enable max-user-number: Specifies that the system limit the number of accessing users in the current ISP domain. max-user-number is the maximum number of accessing users in the current ISP domain. The valid range is from 1 to 1024.

Description

Use the access-limit enable command to set the maximum number of accessing users allowed by an ISP domain.

Use the undo access-limit or access-limit disable command to remove the limitation.

By default, there is no limit to the amount of supplicants in an ISP domain.

As the supplicants may compete for network resources, setting a proper limit to the amount of accessing users helps in providing a reliable system performance.

Examples

# Set a limit of 500 supplicants for ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] access-limit enable 500

1.1.2 accounting default

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting default

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting default command to specify the default accounting scheme for all types of users.

Use the undo accounting default command to restore the default.

By default, the accounting scheme is local.

Note that:

l The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

l The accounting scheme specified with the accounting default command is for all types of users and has a priority lower than that for a specific access mode.

l Local accounting is only for managing the local user connection number; it does not provide the statistics function. The local user connection number management is only for local accounting; it does not affect local authentication and authorization.

l With the access mode of login, accounting is not supported for FTP services.

Related commands: authentication default, authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting scheme for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for all types of users and to use the local accounting scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default radius-scheme rd local

1.1.3 accounting lan-access

Syntax

accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

View

ISP domain view

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting lan-access command to specify the accounting scheme for LAN access users.

Use the undo accounting lan-access command to restore the default.

By default, the default accounting scheme is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting scheme for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for LAN access users and to use the local accounting scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access radius-scheme rd local

1.1.4 accounting login

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting login

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting login command to specify the accounting scheme for login users.

Use the undo accounting login command to restore the default.

By default, the default accounting scheme is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting scheme for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for login users and to use the local accounting scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login radius-scheme rd local

1.1.5 accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameters

None

Description

Use the accounting optional command to enable the accounting optional feature.

Use the undo accounting optional command to disable the feature.

By default, the feature is disabled.

Note that:

l With the accounting optional command configured, a user that will be disconnected otherwise can use the network resources even when there is no available accounting server or the communication with the current accounting server fails. This command is normally used when authentication is required but accounting is not.

l If you configure the accounting optional command for a domain, the device does not send real-time accounting updates or stop-accounting requests for users of the domain any more.

Examples

# Enable the accounting optional feature for users in domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] accounting optional

1.1.6 attribute

Syntax

attribute { access-limit max-user-number | idle-cut minute | ip ip-address | location { [ nas-ip ip-address ] port slot-number subslot-number port-number } | mac mac-address | vlan vlan-id } *

undo attribute { access-limit | idle-cut | ip | location | mac |vlan } *

View

Local user view

Parameters

access-limit max-user-number: Specifies the maximum number of concurrent users that can log in using the current username, which ranges from 1 to 1024.

idle-cut minute: Configures the idle cut function. The idle cut period ranges from 1 to 120, in minutes.

ip ip-address: Specifies the IP address of the user. The attribute ip command only applies to authentications that support IP address passing, such as 802.1x. If you configure the command to authentications that do not support IP address passing, such as MAC address authentication, the local authentication will fail.

location: Specifies the port binding attribute of the user.

nas-ip ip-address: Specifies the IP address of the port of the remote access server bound by the user. The default is 127.0.0.1, that is, the device itself. This keyword and argument combination is required only when the user is bound to a remote port.

port slot-number subslot-number port-number: Specifies the port to which the user is bound. The value of slot-number and subslot-number both range from 0 to 15. The value of port-number ranges from 0 to 255. The ports bounded are determined by port number, regardless of port type.

mac mac-address: Specifies the MAC address of the user in the format of H-H-H.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is an integer in the range 1 to 4094.

Description

Use the attribute command to set some of the attributes for a LAN access user.

Use the undo attribute command to remove the configuration.

The idle-cut command in ISP domain view applies to lan-access users only.

Related commands: display local-user.

Examples

# Set the IP address of local user user1 to 10.110.50.1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] attribute ip 10.110.50.1

1.1.7 authentication default

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication default

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication default command to specify the default authentication scheme for all types of users.

Use the undo authentication default command to restore the default.

By default, the authentication scheme is local.

Note that:

l The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

l The authentication scheme specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.

Related commands: authorization default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local authentication scheme for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for all types of users and to use the local authentication scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default radius-scheme rd local

1.1.8 authentication lan-access

Syntax

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

View

ISP domain view

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication lan-access command to specify the authentication scheme for LAN access users.

Use the undo authentication login command to restore the default.

By default, the default authentication scheme is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use the local authentication scheme for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for LAN access users and to use the local authentication scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access radius-scheme rd local

1.1.9 authentication login

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication login

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication login command to specify the authentication scheme for login users.

Use the undo authentication login command to restore the default.

By default, the default authentication scheme is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local authentication scheme for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for login users and to use the local authentication scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login radius-scheme rd local

1.1.10 authorization command

Syntax

authorization command hwtacacs-scheme hwtacacs-scheme-name

undo authorization command

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization command command to specify the authorization scheme for command line users.

Use the undo authorization command command to restore the default.

By default, the default authorization scheme is used for command line users.

Note that the HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, hwtacacs scheme.

Examples

# Configure the default ISP domain system to use HWTACACS authorization scheme hw for command line users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization command hwtacacs-scheme hw

1.1.11 authorization default

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization default

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization default command to specify the authorization scheme for all types of users.

Use the undo authorization default command to restore the default.

By default, the authorization scheme for all types of users is local.

Note that:

l The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

l The authorization scheme specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.

l RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

Related commands: authentication default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local authorization scheme for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for all types of users and to use the local authorization scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default radius-scheme rd local

1.1.12 authorization lan-access

Syntax

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

View

ISP domain view

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization lan-access command to specify the authorization scheme for LAN access users.

Use the undo authorization lan-access command to restore the default.

By default, the default authorization scheme is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use the local authorization scheme for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system]authorization lan-access local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for LAN access users and to use the local authorization scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization lan-access radius-scheme rd local

1.1.13 authorization login

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization login

View

ISP domain view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization login command to specify the authorization scheme for login users.

Use the undo authorization login command to restore the default.

By default, the default authorization scheme is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local authorization scheme for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for login users and to use the local authorization scheme as the backup scheme.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login radius-scheme rd local

1.1.14 cut connection

Syntax

cut connection { access-type { dot1x | mac-authentication } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id }

View

System view

Parameters

access-type: Specifies user connections of an access mode.

l dot1x: Specifies 802.1x authentication user connections.

l mac-authentication: Specifies MAC authentication user connections.

all: Specifies all user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.

interface interface-type interface-number: Specifies all user connections of an interface.

ip ip-address: Specifies a user connection by IP address.

mac mac-address: Specifies a user connection by MAC address. The MAC address must be in the format of H-H-H.

ucibindex ucib-index: Specifies a user connection by connection index. The value range is from 0 to 4294967295.

user-name user-name: Specifies a user connection by username.

vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.

Description

Use the cut connection command to tear down the specified connecitons forcibly.

At present, this command applies to only LAN access user connections.

Related commands: display connection, service-type.

Examples

# Tear down all connections in ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] cut connection domain aabbcc.net

1.1.15 display connection

Syntax

display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ]

View

Any view

Parameters

access-type { dot1x | mac-authentication }: Specifies user connections of an access mode, that is, 802.1x user connections or MAC authentication user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.

interface interface-type interface-number: Specifies all user connections of an interface.

ip ip-address: Specifies all user connections using the specified IP address.

mac mac-address: Specifies all user connections using the specified MAC address. The MAC address must be in the format of H-H-H.

ucibindex ucib-index: Specifies all user connections using the specified connection index. The value range is from 0 to 4294967295.

user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters.

vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.

Description

Use the display connection command to display information about specified or all AAA user connections.

This command does not apply to FTP user connections.

Related commands: cut connection.

Examples

# Display information about all AAA user connections.

<Sysname> display connection

Index=1 ,Username=telnet@system

IP=10.0.0.1

Total 1 connection(s) matched.

Table 1-1 Description on the fields of the display connection command

Field	Description
Index	Index number
Username	Username of the connection, in the format username@domain
IP	IP address of the user
Total 1 connection(s) matched.	Total number of user connections

1.1.16 display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameters

isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.

Description

Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains.

Related commands: access-limit, domain, state.

Examples

# Display the configuration information of all ISP domains.

<Sysname> display domain

0 Domain = aabbcc

State = Active

Access-limit = Disable

Accounting method = Required

Default authentication scheme : local

Default authorization scheme : local

Default accounting scheme : local

Lan-access authentication scheme : radius=test, local

Lan-access authorization scheme : hwtacacs=hw, local

Lan-access accounting scheme : local

Domain User Template:

Idle-cut = Disable

Self-service = Disable

1 Domain = system

State = Active

Access-limit = Disable

Accounting method = Required

Default authentication scheme : local

Default authorization scheme : local

Default accounting scheme : local

Domain User Template:

Idle-cut = Disable

Self-service = Disable

Default Domain Name: system

Total 2 domain(s)

Table 1-2 Description on the fields of the display domain command

Field	Description
Domain	Domain name
State	Status of the domain (active or block)
Access-limit	Access limit (disabled or enabled)
Accounting method	Accounting method (either required or optional)
Default authentication scheme	Default authentication scheme
Default authorization scheme	Default authorization scheme
Default accounting scheme	Default accounting scheme
Authentication scheme	Authentication scheme
Authorization scheme	Authentication scheme
Accounting scheme	Accounting scheme
Domain User Template	Template for users in the domain
Idle-cut	Whether idle cut is enabled
Self-service	Whether self service is enabled
Total 2 domain(s).	2 ISP domains in total

1.1.17 display local-user

Syntax

display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

View

Any view

Parameters

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.

service-type: Specifies the local users of a type.

l ftp refers to users using FTP;

l lan-access refers to users accessing the network through an Ethernet, such as 802.1x users;

l ssh refers to users using SSH;

l telnet refers to users using Telnet;

l terminal refers to users logging in through the console port, AUX port, or Asyn port.

state { active | block }: Specifies all local users in the state of active or block. A local user in the state of active can access network services, while a local user in the state of blocked cannot.

user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters.

vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.

Description

Use the display local-user command to display information about specified or all local users.

Related commands: local-user.

Examples

# Display the information of all local users.

<Sysname> display local-user

The contents of local user abc:

State: Active

ServiceType: ftp

Idle-cut: Disable

Access-limit: Enable Current AccessNum: 0

Bind location: 2.2.2.2/3/2/255 (NAS/SLOT/SUBSLOT/PORT)

Vlan ID: Disable

IP address: Disable

MAC address: Disable

Password-Aging: Enable(90 day(s))

Password-Length: Enable(10 character(s))

Password-Composition: Enable(1 type(s), 1 character(s) per type)

Total 1 local user(s) matched.

Table 1-3 Description on the fields of the display local-user command

Field	Description
State	Status of the local user, active or block
ServiceType	Service types that the user can use (ftp, lan-access, ssh, telnet, terminal)
Idle-cut	Whether idle cut is enabled
Access-limit	Accessing user connection limit
Current AccessNum	Number of users currently accessing network services
Bind location	Whether bound with a port
VLAN ID	VLAN to which the user belongs
IP address	IP address of the user
MAC address	MAC address of the user
Password-Aging	Aging time of the local user password
Password-Length	Minimum length of the local user password
Password-Composition	Password composition policy of the local user
Total 1 local user(s) matched.	1 local user in total

1.1.18 domain

Syntax

domain isp-name

undo domain isp-name

View

System view

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), and @.

Description

Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.

Use the domain default command to specify the default ISP domain and enter ISP domain view.

Use the undo domain command to remove an ISP domain.

By default, the system uses the domain of system. You can view its settings by executing the display domain command.

If the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

Related commands: access-limit, state, display domain.

Examples

# Create ISP domain aabbcc.net, and enter ISP domain view.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net]

1.1.19 domain default

Syntax

domain default { disable | enable isp-name }

View

System view

Parameters

disable: Disables the configured default ISP domain.

enable: Enables the configured default ISP domain.

isp-name: Name of the ISP, a string of 1 to 24 characters.

Description

Use the domain default command to manually configure the system default ISP domain.

By default, the default domain is named system.

Note that:

l There must be only one default ISP domain.

l When configure a default domain, this domain must have existed.

l The default domain configured cannot be deleted unless you cancel it as a default domain first.

Related commands: state, display domain.

Examples

# Create a new ISP domain named aabbcc.net, and configure it as the default ISP domain.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] quit

[Sysname] domain default enable aabbcc.net

1.1.20 idle-cut

Syntax

idle-cut { disable | enable minute }

View

ISP domain view

Parameters

disable: Disables the idle cut function.

enable minute: Enables the idle cut function. The minute argument refers to the allowed idle duration, in the range 1 to 120 minutes.

Description

Use the idle-cut command to enable or disable the idle cut function.

By default, the function is disabled.

Related commands: domain.

Examples

# Enable the idle cut function and set the idle threshold to 50 minutes for ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] idle-cut enable 50

1.1.21 level

Syntax

level level

undo level

View

Local user view

Parameters

level: Priority level for the user, which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower priority.

Description

Use the level command to set the priority level of a user.

Use the undo level command to restore the default.

By default, the user priority is 0.

Note that:

l If you specify not to perform authentication or use password authentication, the level of the commands that a user can use after logging in depends on the priority of the user interface. For details about the authentication, refer to command authentication-mode in Login Commands.

l If you specify an authentication method that requires the username and password, the level of the commands that a user can use after logging in depends on the priority of the user. For an SSH user using RSA public key authentication, the commands that can be used depend on the level configured on the user interface.

Related commands: local-user.

Examples

# Set the level of user user1 to 3.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] level 3

1.1.22 local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet |terminal } ] }

View

System view

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 55 characters. It cannot include the domain name and cannot contain any back slash (\), vertical bar (|), forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>) or @. In addition, it cannot be a, al, or all.

all: Specifies all users.

service-type: Specifies the users of a type.

l ftp refers to users using FTP;

l lan-access refers to users accessing the network through an Ethernet, such as 802.1x users;

l ssh refers to users using SSH;

l telnet refers to users using Telnet;

l terminal refers to users logging in through the console port, AUX port, or Asyn port;

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to remove the specified local users.

By default, no local user is configured.

Related commands: display local-user, service-type.

Examples

# Add a local user named user1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1]

1.1.23 local-user password-display-mode

Syntax

local-user password-display-mode { auto | cipher-force }

undo local-user password-display-mode

View

System view

Parameters

auto: Displays the password of an accessing user based on the configuration of the user by using the password command.

cipher-force: Displays the passwords of all accessing users in cipher text.

Description

Use the local-user password-display-mode command to set the password display mode for all local users.

Use the undo local-user password-d isplay-mode command to restore the default.

The default mode is auto.

With the cipher-force mode configured:

l A local user password is always displayed in cipher text, regardless of the configuration of the password command.

l If you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the device restarts, even if you restore the display mode to auto.

Related commands: display local-user, password.

Examples

# Specify to display the passwords of all accessing users in cipher text.

[Sysname] local-user password-display-mode cipher-force

1.1.24 password

Syntax

password { cipher | simple } password

undo password

View

Local user view

Parameters

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in plain text.

password: Password for the local user.

l In plain text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.

l In cipher text, it must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

l With the simple keyword, you must specify the password in plain text. With the cipher keyword, you can specify the password in either plain or cipher text.

Description

Use the password command to configure a password for a local user.

Use the undo password command to delete the password of a local user.

Note that:

l With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.

l With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.

Related commands: display local-user.

Examples

# Set the password of user1 to 123456 and specify to display the password in plain text.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] password simple 123456

1.1.25 self-service-url

Syntax

self-service-url { disable | enable url-string }

undo self-service-url

View

ISP domain view

Parameters

disable: Disable the self-service server localization function.

enable url-string: Enable the self-service server localization function. The url-string argument refers to the URL of the self-service server for changing user password. The URL is a string of 1 to 64 characters that starts with http:// and cannot contain any question mark.

Description

Use the self-service-url enable command to enable the self-service server localization function and specify the URL of the self-service server for changing user password.

Use the self-service-url disable command or the undo self-service-url command to disable the self-service server localization function.

By default, the function is disabled.

Note that:

l A self-service RADIUS server, for example, CAMS, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

l After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1x client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.

l Only authenticated users can select [Service/Change Password] from the 802.1x client. The option is gray and unavailable for unauthenticated users.

Examples

# Enable the self-service server localization function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default ISP domain system.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

1.1.26 service-type

Syntax

service-type { lan-access | { ssh | telnet | terminal } * [ level level ] }

undo service-type { lan-access | { ssh | telnet | terminal } * }

View

Local user view

Parameters

lan-access: Authorizes the user to use the Ethernet to access the network. The user can be, for example, an 802.1x user.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service, allowing the user to login from the console, AUX or Asyn port.

level level: Sets the user level of a Telnet, terminal, or SSH user. The level argument is an integer in the range 0 to 3 and defaults to 0.

Description

Use the service-type command to specify the service types that a user can use.

Use the undo service-type command to delete one or all service types configured for a user.

By default, a user is authorized with no service.

Related commands: service-type ftp.

Examples

# Authorize user user1 to use the Telnet service.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type telnet

1.1.27 service-type ftp

Syntax

service-type ftp

undo service-type ftp

View

Local user view

Parameters

None

Description

Use the service-type ftp command to authorize a user to use the FTP service.

Use the undo service-type ftp command to disable a user from using the FTP service.

By default, no service is authorized to a user and anonymous access to FTP service is not allowed. If you authorize a user to use the FTP service but do not specify a directory that the user can access, the user can access the root directory of the device by default.

Related commands: work-directory, service-type.

Examples

# Authorize user user1 to use the FTP service.

[Sysname-luser-user1] service-type ftp

1.1.28 state

Syntax

state { active | block }

View

ISP domain view, local user view

Parameters

active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services.

block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the status of the current ISP domain or local user.

By default, an ISP domain is active when created. So does a local user.

By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. Note that the online users are not affected.

By blocking a user, you disable the user from requesting network services. No other users are affected.

Related commands: domain.

Examples

# Place the current ISP domain aabbcc.net to the state of blocked.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] state block

# Place the current user user1 to the state of blocked.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-user-user1] state block

1.1.29 work-directory

Syntax

work-directory directory-name

undo work-directory

View

Local user view

Parameters

directory-name: Name of the directory that FTP/SFTP users are authorized to access, a case-insensitive string of 1 to 135 characters.

Description

Use the work-directory command to specify the directory accessible to FTP/SFTP users.

Use the undo work-directory command to restore the default.

By default, FTP/SFTP users can access the root directory of the device.

Note that:

l The specified directory accessible to users must exist.

l If you use a file system command to delete the specified directory, FTP/SFTP users will no longer access the directory.

Examples

# Specify the directory accessible to FTP/SFTP users.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] work-directory flash:/

1.2 RADIUS Configuration Commands

1.2.1 accounting-on enable

Syntax

accounting-on enable

undo accounting-on enable

View

RADIUS scheme view

Parameters

None

Description

Use the accounting-on enable command to enable the accounting-on function. After doing so, when the device reboots, a message will be sent to the RADIUS server to force the users of the device offline.

Use the undo accounting-on enable command to disable the accounting-on function.

By default, the accounting-on function is disabled.

Note that:

l Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable send.

l If the system has no authentication scheme enabled with the accounting-on function when you execute the accounting-on enable command, you need to save the configuration and restart the device so that the command takes effect. Otherwise, the command takes effect immediately.

Related commands: radius scheme.

Examples

# Enable the accounting-on function for RADIUS authentication scheme rd.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable

1.2.2 accounting-on enable interval

Syntax

accounting-on enable interval seconds

undo accounting-on interval

View

RADIUS scheme view

Parameters

seconds: Time interval to retransmit accounting-on packet in seconds, ranging from 1 to 15.

Description

Use the accounting-on enable interval command to configure the retransmission interval of accounting-on packets.

Use the undo accounting-on enable interval command to restore the default.

By default, the retransmission interval of accounting-on packets is 3 seconds.

Note that:

l Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable. That is, execution of the undo accounting-on enable interval command will not disable the accounting-on function.

l The retransmission interval configured with this command takes effect immediately.

Related commands: radius scheme, accounting-on enable.

Examples

# In RADIUS scheme rd, set the retransmission interval of accounting-on packet to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable interval 5

1.2.3 accounting-on enable send

Syntax

accounting-on enable send send-times

undo accounting-on send

View

RADIUS scheme view

Parameters

send-times: Maximum number of accounting-on packet retransmission attempts, ranging from 1 to 255.

Description

Use the accounting-on enable send command to set the maximum number of accounting-on packet retransmission attempts.

Use the undo accounting-on enable send command to restore the default.

By default, the maximum number of accounting-on packet retransmission attempts is 5.

Note that:

l The maximum number of accounting-on packet retransmission attempts configured with this command takes effect immediately.

Related commands: radius scheme, accounting-on enable.

Examples

# In RADIUS scheme rd, set the maximum number of accounting-on packet retransmission attempts to 10.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable send 10

1.2.4 data-flow-format

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

undo data-flow-format { data | packet }

View

RADIUS scheme view

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Related commands: display radius scheme.

Examples

# Define RADIUS scheme radius1 to send data flows and packets destined for the RADIUS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

1.2.5 display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Parameters

radius-scheme-name: RADIUS scheme name.

Description

Use the display radius scheme command to display the configuration information of a specified RADIUS scheme or all RADIUS schemes.

Related commands: radius scheme.

Examples

# Display the configurations of all RADIUS schemes.

<Sysname> display radius scheme

------------------------------------------------------------------

SchemeName = radius1

Index = 0 Type=extended

Primary Auth IP = 1.1.1.1 Port = 1812 State = active

Primary Acct IP = 1.1.1.1 Port = 1813 State = active

Second Auth IP = 0.0.0.0 Port = 1812 State = block

Second Acct IP = 0.0.0.0 Port = 1813 State = block

Auth Server Encryption Key = Not configured

Acct Server Encryption Key = Not configured

Accounting-On packet disable, send times = 5 , interval = 3s

Interval for timeout(second) =3

Retransmission times for timeout =3

Interval for realtime accounting(minute) =12

Retransmission times of realtime-accounting packet =5

Retransmission times of stop-accounting packet =500

Quiet-interval(min) =5

Username format =without-domain

Data flow unit =Byte

Packet unit =one

------------------------------------------------------------------

Total 1 RADIUS scheme(s).

Table 1-4 Description on the fields of the display radius scheme command

Field	Description
SchemeName	Name of the RADIUS scheme
Index	Index number of the RADIUS scheme
Type	Type of the RADIUS server
Primary Auth IP/ Port/ State	IP address/access port number/current status of the primary authentication server: (active or block)
Primary Acct IP/ Port/ State	IP address/access port number/current status of the primary accounting server: (active or block)
Second Auth IP/ Port/ State	IP address/access port number/current status of the secondary authentication server: (active or block)
Second Acct IP/ Port/ State	IP address/access port number/current status of the secondary accounting server: (active or block)
Auth Server Encryption Key	Shared key of the authentication server
Acct Server Encryption Key	Shared key of the accounting server
Accounting-On packet disable	Whether accounting-on is enabled
send times	Maximum number of accounting-on packet retransmission attempts
interval	Accounting-on packet retransmission interval
Interval for timeout(second)	Timeout time in seconds
Retransmission times for timeout	Times of retransmission in case of timeout
Interval for realtime accounting(minute)	Interval for realtime accounting in minutes
Retransmission times of realtime-accounting packet	Retransmission times of realtime-accounting packet
Retransmission times of stop-accounting packet	Retransmission times of stop-accounting packet
Quiet-interval(min)	Quiet interval for the primary server
Username format	Format of the username
Data flow unit	Unit of data flows
Packet unit	Unit of packets
Total 1 RADIUS scheme(s)	1 RADIUS scheme in total

1.2.6 display radius statistics

Syntax

display radius statistics

View

Any view

Parameters

None

Description

Use the display radius statistics command to display statistics about RADIUS packets.

Related commands: radius scheme.

Examples

# Display statistics about RADIUS packets.

<Sysname> display radius statistics

state statistic(total=1024):

DEAD = 1024 AuthProc = 0 AuthSucc = 0

AcctStart = 0 RLTSend = 0 RLTWait = 0

AcctStop = 0 OnLine = 0 Stop = 0

Received and Sent packets statistic:

Sent PKT total = 0 Received PKT total = 0

RADIUS received packets statistic:

Code = 2 Num = 0 Err = 0

Code = 3 Num = 0 Err = 0

Code = 5 Num = 0 Err = 0

Code = 11 Num = 0 Err = 0

Running statistic:

RADIUS received messages statistic:

Normal auth request Num = 0 Err = 0 Succ = 0

EAP auth request Num = 0 Err = 0 Succ = 0

Account request Num = 0 Err = 0 Succ = 0

Account off request Num = 0 Err = 0 Succ = 0

PKT auth timeout Num = 0 Err = 0 Succ = 0

PKT acct_timeout Num = 0 Err = 0 Succ = 0

Realtime Account timer Num = 0 Err = 0 Succ = 0

PKT response Num = 0 Err = 0 Succ = 0

Session ctrl pkt Num = 0 Err = 0 Succ = 0

Normal author request Num = 0 Err = 0 Succ = 0

RADIUS sent messages statistic:

Auth accept Num = 0

Auth reject Num = 0

EAP auth replying Num = 0

Account success Num = 0

Account failure Num = 0

Server ctrl req Num = 0

RecError_MSG_sum = 0

SndMSG_Fail_sum = 0

Timer_Err = 0

Alloc_Mem_Err = 0

State Mismatch = 0

Other_Error = 0

No-response-acct-stop packet = 0

Discarded No-response-acct-stop packet for buffer overflow = 0

Table 1-5 Description on the fields of display radius statistics command

Field	Description
state statistic(total=1024)	state statistics
DEAD	The state of idle
AuthProc	The state of waiting for authentication
AuthSucc	The state of authenticated
AcctStart	The state of accounting start
RLTSend	The state of sending real-time accounting packets
RLTWait	The state of waiting for real-time accounting
AcctStop	The state of accounting waiting stopped
OnLine	The state of online
Stop	The state of stop
Received and Sent packets statistic	Number of packets sent and received
Sent PKT total	Number of packets sent
Received PKT total	Number of packets received
RADIUS received packets statistic	Statistic of packets received by RADIUS
Code	Type of packet
Num	Total number of packets
Err	Number of error packets
Running statistic	Statistics of running packets
RADIUS received messages statistic	Number of messages received by RADIUS
Normal auth request	Number of normal authentication requests
EAP auth request	Number of EAP authentication requests
Account request	Number of accounting requests
Account off request	Number of stop-accounting requests
PKT auth timeout	Number of authentication timeout packets
PKT acct_timeout	Number of accounting timeout packets
Realtime Account timer	Number of realtime accounting requests
PKT response	Number of PKT responses
Session ctrl pkt	Number of session control packets
Normal author request	Number of normal authorization packets
Succ	Number of successful packets
RADIUS sent messages statistic	Number of messages that have been sent by RAIUDS
Auth accept	Number of accepted authentication packets
Auth reject	Number of rejected authentication packets
EAP auth replying	Number of replying packets of EAP authentication
Account success	Number of accounting succeeded packets
Account failure	Number of accounting failed packets
Server ctrl req	Number of server control requests
RecError_MSG_sum	Number of received packets in error
SndMSG_Fail_sum	Number of packets that failed to be sent out
Timer_Err	Number of timer errors
Alloc_Mem_Err	Number of memory errors
State Mismatch	Number of errors for mismatching status
Other_Error	Number of errors of other types
No-response-acct-stop packet	Number of times that no response was received for stop-accounting packets
Discarded No-response-acct-stop packet for buffer overflow	Number of stop-accounting packets that were buffered but then discarded due to full memory

1.2.7 display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name : Specifies a user by the user name, which is a case-sensitive string of 1 to 80 characters.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, user name, or slot.

Note that if receiving no response after sending a stop-accounting request to a RADIUS server, the device buffers the request and retransmits it. You can use the retry stop-accounting command to set the number of allowed transmission attempts.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

Total find 0 record (0)

1.2.8 key

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS scheme view

Parameters

accounting: Sets the shared key for RADIUS accounting packets.

authentication: Sets the shared key for RADIUS authentication/authorization packets.

string: Shared key, a case-sensitive string of 1 to 16 characters.

Description

Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default.

By default, no shared key is configured.

Note that:

l You must ensure that the same shared key is set on the device and the RADIUS server.

l If authentication/authorization and accounting are performed on two servers with different shared keys, you must set separate shared key for each on the device.

Related commands: display radius scheme.

Examples

# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key authentication hello

# Set the shared key for accounting packets to ok for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting ok

1.2.9 nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS scheme view

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l Specifying a source address for the RADIUS packets to be sent to the server can avoid the situation where the packets sent back by the RADIUS server cannot reach the device as the result of a physical interface failure. The address of a loopback interface is recommended.

l The nas-ip command in RADIUS scheme view is only for the current RADIUS scheme, while the radius nas-ip command in system view is for all RADIUS schemes. However, the nas-ip command in RADIUS scheme view overwrites the configuration of the radius nas-ip command.

Related commands: radius nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] nas-ip 10.1.1.1

1.2.10 primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS scheme view

Parameters

ip-address: IP address of the primary accounting server.

port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535.

Description

Use the primary accounting command to configure the IP address and UDP port of the primary RADIUS accounting server.

Use the undo primary accounting command to restore the defaults.

By default, the default IP address is 0.0.0.0, and the default port number 1813.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and the UDP port of the server to 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

1.2.11 primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS scheme view

Parameters

ip-address: IP address of the primary authentication/authorization server.

port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535.

Description

Use the primary authentication command to configure the IP address and UDP port of the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to restore the defaults.

By default, the default IP address is 0.0.0.0, and the default port number 1812.

Note that:

l After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the device are consistent with the port settings on the RADIUS servers.

l The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and the UDP port of the server to 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

1.2.12 radius client

Syntax

radius client enable

undo radius client

View

System view

Parameters

None

Description

Use the radius client enable command to enable the listening port of the RADIUS client.

Use the undo radius client command to disable the listening port of the RADIUS client.

By default, the listening port is enabled.

Note that when the listening port of the RADIUS client is disabled:

l The RADIUS client can either accept authentication, authorization or accounting requests or process timer messages. However, it fails to transmit and receive packets to and from the RADIUS server.

l The end account packets of online users cannot be sent out and buffered. This may cause that the RADIUS server still has the user record after a user goes offline for a period of time.

l The authentication, authorization and accounting turn to the local scheme after the RADIUS request fails if the RADIUS scheme and the local authentication, authorization and accounting scheme are configured.

l The buffered accounting packets cannot be sent out and will be deleted from the buffer when the configured maximum number of attempts is reached.

Examples

# Enable the listening port of the RADIUS client.

<Sysname> system-view

[Sysname] radius client enable

1.2.13 radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the radius nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo radius nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l If you configure the command for more than one time, the last configuration takes effect.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

1.2.14 radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.

Use the undo radius scheme command to delete a RADIUS scheme.

By default, no RADIUS scheme is defined.

Note that:

l The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers.

l A RADIUS scheme can be referenced by more than one ISP domain at the same time.

l You cannot remove the RADIUS scheme being used by online users with the undo radius scheme command.

Related commands: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

1.2.15 radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down }

undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Parameters

accounting-server-down: RADIUS trap for accounting servers.

authentication-server-down: RADIUS trap for authentication servers.

Description

Use the radius trap command to enable the RADIUS trap function.

Use the undo radius trap command to disable the function.

By default, the RADIUS trap function is disabled.

Note that:

l If a NAS sends an accounting or authentication request to the RADIUS server but gets no response, the NAS retransmits the request. With the RADIUS trap function enabled, when the NAS transmits the request for half of the specified maximum number of transmission attempts, it sends a trap message; when the NAS transmits the request for the specified maximum number, it sends another trap message.

l If the specified maximum number of transmission attempts is odd, the half of the number refers to the smallest integer greater than the half of the number.

Examples

# Enable the RADIUS trap function for accounting servers.

<Sysname> system-view

[Sysname] radius trap accounting-server-down

1.2.16 reset radius statistics

Syntax

reset radius statistics

View

User view

Parameters

None

Description

Use the reset radius statistics command to clear RADIUS statistics.

Related commands: display radius scheme.

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

1.2.17 reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user name based on which to reset the stop-accounting buffer. The username is a case-sensitive string of 1 to 80 characters.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests, which get no responses.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for user user0001@aabbcc.net.

<Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net

# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

1.2.18 retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Parameters

retry-times: Maximum number of retransmission attempts, in the range 1 to 20.

Description

Use the retry command to set the maximum number of RADIUS retransmission attempts.

Use the undo retry command to restore the default.

The default value for the retry-times argument is 3.

Note that:

l Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response time-out time, it will retransmit the RADIUS request. If the number of retransmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device regards that the authentication fails.

l The maximum number of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme, timer response-timeout.

Examples

# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

1.2.19 retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS scheme view

Parameters

retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5.

Description

Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.

Use the undo retry realtime-accounting command to restore the default.

Note that:

l A RADIUS server usually checks whether a user is online by a timeout timer. If it receives from the NAS no real-time accounting packet for a user in the timeout period, it considers that there may be line or device failure and stops accounting for the user. This may happen when some unexpected failure occurs. In this case, the NAS is required to disconnect the user in accordance. This is done by the maximum number of accounting request transmission attempts. Once the limit is reached but the NAS still receives no response, the NAS disconnects the user.

l Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the timeout retransmission attempts is 3 (set with the retry command), and the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command). In such a case, the device generates an accounting request every 12 minutes, and retransmits the request when receiving no response within 3 seconds. The accounting is deemed unsuccessful if no response is received within 3 requests. Then the device sends a request every 12 minutes, and if for 5 times it still receives no response, the device will cut the user connection.

Related commands: radius scheme, timer realtime-accounting.

Examples

# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname -radius-radius1] retry realtime-accounting 10

1.2.20 retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS scheme view

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

l Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the timeout retransmission attempts is 5 (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). This means that for each stop-accounting request, if the device receives no response within 3 seconds, it will initiate a new request. If still no responses are received within 5 renewed requests, the stop-accounting request is deemed unsuccessful. Then the device will temporarily store the request in the device and resend a request and repeat the whole process described above. Only when 20 consecutive attempts fail will the device discard the request.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

1.2.21 secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS scheme view

Parameters

ip-address: IP address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.

port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.

Description

Use the secondary accounting command to configure the IP address and UDP port of the secondary RADIUS accounting server.

Use the undo secondary accounting command to restore the defaults.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the secondary accounting server for RADIUS scheme radius1 to 10.110.1.1 and the UDP port of the server to 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

1.2.22 secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS scheme view

Parameters

ip-address: IP address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.

port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

Description

Use the secondary authentication command to configure the IP address and UDP port of the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to restore the defaults.

Note that:

l The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

l The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and the UDP port of the server to 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

1.2.23 security-policy-server

Syntax

security-policy-server ip-address

undo security-policy-server { ip-address | all }

View

RADIUS scheme view

Parameters

ip-address: IP address of a security policy server.

all: All IP addresses

Description

Use the security-policy-server command to configure the IP address of a security policy server.

Use the undo security-policy-server command to remove one or all configured IP addresses.

By default, no IP address is configured for a security policy server.

Examples

# For RADIUS scheme radius1, set the IP address of a security policy server to 10.110.1.2.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

1.2.24 server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS scheme view

Parameters

extended: Specifies the extended RADIUS server (generally CAMS), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the private RADIUS protocol.

standard: Specifies the standard RADIUS server, which requires the RADIUS client end and RADIUS server to interact according to the regulation and packet format of the standard RADIUS protocol (RFC 2865/2866 or newer).

Description

Use the server-type command to specify the RADIUS server type supported by the device.

Use the undo server-type command to restore the default.

By default, the supported RADIUS server type is standard.

Related commands: radius scheme.

Examples

# Set the RADIUS server type of RADIUS scheme radius1 to standard.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-type standard

1.2.25 state

Syntax

state { primary | secondary } { accounting | authentication } { active | block }

View

RADIUS scheme view

Parameters

primary: Sets the status of the primary RADIUS server.

secondary: Sets the status of the secondary RADIUS server.

accounting: Sets the status of the RADIUS accounting server.

authentication: Sets the status of the RADIUS authentication/authorization server.

active: Sets the status of the RADIUS server to active, namely the normal operation state.

block: Sets the status of the RADIUS server to block.

Description

Use the state command to set the status of a RADIUS server.

By default, every RADIUS server configured with an IP address in the RADIUS scheme is in the state of active.

Note that:

l When a primary server, authentication/authorization server or accounting server, fails, the device automatically turns to the secondary server.

l Once the primary server fails, the primary server turns into the state of block, and the device turns to the secondary server. In this case, if the secondary server is available, the device triggers the primary server quiet timer. After the quiet timer times out, the status of the primary server is active again and the status of the secondary server remains the same. If the secondary server fails, the device restores the status of the primary server to active immediately.

l If the primary server has resumed, the device turns to use the primary server and stops communicating with the secondary server. After accounting starts, the communication between the client and the secondary server remains unchanged.

l If both the primary server and the secondary server are in the state of active or blocked, the device sends the packets only to the primary server.

l If one server is in the active state while the other is blocked, the switchover will not take place even if the active server is not reachable.

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples

# Set the status of the secondary server in RADIUS scheme radius1 to active.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication active

1.2.26 stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS scheme view

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

1.2.27 timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

Related commands: display radius scheme.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] timer quiet 10

1.2.28 timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Parameters

minutes: Real-time accounting interval in minutes, must be a multiple of 3 and in the range 3 to 60, with the default value being 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

l For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command is for setting the interval.

l The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the RADIUS server: a shorter interval requires higher performance. You are therefore recommended to adopt a longer interval when there are a large number of users (more than 1000, inclusive). The following table lists the recommended ratios of the interval to the number of users.

Table 1-6 Recommended ratios of the accounting interval to the number of users

Number of users	Real-time accounting interval (minute)
1 to 99	3
100 to 499	6
500 to 999	12
1000 or more	15 or more

Related commands: retry realtime-accounting, radius scheme.

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

1.2.29 timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Parameters

seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.

Description

Use the timer response-timeout command to set the RADIUS server response timeout timer.

Use the undo timer command to restore the default.

Note that:

l If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it has to resend the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

l A proper value for the RADIUS server response timeout timer can help improve the system performance. Set the timer based on the network conditions.

l The maximum total number of all types of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme, retry.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

1.2.30 user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS scheme view

Parameters

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.

By default, the ISP domain name is included in the username.

Note that:

l A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a RADIUS server.

l If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain, thus avoiding the confused situation where the RADIUS server regards two users in different ISP domains but with the same userid as one.

Related commands: radius scheme.

Examples

# Specify the device to include the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

1.3 HWTACACS Configuration Commands

1.3.1 data-flow-format

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

undo data-flow-format { data | packet }

View

HWTACACS scheme view

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a HWTACACS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Related commands: display hwtacacs.

Examples

# Define HWTACACS scheme hwt1 to send data flows and packets destined for the TACACS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname- hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

1.3.2 display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]

View

Any view

Parameters

hwtacacs-scheme-name: HWTACACS scheme name.

statistics: Displays complete statistics about the HWTACACS server.

Description

Use the display hwtacacs command to display configuration information or statistics of the specified or all HWTACACS schemes.

Related commands: hwtacacs scheme.

Examples

# Display configuration information about HWTACACS scheme gy.

<Sysname> display hwtacacs gy

--------------------------------------------------------------------

HWTACACS-server template name : gy

Primary-authentication-server : 172.31.1.11:49

Primary-authorization-server : 172.31.1.11:49

Primary-accounting-server : 172.31.1.11:49

Secondary-authentication-server : 0.0.0.0:0

Secondary-authorization-server : 0.0.0.0:0

Secondary-accounting-server : 0.0.0.0:0

Current-authentication-server : 172.31.1.11:49

Current-authorization-server : 172.31.1.11:49

Current-accounting-server : 172.31.1.11:49

NAS-IP-address : 0.0.0.0

key authentication : 790131

key authorization : 790131

key accounting : 790131

Quiet-interval(min) : 5

Realtime-accounting-interval(min) : 12

Response-timeout-interval(sec) : 5

Acct-stop-PKT retransmit times : 100

Domain-included : Yes

Data traffic-unit : B

Packet traffic-unit : one-packet

--------------------------------------------------------------------

Table 1-7 Description on the fields of the display hwtacacs command

Field	Description
HWTACACS-server template name	Name of the HWTACACS scheme
Primary-authentication-server	Primary authentication server
Primary-authorization-server	Primary authorization server
Primary-accounting-server	Primary accounting server
Secondary-authentication-server	Secondary authentication server
Secondary-authorization-server	Secondary authorization server
Secondary-accounting-server	Secondary accounting server
Current-authentication-server	Currently used authentication server
Current-authorization-server	Currently used authorization server
Current-accounting-server	Currently used accounting server
NAS-IP-address	NAS-IP address
key authentication	Key for authentication
key authorization	Key for authorization
key accounting	Key for accounting
Quiet-interval	Quiet interval for the primary server
Realtime-accounting-interval	Real-time accounting interval
Response-timeout-interval	Server response timeout period
Acct-stop-PKT retransmit times	Number of stop-accounting packet transmission retries
Domain-included	Whether a user name includes the domain name
Data traffic-unit	Unit for data flows
Packet traffic-unit	Unit for data packets

1.3.3 display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, user name, or slot.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

Total 0 record(s) Matched

1.3.4 hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the hwtacacs nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo hwtacacs nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l Specifying a source address for the HWTACACS packets to be sent to the server can avoid the situation where the packets sent back by the HWTACACS server cannot reach the device as the result of a physical interface failure.

l If you configure the command for more than one time, the last configuration takes effect.

l The nas-ip command in HWTACACS scheme view is only for the current HWTACACS scheme, while the hwtacacs nas-ip command in system view is for all HWTACACS schemes. However, the nas-ip command in HWTACACS scheme view overwrites the configuration of the hwtacacs nas-ip command.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

1.3.5 hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

By default, no HWTACACS scheme exists.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

1.3.6 key

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS scheme view

Parameters

accounting: Sets the shared key for HWTACACS accounting packets.

authentication: Sets the shared key for HWTACACS authentication packets.

authorization: Sets the shared key for HWTACACS authorization packets.

string: Shared key, a string of 1 to 16 characters.

Description

Use the key command to set the shared key for HWTACACS authentication, authorization, or accounting packets.

Use the undo key command to remove the configuration.

By default, no shared key is configured.

Related commands: display hwtacacs.

Examples

# Set the shared key for HWTACACS accounting packets to hello for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key accounting hello

1.3.7 nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS scheme view

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l If you configure the command for more than one time, the last configuration takes effect.

Related commands: hwtacacs nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

1.3.8 primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

HWTACACS scheme view

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary accounting command to specify the primary HWTACACS accounting server.

Use the undo primary accounting command to remove the configuration.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Configure the primary accounting server.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

1.3.9 primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

HWTACACS scheme view

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to specify the primary HWTACACS authentication server.

Use the undo primary authentication command to remove the configuration.

Note that:

l The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs.

Examples

# Set the primary authentication server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

1.3.10 primary authorization

Syntax

primary authorization ip-address [ port-number ]

undo primary authorization

View

HWTACACS scheme view

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to specify the primary HWTACACS authorization server.

Use the undo primary authorization command to remove the configuration.

Note that:

l The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the primary authorization server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

1.3.11 reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

View

User view

Parameters

accounting: Clears HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears HWTACACS authentication statistics.

authorization: Clears HWTACACS authorization statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS statistics.

Related commands: display hwtacacs.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

1.3.12 reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

User view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that get no responses.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

1.3.13 retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS scheme view

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 1 to 300 and defaults to 100.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 50.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 50

1.3.14 secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

HWTACACS scheme view

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary accounting command to specify the secondary HWTACACS accounting server.

Use the undo secondary accounting command to remove the configuration.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Configure the secondary accounting server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accouting 10.163.155.12 49

1.3.15 secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

HWTACACS scheme view

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary authentication command to specify the secondary HWTACACS authentication server.

Use the undo secondary authentication command to remove the configuration.

Note that:

l The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the secondary authentication server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

1.3.16 secondary authorization

Syntax

secondary authorization ip-address [ por-number t ]

undo secondary authorization

View

HWTACACS scheme view

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary authorization command to specify the secondary HWTACACS authorization server.

Use the undo secondary authorization command to remove the configuration.

Note that:

l The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the secondary authorization server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

1.3.17 stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS scheme view

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

1.3.18 timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS scheme view

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

Related commands: display hwtacacs.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

1.3.19 timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS scheme view

Parameters

minutes: Real-time accounting interval in minutes. It is a multiple of 3 in the range 3 to 60 and defaults to 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

l For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval.

l The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the HWTACACS server: a shorter interval requires higher performance. You are therefore recommended to adopt a longer interval when there are a large number of users (more than 1000, inclusive). The following table lists the recommended ratios of the interval to the number of users.

Table 1-8 Recommended ratios of the accounting interval to the number of users

Number of users	Real-time accounting interval (minute)
1 to 99	3
100 to 499	6
500 to 999	12
1000 or more	15 or more

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

1.3.20 timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS scheme view

Parameters

seconds: HWTACACS server response timeout period in seconds. It ranges from 1 to 300 and defaults to 5.

Description

Use the timer response-timeout command to set the HWTACACS server response timeout timer.

Use the undo timer command to restore the default.

As HWTACACS is based on TCP, the timeout of the server response timeout timer and/or the TCP timeout timer will cause the device to be disconnected from the HWTACACS server.

Related commands: display hwtacacs.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

1.3.21 user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS scheme view

Parameters

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a HWTACACS server.

By default, the ISP domain name is included in the username.

Note that:

l A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a HWTACACS server, the device must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a HWTACACS server.

l If a HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain, thus avoiding the confused situation where the HWTACACS server regards two users in different ISP domains but with the same userid as one.

Related commands: hwtacacs scheme.

Examples

# Specify the device to include the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

H3C S5500-EI Series Switches Command Manual-Release 2102(V1.01)

Chapter 1 AAA/RADIUS/HWTACACS Configuration Commands

1.1.1 access-limit

1.1.2 accounting default

1.1.3 accounting lan-access

1.1.4 accounting login

1.1.5 accounting optional

1.1.6 attribute

1.1.7 authentication default

1.1.8 authentication lan-access

1.1.9 authentication login

1.1.10 authorization command

1.1.11 authorization default

1.1.12 authorization lan-access

1.1.13 authorization login

1.1.14 cut connection

1.1.15 display connection

1.1.16 display domain

1.1.17 display local-user

1.1.19 domain default

1.1.21 level

1.1.22 local-user

1.1.24 password

1.1.26 service-type

1.1.27 service-type ftp

1.1.28 state

1.2 RADIUS Configuration Commands

1.2.1 accounting-on enable

1.2.5 display radius scheme

1.2.6 display radius statistics

1.2.7 display stop-accounting-buffer

1.2.8 key

1.2.9 nas-ip

1.2.10 primary accounting

1.2.11 primary authentication

1.2.13 radius nas-ip

1.2.14 radius scheme

1.2.16 reset radius statistics

1.2.18 retry

1.2.19 retry realtime-accounting

1.2.20 retry stop-accounting

1.2.21 secondary accounting

1.2.22 secondary authentication

1.2.23 security-policy-server

1.2.25 state

1.2.26 stop-accounting-buffer enable

1.2.28 timer realtime-accounting

1.2.29 timer response-timeout

1.2.30 user-name-format

1.3.2 display hwtacacs

1.3.3 display stop-accounting-buffer

1.3.4 hwtacacs nas-ip

1.3.5 hwtacacs scheme

1.3.7 nas-ip

1.3.12 reset stop-accounting-buffer

1.3.13 retry stop-accounting

1.3.17 stop-accounting-buffer enable

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us