choose to display the buffered stop-accounting packets of a specified RADIUS scheme, session ID, or user name. You can also specify a time range to display those sent within the specified time range. The displayed packet information helps diagnose and resolve RADIUS-related problems.
• When the switch sends out a stop-accounting packet but gets no response from the RADIUS server, it first buffers the packet and then retransmits it until the maximum number of retransmission attempts (set by the retry stop-accounting command) is reached.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.
Examples
# Display the buffered stop-accounting requests from 0:0:0 08/31/2003 to 23:59:59 08/31/2003.
<H3C> display stop-accounting-buffer time-range 0:0:0-2003/08/31 23:59:59-2003/08/31
Total find 0 record
1.2.8 key
Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS scheme view
Parameters
accounting: Sets a shared key for the RADIUS accounting packets.
authentication: Sets a shared key for the RADIUS authentication/authorization packets.
string: Shared key, a character string of up to 16 characters.
Description
Use the key command to set a shared key for the RADIUS authentication/authorization packets or accounting packets.
Use the undo key command to restore the corresponding default shared key.
The RADIUS client (that is, the switch) and the server use the MD5 algorithm to encrypt the RADIUS packets exchanged between them. The two parties verify the validity of the exchanged packets by using the encryption keys set on them, and each accepts and responds to the other's packets only if both hold the same encryption key. If the authentication/authorization server and the accounting server are two separate devices with different encryption keys, make sure you set the encryption keys for authentication/authorization packets and accounting packets separately on the switch.
Related commands: primary accounting, primary authentication, radius scheme.
Examples
# Set the encrypted key for the RADIUS authentication/authorization packets in RADIUS scheme radius1 to hello.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] key authentication hello
# Set the encrypted key for the RADIUS accounting packets in RADIUS scheme radius1 to ok.
[H3C-radius-radius1] key accounting ok
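What the shared key configured with key authentication and key accounting protects, as an added example in Python (not H3C code): the MD5 authenticators of RFC 2865 and RFC 2866. The block builds RADIUS packets from scratch without any network, computes the Response Authenticator a server must return and the Request Authenticator an accounting request carries, and runs the client-side check that rejects a reply produced with a different key. The identifiers, attribute values and the fixed Request Authenticator are constructed for the example; the key values hello and ok are the ones from the configuration example above.

```python
"""RADIUS shared-key authenticators (RFC 2865 / RFC 2866), offline.

Added example, not H3C code. Packets are built from constructed values;
a real client uses 16 random bytes as the Request Authenticator.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_ACCEPT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 2, 4, 5
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

Attrs = List[Tuple[int, bytes]]


def encode_attributes(attributes: Attrs) -> bytes:
    """Serialize (Type, Value) pairs as RADIUS TLVs; Length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)


def build_packet(code: int, ident: int, authenticator: bytes, attributes: Attrs) -> bytes:
    body = encode_attributes(attributes)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: Attrs, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attributes)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def accounting_request_authenticator(ident: int, attributes: Attrs, secret: bytes) -> bytes:
    """RFC 2866 section 3: the same hash, with 16 zero octets where the authenticator goes."""
    return response_authenticator(ACCOUNTING_REQUEST, ident, bytes(16), attributes, secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute with the locally configured key and compare
    in constant time. A reply hashed with a different key fails here, which is
    why both ends must hold the same key."""
    if len(response) < HEADER_LEN:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False  # Length field must match what was received
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine reply accepted, wrong-key reply rejected, tampered reply rejected)."""
    auth_key = b"hello"              # from the `key authentication hello` example
    request_auth = bytes(range(16))  # constructed; a real client picks 16 random bytes
    attrs = [(18, b"welcome")]       # Reply-Message attribute
    genuine = build_packet(ACCESS_ACCEPT, 7,
                           response_authenticator(ACCESS_ACCEPT, 7, request_auth, attrs, auth_key),
                           attrs)
    wrong_key = build_packet(ACCESS_ACCEPT, 7,
                             response_authenticator(ACCESS_ACCEPT, 7, request_auth, attrs, b"hell0"),
                             attrs)
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])  # flip one bit of the attribute
    return (verify_response(genuine, request_auth, auth_key),
            not verify_response(wrong_key, request_auth, auth_key),
            not verify_response(tampered, request_auth, auth_key))
```

A caveat the example makes visible: the key never encrypts the packet body. It keys the MD5 authenticators above (and the hiding of the User-Password attribute), so attributes such as user names travel in the clear between the switch and the server, and the 16-character limit on the key is the whole strength of the integrity check.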
1.2.9 local-server
Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address
View
System view
Parameters
nas-ip ip-address: Specifies the NAS-IP address of the local RADIUS server. ip-address is in dotted decimal notation.
key password: Specifies the shared key of the authentication server and access server. password is a character string of up to 16 characters.
Description
Use the local-server command to create a local RADIUS authentication server (that is, set the related parameters of the server).
Use the undo local-server command to delete the specified local RADIUS authentication server.
By default, a local RADIUS authentication server is used, whose default NAS-IP is 127.0.0.1. That is, the local device serves as a RADIUS authentication server and a network access server, and all authentications are performed locally.
Note that:
• Besides the traditional RADIUS client service, which accomplishes user AAA management through external authentication/authorization and accounting servers, the switch provides a simple local RADIUS server function for authentication and authorization, called the local RADIUS authentication server function.
• When you use the local RADIUS authentication server function, the UDP port number for the authentication/authorization service must be 1645 and the UDP port number for the accounting service must be 1646.
• The packet encryption key set with the key password parameter of the local-server command must be identical to the authentication/authorization packet encryption key set with the key authentication command in RADIUS scheme view.
• The switch supports at most 16 network access server IP addresses and shared keys (including the default local RADIUS authentication server); that is, when the switch serves as a RADIUS authentication server, it can provide authentication for at most 16 network access servers simultaneously.
• When serving as a local RADIUS authentication server, the switch does not support EAP authentication.
Related commands: radius scheme, state.
Examples
# Create a network access server permitted by the RADIUS authentication server with an IP address of 10.110.1.2 and a shared key of aabbcc.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-server nas-ip 10.110.1.2 key aabbcc
1.2.10 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS scheme view
Parameters
ip-address: Source IP address for RADIUS packets, an IP address of this device. This address can neither be an all-zero address nor be a Class-D address.
Description
Use the nas-ip command to set the source IP address used by the switch to send RADIUS packets.
Use the undo nas-ip command to remove the source IP address setting.
Note:
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view, and the configuration in RADIUS scheme view takes precedence over the configuration in system view.
Specifying the source address for RADIUS packets ensures that the packets returned by the server remain deliverable even if a physical interface fails. It is recommended to use the loopback interface address as the source IP address.
By default, the IP address of the outbound interface is used as the source IP address of the packet.
Related commands: display radius, radius nas-ip.
Examples
# Set the source IP address used by the switch to send the RADIUS packets to 10.1.1.1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme test1
[H3C-radius-test1] nas-ip 10.1.1.1
1.2.11 primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal notation.
port-number: UDP port number, ranging from 1 to 65,535.
Description
Use the primary accounting command to set the IP address and port number of the primary RADIUS accounting server.
Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server.
The IP address and UDP port number of the primary accounting server used by the default RADIUS scheme system are 127.0.0.1 and 1646. The IP address and the UDP port number of the primary accounting server used by a newly created RADIUS scheme are 0.0.0.0 and 1813.
After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each kind of server, you can configure two servers in a RADIUS scheme: primary and secondary servers.
In an actual network environment, you can configure the above parameters as required. But you should configure at least one authentication/authorization server and one accounting server. At the same time, you should keep the RADIUS service port settings on the switch consistent with those on the RADIUS servers.
Related commands: key, radius scheme, state.
Examples
# Set the IP address and UDP port number of the primary accounting server of the RADIUS scheme radius1 to 10.110.1.2 and 1813.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] primary accounting 10.110.1.2 1813
1.2.12 primary authentication
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal notation.
port-number: UDP port number, ranging from 1 to 65,535.
Description
Use the primary authentication command to set the IP address and port number of the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.
The IP address and UDP port number of the primary authentication server used by the default RADIUS scheme system are 127.0.0.1 and 1645, and those of its secondary authentication server are 0.0.0.0 and 1812. The IP address and UDP port number of the primary/secondary authentication server used by a newly created RADIUS scheme are 0.0.0.0 and 1812.
After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each kind of server, you can configure two servers in a RADIUS scheme: primary and secondary servers.
In an actual network environment, you can configure the above parameters as required. But you should configure at least one authentication/authorization server and one accounting server. At the same time, you should keep the RADIUS service port settings on the switch consistent with those on the RADIUS servers.
Related commands: key, radius scheme, state.
Examples
# Set the IP address and UDP port number of the primary authentication/authorization server used by the RADIUS scheme radius1 to 10.110.1.1 and 1812.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] primary authentication 10.110.1.1 1812
1.2.13 radius nas-ip
Syntax
radius nas-ip ip-address
undo radius nas-ip
View
System view
Parameters
ip-address: Source IP address, in dotted decimal notation.
Description
Use the radius nas-ip command to set the source address used by the NAS to send RADIUS packets.
Use the undo radius nas-ip command to restore the default setting.
By default, no source address is specified, and the address of the outbound interface is used as the source address of the packet.
Note:
The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view, and the configuration in RADIUS scheme view takes precedence over the configuration in system view.
Note that:
• Specifying the source IP address for RADIUS packets ensures that the packets returned by the server remain deliverable even if a physical interface fails. It is recommended to use the loopback interface address as the source IP address.
• You can specify only one source IP address with this command. When you use this command again, the newly specified source IP address overwrites the old one.
Related commands: nas-ip.
Examples
# Set the source address used by the switch to send the RADIUS packets to 129.10.10.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] radius nas-ip 129.10.10.1
1.2.14 radius scheme
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
View
System view
Parameters
radius-scheme-name: Name of the RADIUS scheme, a character string of up to 32 characters.
Description
Use the radius scheme command to create a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete the specified RADIUS scheme.
By default, a RADIUS scheme named system has already been created in the system. All attributes of the scheme take the default values.
The RADIUS protocol configuration is performed on a RADIUS scheme basis. For each RADIUS scheme, you should specify at least the IP addresses and UDP port numbers of the RADIUS authentication/authorization and accounting servers, and the parameters required for the RADIUS client (that is, the switch) to interact with the RADIUS servers. Therefore, you should first create a RADIUS scheme and enter its view before performing other RADIUS protocol configurations.
A RADIUS scheme can be referenced by multiple ISP domains simultaneously. You can configure up to 16 RADIUS schemes, including the default scheme system.
The undo radius scheme command cannot be used to delete the default RADIUS scheme. Note that you cannot delete a RADIUS scheme which is being used by an online user.
Related commands: key, retry realtime-accounting, radius-scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius, display radius statistics.
Examples
# Create a RADIUS scheme named radius1 and enter its view.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1]
1.2.15 reset radius statistics
Syntax
reset radius statistics
View
User view
Parameters
None
Description
Use the reset radius statistics command to clear the statistics about the RADIUS protocol.
Related commands: display radius.
Examples
# Clear the statistics about the RADIUS protocol.
<H3C> reset radius statistics
1.2.16 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameters
radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests depending on the specified RADIUS scheme. radius-scheme-name is the name of a RADIUS scheme. This name is a character string of up to 32 characters.
session-id session-id: Deletes the buffered stop-accounting requests depending on the specified session ID. session-id is a character string of up to 50 characters.
time-range start-time stop-time: Deletes the buffered stop-accounting requests depending on the time of the stop-accounting request. start-time is the start time of the request period, stop-time is the end time of the request period, and both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. With this argument specified, this command deletes the buffered stop-accounting requests from the start time to the end time.
user-name user-name: Deletes the buffered stop-accounting request packets depending on the specified user name. user-name is a character string of up to 32 characters.
Description
Use the reset stop-accounting-buffer command to delete the buffered no-response stop-accounting request packets.
When the switch sends out a stop-accounting packet but gets no response from the RADIUS server, it first buffers the packet and then retransmits it until the maximum number of retransmission attempts (set by the retry stop-accounting command) is reached.
The reset stop-accounting-buffer command is used to delete the stop-accounting request packets buffered in the switch. You can choose to delete the buffered stop-accounting packets of a specified RADIUS scheme, session ID, or user name. You can also specify a time range to delete the stop-accounting packets sent within the specified time range.
Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Examples
# Delete the stop-accounting request packets buffered in the system for the user [email protected].
<H3C> reset stop-accounting-buffer user-name [email protected]
# Delete the stop-accounting request packets buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002 in the system.
<H3C> reset stop-accounting-buffer time-range 0:0:0-2002/08/31 23:59:59-2002/08/31
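A model of the stop-accounting buffer behind display stop-accounting-buffer (section 1.2.7) and reset stop-accounting-buffer (this section), as an added example in Python (not H3C code). It contains a parser for the two time formats the commands accept, the selection by scheme, session ID, user name or time range that both commands share, and one retransmission pass that honours the per-packet limit set by retry stop-accounting. The buffer contents are constructed, the 500 default is the "Retry sending times of noresponse acct-stop-PKT" value shown in the display radius output above, and the record layout of the display output is this example's own.

```python
"""Stop-accounting buffer: time-range parsing, selection, reset, retransmission.

Added example, not H3C code. The buffer contents, user names and the
display line layout are constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple


@dataclass
class BufferedStop:
    scheme: str
    session_id: str
    user_name: str
    requested_at: datetime   # when the stop-accounting request was first sent
    attempts: int = 0        # retransmissions so far


def parse_time(text: str) -> datetime:
    """Accept hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, the two formats on the page."""
    for fmt in ("%H:%M:%S-%m/%d/%Y", "%H:%M:%S-%Y/%m/%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized time {text!r}")


def select(buffer: List[BufferedStop], scheme: Optional[str] = None,
           session_id: Optional[str] = None, user_name: Optional[str] = None,
           time_range: Optional[Tuple[str, str]] = None) -> List[BufferedStop]:
    """The filter both commands share. Every criterion given must match."""
    start = stop = None
    if time_range:
        start, stop = parse_time(time_range[0]), parse_time(time_range[1])
        if start > stop:
            raise ValueError("start time is later than stop time")
    return [b for b in buffer
            if (scheme is None or b.scheme == scheme)
            and (session_id is None or b.session_id == session_id)
            and (user_name is None or b.user_name == user_name)
            and (start is None or start <= b.requested_at <= stop)]


def display(buffer: List[BufferedStop], **criteria) -> str:
    """display stop-accounting-buffer: one line per record plus the page's summary line."""
    found = select(buffer, **criteria)
    lines = [f"{b.scheme} {b.user_name} session={b.session_id} "
             f"time={b.requested_at:%H:%M:%S-%Y/%m/%d} retransmitted={b.attempts}"
             for b in found]
    lines.append(f"Total find {len(found)} record")
    return "\n".join(lines)


def reset(buffer: List[BufferedStop], **criteria) -> List[BufferedStop]:
    """reset stop-accounting-buffer: drop the matching records, return what is left."""
    doomed = {id(b) for b in select(buffer, **criteria)}
    return [b for b in buffer if id(b) not in doomed]


def retransmit(buffer: List[BufferedStop], server_answers: Callable[[BufferedStop], bool],
               retry_stop_accounting: int = 500) -> List[BufferedStop]:
    """One retransmission pass: answered packets leave the buffer, the rest stay
    until they have been retransmitted retry_stop_accounting times."""
    remaining = []
    for b in buffer:
        if server_answers(b):
            continue                      # acknowledged: nothing more to send
        b.attempts += 1
        if b.attempts < retry_stop_accounting:
            remaining.append(b)           # keep for the next pass
    return remaining


def sample_buffer() -> List[BufferedStop]:
    """Constructed contents, dated around the page's 2003/08/31 example."""
    return [
        BufferedStop("radius1", "s-0001", "alice@aabbcc.net", parse_time("08:15:00-08/31/2003")),
        BufferedStop("radius1", "s-0002", "bob@aabbcc.net", parse_time("23:59:59-2003/08/31")),
        BufferedStop("CAMS", "s-0003", "alice@aabbcc.net", parse_time("00:00:00-2003/09/01"), 499),
    ]
```

Two points the model makes concrete: the time range is inclusive at both ends, so the page's 0:0:0 to 23:59:59 example covers a whole day, and a record with 499 retransmissions behind it leaves the buffer on the next unanswered pass, which is when the accounting server permanently loses that user's stop record.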
1.2.17 retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Parameters
retry-times: Maximum number of transmission attempts, ranging from 1 to 20 and defaulting to 3.
Description
Use the retry command to set the maximum number of transmission attempts of RADIUS requests.
Use the undo retry command to restore the default maximum number of transmission attempts.
Note that:
• RADIUS communication is unreliable because the protocol carries data in UDP packets. Therefore, the switch must retransmit a RADIUS request if it receives no response from the RADIUS server before the response timeout timer expires. If the maximum number of transmission attempts is reached and the switch still receives no response, it considers the request failed.
• Setting this maximum number of transmission attempts appropriately for the network conditions can improve the response speed of the system.
Related commands: radius scheme.
Examples
# Set the maximum transmission times of RADIUS requests in the RADIUS scheme radius1 to five.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] retry 5
1.2.18 retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Parameters
retry-times: Maximum number of real-time accounting request attempts, ranging from 1 to 255.
Description
Use the retry realtime-accounting command to set the maximum number of real-time accounting request attempts.
Use the undo retry realtime-accounting command to restore the default maximum number of real-time accounting request attempts.
By default, the system can allow five real-time accounting request attempts at most.
Note that:
l Generally, the RADIUS server uses the connection timeout timer to determine whether a user is online or not. If the RADIUS server receives no real-time accounting packet for a specified period of time, it will consider that the line or the switch is faulty and stop the accounting of the user. To make the switch cooperate with this feature on the RADIUS server, it is necessary to cut down the user connection on the switch as soon as possible after the RADIUS server terminates the charging and connection of the user in the case of an unforeseen fault. For this purpose, you can limit the number of continuous real-time no-response accounting requests, and the switch will cut down the user connection if it sends out the maximum number of real-time accounting requests but does not receive any response.
l A real-time accounting request may be transmitted multiple times (up to the number set by the retry command in RADIUS scheme view) within one accounting attempt. If no response is received even after the number of transmissions reaches that maximum, the accounting attempt fails. Suppose that the response timeout time of the RADIUS server is three seconds (set by the timer response-timeout command), that the maximum number of transmission attempts is 3 (set by the retry command), that the real-time accounting interval is 12 minutes (set by the timer realtime-accounting command), and that the maximum number of real-time accounting request attempts is 5 (set by the retry realtime-accounting command). In this case, the switch sends an accounting request every 12 minutes; if it receives no response within 3 seconds after sending the request, it resends the request; if it sends the request three times in a row without receiving any response, it considers this real-time accounting attempt a failure. The switch then continues to send accounting requests every 12 minutes; if the number of consecutive accounting failures exceeds five, the user connection is cut down.
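As an added illustration of the note above (this is not H3C code), the following Python model reproduces the interplay of timer response-timeout, retry, timer realtime-accounting and retry realtime-accounting for an accounting server that stops answering. It assumes that attempts are scheduled at fixed intervals from session start and that the user is cut off when the consecutive-failure count reaches the configured maximum; the server behaviour is a constructed stand-in for the network.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed model of the NAS-side real-time accounting logic; not H3C code.
# Defaults mirror the manual's worked values: timer response-timeout 3,
# retry 3, timer realtime-accounting 12, retry realtime-accounting 5.
@dataclass
class RealtimeAccountingConfig:
    response_timeout_s: int = 3         # timer response-timeout
    retry: int = 3                      # retry (transmissions per attempt)
    realtime_interval_min: int = 12     # timer realtime-accounting
    retry_realtime_accounting: int = 5  # consecutive failed attempts allowed


@dataclass
class AccountingSession:
    user: str
    consecutive_failures: int = 0
    online: bool = True
    log: List[str] = field(default_factory=list)


# server_up(t) answers whether the RADIUS accounting server would respond to a
# request sent at simulated time t (seconds). It stands in for the network.
ServerModel = Callable[[int], bool]


def send_accounting_attempt(cfg: RealtimeAccountingConfig, now_s: int,
                            server_up: ServerModel):
    """One real-time accounting attempt: up to cfg.retry transmissions, each
    waiting response_timeout_s for an answer (retry + timer response-timeout).
    Returns (succeeded, seconds spent waiting)."""
    waited = 0
    for _ in range(cfg.retry):
        if server_up(now_s + waited):
            return True, waited
        waited += cfg.response_timeout_s  # timeout expired, retransmit
    return False, waited


def run_realtime_accounting(cfg: RealtimeAccountingConfig,
                            session: AccountingSession,
                            server_up: ServerModel,
                            max_minutes: int) -> Optional[int]:
    """Drive the NAS for max_minutes of simulated time. An attempt is made
    every realtime_interval_min (assumption: scheduled from session start).
    A successful attempt resets the failure counter; when the consecutive
    failure count reaches retry_realtime_accounting the user is cut off.
    Returns the simulated second at which the user was cut off, or None."""
    t = 0
    while t + cfg.realtime_interval_min * 60 <= max_minutes * 60:
        t += cfg.realtime_interval_min * 60
        ok, waited = send_accounting_attempt(cfg, t, server_up)
        if ok:
            session.consecutive_failures = 0
            session.log.append(f"t={t}s accounting ok")
            continue
        session.consecutive_failures += 1
        session.log.append(
            f"t={t}s attempt failed after {cfg.retry} transmissions "
            f"({session.consecutive_failures}/{cfg.retry_realtime_accounting})")
        if session.consecutive_failures >= cfg.retry_realtime_accounting:
            session.online = False
            session.log.append(f"t={t + waited}s user {session.user} cut off")
            return t + waited
    return None


def worst_case_cutoff_seconds(cfg: RealtimeAccountingConfig) -> int:
    """Closed form for a server that never answers: the last of N attempts is
    scheduled at N*interval and itself lasts retry*timeout seconds."""
    return (cfg.retry_realtime_accounting * cfg.realtime_interval_min * 60
            + cfg.retry * cfg.response_timeout_s)


if __name__ == "__main__":
    cfg = RealtimeAccountingConfig()
    dead = AccountingSession(user="user1@isp1")  # constructed sample user
    print(run_realtime_accounting(cfg, dead, lambda t: False, 120))
    for line in dead.log:
        print(line)
```

With the manual's values a silent server leaves the user online for 5 x 12 minutes plus 9 seconds (3609 s) before the cut-off; lowering retry realtime-accounting shortens that window at the cost of more false cut-offs on a lossy network.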
Related commands: radius scheme, timer realtime-accounting.
Examples
# Allow the switch to continuously send at most 10 real-time accounting requests for the RADIUS scheme radius1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] retry realtime-accounting 10
1.2.19 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Parameters
retry-times: Maximum number of transmission attempts of the buffered stop-accounting requests, ranging from 10 to 65,535 and defaulting to 500.
Description
Use the retry stop-accounting command to set the maximum number of transmission attempts of the stop-accounting requests buffered due to no response.
Use the undo retry stop-accounting command to restore the default maximum number of transmission attempts of the buffered stop-accounting requests.
Stop-accounting requests are critical to billing and will eventually affect the charges of the users; they are important for both the users and the ISP. Therefore, the NAS should do its best to transmit them to the RADIUS accounting server. If the RADIUS server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).
Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Examples
# For RADIUS scheme radius1, specify that the switch can transmit a buffered stop-accounting request at most 1,000 times.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] retry stop-accounting 1000
1.2.20 secondary accounting
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal notation. By default, the IP address of the secondary accounting server is 0.0.0.0.
port-number: UDP port number, ranging from 1 to 65,535. By default, the UDP port number of the secondary accounting service is 1813.
Description
Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server.
Use the undo secondary accounting command to restore the default IP address and port number of the secondary RADIUS accounting server.
See the description on the primary accounting command for details.
Related commands: key, radius scheme, state.
Examples
# Set the IP address and UDP port number of the secondary accounting server of the RADIUS scheme radius1 to 10.110.1.1 and 1813.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] secondary accounting 10.110.1.1 1813
1.2.21 secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal notation. By default, the IP address of the secondary authentication/authorization server is 0.0.0.0.
port-number: UDP port number, ranging from 1 to 65,535. By default, the UDP port number of the secondary authentication/authorization service is 1812.
Description
Use the secondary authentication command to set the IP address and port number of the secondary RADIUS authentication/authorization server.
Use the undo secondary authentication command to restore the default IP address and port number of the secondary RADIUS authentication/authorization server.
See the description on the primary authentication command for details.
Related commands: key, radius scheme, state.
Examples
# Set the IP address and UDP port number of the secondary authentication/authorization server used by the RADIUS scheme radius1 to 10.110.1.2 and 1812.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] secondary authentication 10.110.1.2 1812
1.2.22 server-type
Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Parameters
extended: Specifies that the switch supports H3C's RADIUS server (generally the CAMS). That is, it is required that the RADIUS client (on the switch) and the RADIUS server interact with each other by using H3C's proprietary RADIUS protocol (such as the procedure and packet format).
standard: Specifies to use the standard RADIUS protocol. That is, it is required that the RADIUS client (on the switch) and the RADIUS server interact with each other following the procedure and packet format of the standard RADIUS protocol (defined in RFC2865/2866 or above).
Description
Use the server-type command to specify the RADIUS server type supported by the switch.
Use the undo server-type command to restore the default RADIUS server type supported by the switch.
By default, the RADIUS server type of a new RADIUS scheme is standard. The type of RADIUS server in the default RADIUS scheme system is extended.
Related commands: radius scheme.
Examples
# Set the RADIUS server type in RADIUS scheme radius1 to extended.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] server-type extended
1.2.23 state
Syntax
state { primary | secondary } { accounting | authentication } { block | active }
View
RADIUS scheme view
Parameters
primary: Specifies the server to be set is a primary RADIUS server.
secondary: Specifies the server to be set is a secondary RADIUS server.
accounting: Specifies the server to be set is a RADIUS accounting server.
authentication: Specifies the server to be set is a RADIUS authentication/authorization server.
block: Sets the status of the specified RADIUS server to block (that is, the down state).
active: Sets the status of the specified RADIUS server to active (that is, the normal working state).
Description
Use the state command to set the status of a RADIUS server.
By default, the primary and secondary servers in a RADIUS scheme are in the block state.
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme, note that:
l When the NAS fails to communicate with the primary server due to some server trouble, the NAS will actively exchange packets with the secondary server.
l After the primary server recovers, the NAS does not immediately restore the communication with the primary server, but keeps communicating with the secondary server until the secondary server also fails. In order for the NAS to quickly restore the communication with the recovered primary server, you need to manually set the state of the primary server to active by using the state command.
l When both the primary and secondary servers are in the active state or block state, the NAS sends packets to the primary server only.
Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.
Examples
# Set the status of the secondary authentication server in RADIUS scheme radius1 to active.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] state secondary authentication active
1.2.24 stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Parameters
None
Description
Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that bring no response.
Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that bring no response.
By default, the switch is enabled to buffer the stop-accounting requests that bring no response.
Stop-accounting requests are critical to billing and will eventually affect the charges; they are important for both the users and the ISP. Therefore, the NAS should do its best to transmit them to the RADIUS accounting server. If the RADIUS accounting server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).
Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Examples
# Enable the switch to buffer the stop-accounting requests that bring no response from the servers in RADIUS scheme radius1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] stop-accounting-buffer enable
1.2.25 timer
Syntax
timer seconds
undo timer
View
RADIUS scheme view
Parameters
seconds: Response timeout time of RADIUS server, ranging from 1 second to 10 seconds. By default, the response timeout time of the RADIUS server is three seconds.
Description
Use the timer command to set the response timeout time of RADIUS server.
Use the undo timer command to restore the default response timeout time of RADIUS server.
Note that:
l If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called response timeout time of RADIUS server; and the timer in the switch system that is used to control this time is called the response timeout timer of RADIUS server. You can use the timer command to set the timeout time of this timer.
l Appropriately setting the timeout time of this timer according to the network situation can improve the performance of the system.
l The timer command achieves the same result as the timer response-timeout command does.
Related commands: radius scheme, retry.
Examples
# Set the timeout time of the response timeout timer for the RADIUS scheme radius1 to 5 seconds.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] timer 5
1.2.26 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Parameters
minutes: Wait time, ranging from 1 minute to 255 minutes. By default, it is 5 minutes.
Description
Use the timer quiet command to set the wait time for the primary server to restore the active state.
Use the undo timer quiet command to restore the default wait time.
Wait time works as follows:
1) The switch sends a RADIUS packet to the primary RADIUS server.
2) After confirming that no response will be received from the primary server, the switch starts to send RADIUS packets to the secondary RADIUS server.
3) At the interval of wait time, the switch sets the state of the primary server to active and sends RADIUS packets to the primary server.
Examples
# Set the wait time for the RADIUS scheme radius1 to 3 minutes.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] timer quiet 3
1.2.27 timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS scheme view
Parameters
minutes: Real-time accounting interval. It ranges from 3 minutes to 60 minutes and must be a multiple of 3. By default, this interval is 12 minutes.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default real-time accounting interval.
Note that:
l To charge the users in real time, you should set the interval of real-time accounting. After the setting, the NAS sends the accounting information of online users to the RADIUS server at regular intervals.
l The setting of the real-time accounting interval depends to some degree on the performance of the NAS and the RADIUS server. The higher the performance of the NAS and the RADIUS server is, the shorter the interval can be. It is recommended to set the interval as long as possible when the number of users is relatively large (≥1000). Table 1-5 lists the numbers of users and the corresponding recommended intervals.
Table 1-5 Numbers of users and corresponding recommended intervals
Number of users | Real-time accounting interval (minutes) |
---|---|
1 to 99 | 3 |
100 to 499 | 6 |
500 to 999 | 12 |
≥1000 | ≥15 |
Related commands: retry realtime-accounting, radius scheme.
Examples
# Set the real-time accounting interval of the RADIUS scheme radius1 to 51 minutes.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] timer realtime-accounting 51
1.2.28 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Parameters
seconds: Response timeout time of RADIUS servers, ranging from 1 second to 10 seconds. By default, the response timeout time of the RADIUS server is three seconds.
Description
Use the timer response-timeout command to set the response timeout time of RADIUS servers.
Use the undo timer response-timeout command to restore the default response timeout timer of RADIUS servers.
Note that:
l If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called response timeout time of RADIUS servers; and the timer in the switch system that is used to control this time is called the response timeout timer of RADIUS servers. You can use the timer response-timeout command to set the timeout time of this timer.
l Appropriately setting the timeout time of this timer according to the network situation can improve the performance of the system.
l This command achieves the same result as the timer command does.
Related commands: radius scheme, retry.
Examples
# Set the response timeout time in the RADIUS scheme radius1 to five seconds.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] timer response-timeout 5
1.2.29 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS scheme view
Parameters
with-domain: Specifies to include ISP domain names in the user names to be sent to RADIUS servers.
without-domain: Specifies to exclude ISP domain names from the user names to be sent to RADIUS servers.
Description
Use the user-name-format command to set the format of the user names to be sent to RADIUS servers.
By default, except for the default RADIUS scheme system, the user names sent to RADIUS servers in any RADIUS scheme carry ISP domain names.
Generally, an access user is named in the userid@isp-name format. isp-name behind the @ character represents the ISP domain name, by which the device determines which ISP domain it should ascribe the user to. However, some old RADIUS servers cannot accept the user names that carry ISP domain names. In this case, it is necessary to remove the domain names carried in the user names before sending the user names to the RADIUS server. For this reason, the user-name-format command is available for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.
Note:
For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the user names sent to it are the same).
Related commands: radius scheme.
Examples
# Specify that the user names sent to a RADIUS server in RADIUS scheme radius1 does not carry ISP domain names.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme radius1
[H3C-radius-radius1] user-name-format without-domain
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format { data | packet }
View
HWTACACS scheme view
Parameters
data: Sets the unit of measure for data.
byte: Specifies to measure data in bytes.
giga-byte: Specifies to measure data in gigabytes.
kilo-byte: Specifies to measure data in kilobytes.
mega-byte: Specifies to measure data in megabytes.
packet: Sets the unit of measure for packets.
giga-packet: Specifies to measure packets in giga-packets. This means each giga-packet contains 1 G packets.
kilo-packet: Specifies to measure packets in kilo-packets. This means each kilo-packet contains 1 K packets.
mega-packet: Specifies to measure packets in mega-packets. This means each mega-packet contains 1 M packets.
one-packet: Specifies to measure packets in packets. This means each one-packet contains one packet.
Description
Use the data-flow-format command to set the units of measure for data flows sent to the TACACS server.
Use the undo data-flow-format command to restore the default units of measure.
By default, the unit of measure for data is byte and that for packets is one-packet.
Related commands: display hwtacacs.
Examples
# Specify to measure data and packets in data flows sent to the TACACS server in kilo-bytes and kilo-packets, respectively.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] data-flow-format data kilo-byte
[H3C-hwtacacs-test1] data-flow-format packet kilo-packet
1.3.2 display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
View
Any view
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.
statistics: Displays complete statistics about the HWTACACS scheme.
Description
Use the display hwtacacs command to display the configuration or statistics of the specified or all HWTACACS schemes.
By default, this command displays the configuration of all HWTACACS schemes.
Related commands: hwtacacs scheme.
Examples
# Display configuration information of HWTACACS scheme gy.
<H3C> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
Source-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : No
Traffic-unit : B
Packet traffic-unit : one-packet
-------------------------------------------------------------
Total 1,1 printed
1.3.3 display stop-accounting-buffer
Syntax
display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered stop-accounting requests according to the HWTACACS scheme specified by hwtacacs-scheme-name, the name of HWTACACS scheme, a character string of up to 32 characters.
session-id session-id: Displays information on buffered stop-accounting requests according to the session ID specified by session-id, a character string of up to 50 characters.
time-range start-time stop-time: Displays information on buffered stop-accounting requests according to the request time, where, start-time is the start time of the stop-accounting request; stop-time is the end time of stop-accounting request. This argument is in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd and is used to display the buffered stop-accounting requests from the start time to the end time.
user-name user-name: Displays information on buffered stop-accounting requests according to the user name specified by user-name, a character string of up to 32 characters.
Description
Use the display stop-accounting-buffer command to display information on the stop-accounting requests buffered in the switch.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.
Examples
# Display the stop-accounting requests buffered in the HWTACACS scheme abc.
<H3C> display stop-accounting-buffer hwtacacs-scheme abc
1.3.4 hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameters
ip-address: Specifies a source IP address for the switch, which cannot be an all-zero address, class D address, class A, B, and C broadcast address, or 127 network segment address.
Description
Use the hwtacacs nas-ip command to specify the source address of the hwtacacs packet sent from NAS.
Use the undo hwtacacs nas-ip command to restore the default setting.
Note that:
l By specifying the source address of the hwtacacs packet, you can avoid destination unreachable packets returned from the server upon interface failure. The source address is normally recommended to be a loopback interface address.
l When you configure the source address for the NAS to send HWTACACS packets, the priority of HWTACACS scheme view is higher than that of system view.
l By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.
l This command specifies only one source address; therefore, the newly configured source address will overwrite the original one.
Examples
# Configure the switch to send hwtacacs packets from 129.10.10.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs nas-ip 129.10.10.1
1.3.5 hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Parameters
hwtacacs-scheme-name: Specifies an HWTACACS scheme name, with a character string of 1 to 32 characters.
Description
Use the hwtacacs scheme command to enter HWTACACS scheme view and create the specified HWTACACS scheme if it does not exist.
Use the undo hwtacacs scheme command to delete an HWTACACS scheme.
Examples
# Create an HWTACACS scheme named test1 and enter the relevant HWTACACS scheme view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
Create a new HWTACACS-server scheme
[H3C-hwtacacs-test1]
1.3.6 key
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string
View
HWTACACS scheme view
Parameters
accounting: Specifies a shared key for the accounting server.
authentication: Specifies a shared key for the authentication server.
authorization: Specifies a shared key for the authorization server.
string: Shared key, a string containing 0 to 16 characters.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting server.
Use the undo key command to delete the configuration.
By default, no key is set for any TACACS server.
The TACACS client (on the switch) and the TACACS server use the MD5 algorithm to encrypt the HWTACACS packets communicated between them. They authenticate packets by using shared keys. Either of them receives and responds to the packet sent from the other party only when their shared keys are the same. Therefore, the shared key set on the switch and that on the TACACS server must be the same.
If the authentication/authorization server and the accounting server are different and the shared keys for the two servers are different, a shared key must be set for authentication/authorization packets and accounting packets.
Related commands: display hwtacacs.
Examples
# Use hello as the shared key for TACACS accounting server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] key accounting hello
1.3.7 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Parameters
ip-address: Specified source IP address, in dotted decimal notation.
Description
Use the nas-ip command to specify the source address for sending HWTACACS packets so that all packets sent to the TACACS server carry the same source IP address.
Use the undo nas-ip command to remove the configuration.
By specifying the source address of the HWTACACS packet, you can avoid destination unreachable packets returned from the server upon interface failure. The source address is normally recommended to be a loopback interface address.
By default, the source IP address of the packets is the IP address of the sending interface.
Related commands: display hwtacacs, hwtacacs nas-ip.
Examples
# Set the source IP address of the HWTACACS packets sent by the NAS (switch) to 10.1.1.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] nas-ip 10.1.1.1
1.3.8 primary accounting
Syntax
primary accounting ip-address [ port ]
undo primary accounting
View
HWTACACS scheme view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.
Description
Use the primary accounting command to configure a primary TACACS accounting server.
Use the undo primary accounting command to delete the configured primary TACACS accounting server.
By default, the IP address of TACACS accounting server is 0.0.0.0.
Note that:
l You cannot assign the same IP address to both primary and secondary accounting servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an accounting server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Examples
# Configure a primary accounting server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary accounting 10.163.155.12 49
1.3.9 primary authentication
Syntax
primary authentication ip-address [ port ]
undo primary authentication
View
HWTACACS scheme view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.
Description
Use the primary authentication command to configure a TACACS authentication server.
Use the undo primary authentication command to delete the configured authentication server.
By default, the IP address of TACACS authentication server is 0.0.0.0.
Note that:
l You cannot assign the same IP address to both primary and secondary authentication servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authentication server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related commands: display hwtacacs.
Examples
# Configure a primary authentication server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary authentication 10.163.155.13 49
1.3.10 primary authorization
Syntax
primary authorization ip-address [ port ]
undo primary authorization
View
HWTACACS scheme view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.
Description
Use the primary authorization command to configure a primary TACACS authorization server.
Use the undo primary authorization command to delete the configured primary authorization server.
By default, the IP address of TACACS authorization server is 0.0.0.0.
Note that:
l You cannot assign the same IP address to both primary and secondary authorization servers; otherwise, unsuccessful operation is prompted.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authorization server only when it is not being used by any active TCP connections, and the removal impacts only packets forwarded afterwards.
Related commands: display hwtacacs.
Examples
# Configure a primary authorization server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary authorization 10.163.155.13 49
1.3.11 reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }
View
User view
Parameters
accounting: Clears all the HWTACACS accounting statistics.
authentication: Clears all the HWTACACS authentication statistics.
authorization: Clears all the HWTACACS authorization statistics.
all: Clears all statistics.
Description
Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.
Related commands: display hwtacacs.
Examples
# Clear all HWTACACS protocol statistics.
<H3C> reset hwtacacs statistics all
1.3.12 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests that belong to the specified HWTACACS scheme. The hwtacacs-scheme-name argument is a string of up to 32 characters, excluding question marks (?).
session-id session-id: Deletes the buffered stop-accounting requests with the session ID specified by session-id, a string of up to 50 characters.
time-range start-time stop-time: Deletes the buffered stop-accounting requests generated between start-time and stop-time, where start-time is the start time and stop-time is the end time of the range. Both times are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Deletes the buffered stop-accounting requests of the user specified by user-name, a string of up to 32 characters.
Description
Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the switch.
Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Examples
# Delete the buffered stop-accounting requests that belong to HWTACACS scheme abc.
<H3C> reset stop-accounting-buffer hwtacacs-scheme abc
1.3.13 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Parameters
retry-times: Maximum number of transmission attempts for a stop-accounting request, in the range 1 to 300. It defaults to 100.
Description
Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.
Use the undo retry stop-accounting command to restore the default setting.
By default, stop-accounting packet retransmission is enabled and has 100 attempts for each request.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# Enable stop-accounting packet retransmission and allow up to 50 attempts for each request.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] retry stop-accounting 50
1.3.14 secondary accounting
Syntax
secondary accounting ip-address [ port ]
undo secondary accounting
View
HWTACACS scheme view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation.
port: Port number of the server, in the range of 1 to 65,535. It defaults to 49.
Description
Use the secondary accounting command to configure a secondary TACACS accounting server.
Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.
By default, the IP address of the TACACS accounting server is 0.0.0.0.
Note that:
l You cannot assign the same IP address to both the primary and secondary accounting servers; otherwise, the switch reports that the operation failed.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an accounting server only when it is not being used by any active TCP connections.
Examples
# Configure a secondary accounting server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary accounting 10.163.155.12 49
1.3.15 secondary authentication
Syntax
secondary authentication ip-address [ port ]
undo secondary authentication
View
HWTACACS scheme view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, in the range of 1 to 65,535. It defaults to 49.
Description
Use the secondary authentication command to configure a secondary TACACS authentication server.
Use the undo secondary authentication command to delete the configured secondary server.
By default, the IP address of the TACACS authentication server is 0.0.0.0.
Note that:
l You cannot assign the same IP address to both the primary and secondary authentication servers; otherwise, the switch reports that the operation failed.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authentication server only when it is not being used by any active TCP connections.
Related commands: display hwtacacs.
Examples
# Configure a secondary server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary authentication 10.163.155.13 49
1.3.16 secondary authorization
Syntax
secondary authorization ip-address [ port ]
undo secondary authorization
View
HWTACACS scheme view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port: Port number of the server, in the range of 1 to 65,535. By default, it is 49.
Description
Use the secondary authorization command to configure a secondary TACACS authorization server.
Use the undo secondary authorization command to delete the configured secondary authorization server.
By default, the IP address of the TACACS authorization server is 0.0.0.0.
Note that:
l You cannot assign the same IP address to both primary and secondary authorization servers.
l If you repeatedly use this command, the latest configuration overwrites the previous one.
l You can remove an authorization server only when it is not being used by any active TCP connections.
Related commands: display hwtacacs.
Examples
# Configure the secondary authorization server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary authorization 10.163.155.13 49
1.3.17 stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
HWTACACS scheme view
Parameters
None
Description
Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that receive no response.
Use the undo stop-accounting-buffer enable command to disable the buffering of stop-accounting requests that receive no response.
By default, the switch buffers the stop-accounting requests that receive no response.
Stop-accounting requests are critical to billing and will eventually affect the charges; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the HWTACACS accounting server. If the HWTACACS accounting server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the HWTACACS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).
Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# Enable the switch to buffer the stop-accounting requests that receive no response from the servers in HWTACACS scheme test1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] stop-accounting-buffer enable
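The buffering, retransmission and discard behaviour described above, together with the retry stop-accounting limit and the reset stop-accounting-buffer filters, as an added Python model; it is not switch code, and the class, record fields and the server_ok callback are assumptions used to stand in for the accounting server.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class StopAcctRequest:  # constructed record; field names are assumptions
    session_id: str
    user_name: str
    scheme: str
    attempts: int = 0  # transmissions so far

class StopAccountingBuffer:
    # buffer_enabled models `stop-accounting-buffer enable`;
    # retry_times models `retry stop-accounting` (1 to 300, default 100)
    def __init__(self, buffer_enabled: bool = True, retry_times: int = 100):
        if not 1 <= retry_times <= 300:
            raise ValueError("retry-times must be in the range 1 to 300")
        self.buffer_enabled, self.retry_times = buffer_enabled, retry_times
        self.buffered: List[StopAcctRequest] = []
        self.discarded: List[StopAcctRequest] = []

    def send(self, req: StopAcctRequest,
             server_ok: Callable[[StopAcctRequest], bool]) -> bool:
        # First transmission: an unanswered request is buffered, or dropped
        # outright when buffering is disabled.
        req.attempts += 1
        if server_ok(req):
            return True
        (self.buffered if self.buffer_enabled else self.discarded).append(req)
        return False

    def retransmit(self, server_ok: Callable[[StopAcctRequest], bool]) -> int:
        # One pass over the buffer; a request reaching retry_times is discarded.
        acked, waiting = 0, []
        for req in self.buffered:
            req.attempts += 1
            if server_ok(req):
                acked += 1
            elif req.attempts >= self.retry_times:
                self.discarded.append(req)
            else:
                waiting.append(req)
        self.buffered = waiting
        return acked

    def reset_buffer(self, **match: str) -> int:
        # Models `reset stop-accounting-buffer` with one filter, for example
        # scheme="abc" or user_name="alice"; returns the number cleared.
        before = len(self.buffered)
        self.buffered = [r for r in self.buffered
                         if not all(getattr(r, k) == v for k, v in match.items())]
        return before - len(self.buffered)
```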
1.3.18 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Parameters
minutes: Length of the quiet timer in minutes, in the range of 1 to 255. By default, the primary server must wait five minutes before it resumes the active state.
Description
Use the timer quiet command to set the duration that a primary server must wait before it can resume the active state.
Use the undo timer quiet command to restore the default (five minutes).
With the timer quiet command configured, the switch stops processing user request packets when communication between the switch and the server is interrupted, and does not send user request packets to the server again until the wait time is equal to or greater than the time configured with the timer quiet command.
Related commands: display hwtacacs.
Examples
# Set the quiet timer for the primary server to 10 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer quiet 10
1.3.19 timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS scheme view
Parameters
minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes. By default, the real-time accounting interval is 12 minutes.
Description
Use the timer realtime-accounting command to configure a real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
Note that:
l A real-time accounting interval is required for real-time accounting. After the interval is set, the switch sends the accounting information of online users to the TACACS accounting server at that interval.
l The setting of the real-time accounting interval depends somewhat on the performance of the switch and the TACACS server: a shorter interval requires higher device performance. It is therefore recommended to use a longer interval when there are many users (1000 or more). Table 1-6 lists the recommended real-time accounting intervals for different numbers of users.
Table 1-6 Recommended intervals for different numbers of users
Number of users | Real-time accounting interval (minutes)
---|---
1 to 99 | 3
100 to 499 | 6
500 to 999 | 12
≥ 1000 | 15
Examples
# Set the real-time accounting interval in the HWTACACS scheme test1 to 51 minutes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer realtime-accounting 51
1.3.20 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Parameters
seconds: Length of the response timer in seconds. It ranges from 1 to 300 and defaults to 5.
Description
Use the timer response-timeout command to set the response timeout timer of the TACACS server.
Use the undo timer response-timeout command to restore the default (five seconds).
Note:
Because HWTACACS is based on TCP, either the server response timeout or the TCP timeout can cause the switch to disconnect from the TACACS server.
Related commands: display hwtacacs.
Examples
# Set the response timeout time of the TACACS server to 30 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer response-timeout 30
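How the two server timers interact (a missed response within timer response-timeout puts the server out of service, and timer quiet governs when it resumes the active state), as an added Python model; it is not switch code, and the class name, the reply_after_s argument and the "ok"/"timeout"/"blocked" outcomes are assumptions.

```python
from typing import Optional

class TacacsServerTimers:
    # Constructed model of `timer response-timeout` (1 to 300 s, default 5)
    # and `timer quiet` (1 to 255 min, default 5) for one primary server.
    def __init__(self, response_timeout_s: int = 5, quiet_minutes: int = 5):
        if not 1 <= response_timeout_s <= 300:
            raise ValueError("response-timeout must be 1 to 300 seconds")
        if not 1 <= quiet_minutes <= 255:
            raise ValueError("quiet timer must be 1 to 255 minutes")
        self.response_timeout_s = response_timeout_s
        self.quiet_s = quiet_minutes * 60
        self.blocked_since: Optional[float] = None  # time the server went quiet

    def is_active(self, now: float) -> bool:
        # The server resumes the active state once the wait time is equal to
        # or greater than the quiet timer.
        if self.blocked_since is None:
            return True
        if now - self.blocked_since >= self.quiet_s:
            self.blocked_since = None
            return True
        return False

    def request(self, now: float, reply_after_s: Optional[float]) -> str:
        # One user request at time `now`. reply_after_s is the server's delay,
        # or None when it never answers (for example, the TCP connection dropped).
        if not self.is_active(now):
            return "blocked"  # quiet timer running: nothing sent to this server
        if reply_after_s is None or reply_after_s > self.response_timeout_s:
            self.blocked_since = now  # response timeout: treat server as down
            return "timeout"
        return "ok"
```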
1.3.21 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS scheme view
Parameters
with-domain: Specifies to send the username with a domain name to the TACACS server.
without-domain: Specifies to send the username without any domain name to the TACACS server.
Description
Use the user-name-format command to configure the username format sent to the TACACS server.
By default, an HWTACACS scheme sends the username to the TACACS server with the ISP domain name included.
Note that:
l Supplicants are generally named in the userid@isp-name format. The part following the @ sign is the ISP domain name, by which the switch assigns the user to the corresponding ISP domain. Some earlier TACACS servers, however, reject usernames that include an ISP domain name; for such servers the domain name must be removed before the username is sent. This command therefore lets you decide whether the username sent to the TACACS server carries the ISP domain name.
l If an HWTACACS scheme is configured to send usernames without the ISP domain name, do not use that scheme in more than one ISP domain. Otherwise, two users in different ISP domains who have the same username (excluding their domain names) are treated by the TACACS server as the same user.
Related commands: hwtacacs scheme.
Examples
# Configure HWTACACS scheme test1 to send the username without any domain name to the TACACS server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] user-name-format without-domain
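The username handling described above, including the check for the identity collision that the note warns about when a without-domain scheme is shared by several ISP domains, as an added Python example; it is not switch code, and the function names and the constructed usernames are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

def split_supplicant(supplicant: str) -> Tuple[str, Optional[str]]:
    # userid@isp-name -> (userid, isp-name); a name without '@' has no domain.
    userid, sep, domain = supplicant.partition("@")
    return userid, (domain if sep else None)

def name_sent_to_tacacs(supplicant: str, fmt: str) -> str:
    # Applies `user-name-format { with-domain | without-domain }`.
    if fmt == "with-domain":
        return supplicant
    if fmt == "without-domain":
        return split_supplicant(supplicant)[0]
    raise ValueError(f"unknown user-name-format: {fmt}")

def tacacs_identity_collisions(supplicants: List[str], fmt: str) -> Dict[str, List[str]]:
    # Names the TACACS server would receive from more than one ISP domain,
    # i.e. distinct users it would wrongly treat as the same account.
    domains_by_name: Dict[str, Set[str]] = defaultdict(set)
    for s in supplicants:
        domains_by_name[name_sent_to_tacacs(s, fmt)].add(split_supplicant(s)[1] or "")
    return {name: sorted(doms) for name, doms in domains_by_name.items() if len(doms) > 1}

def scheme_safe_for_domains(supplicants: List[str], fmt: str) -> bool:
    # True when the scheme can be shared by these users' ISP domains without
    # identity collisions on the TACACS server.
    return not tacacs_identity_collisions(supplicants, fmt)
```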
Chapter 2 EAD Configuration Commands
2.1 EAD Configuration Commands
2.1.1 security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server [ ip-address | all ]
View
RADIUS scheme view
Parameters
ip-address: IP address of the security policy server.
all: All IP addresses of security policy servers.
Description
Use the security-policy-server command to specify an IP address for a security policy server.
Use the undo security-policy-server command to delete the specified IP address.
Each RADIUS scheme supports at most eight security policy server IP addresses. The switch responds only to session control packets that come from the authentication server or a security policy server.
Examples
# Set the IP address of the security policy server to 192.168.0.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] radius scheme abc
[H3C-radius-abc] security-policy-server 192.168.0.1
[H3C-radius-abc] display current-configuration
…
radius scheme abc
primary authentication 1.1.11.29 1812
secondary authentication 127.0.0.1 1645
security-policy-server 192.168.0.1
user-name-format without-domain
…