- H3C S9500 Series Routing Switches Command Manual-(V1.01)
10-Security Command
Table of Contents
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.4 dot1x authentication-method
Chapter 2 AAA and RADIUS/HWTACACS Protocol Configuration Commands
2.1 AAA Configuration Commands
2.1.13 local-user password-display-mode
2.2 RADIUS Protocol Configuration Commands
2.2.7 display radius statistics
2.2.8 display stop-accounting-buffer
2.2.16 reset radius statistics
2.2.17 reset stop-accounting-buffer
2.2.19 retry realtime-accounting
2.2.22 secondary authentication
2.2.25 stop-accounting-buffer enable
2.2.27 timer realtime-accounting
2.3 HWTACACS Configuration Commands
2.3.4 display stop-accounting-buffer hwtacacs-scheme
2.3.12 reset hwtacacs statistics
2.3.13 reset stop-accounting-buffer
2.3.16 secondary authentication
2.3.17 secondary authorization
2.3.19 timer realtime-accounting
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 anti-attack
Syntax
anti-attack { arp | dot1x | ip } { disable | enable }
View
System view
Parameter
arp: ARP packets.
dot1x: 802.1x packets.
ip: IP packets.
Description
Use the anti-attack enable command to enable attack prevention for the specified packet type. Use the anti-attack disable command to disable it.
By default, IP packet attack prevention is enabled, and ARP packet attack prevention and 802.1x packet attack prevention are disabled.
Example
# Enable ARP packet attack prevention.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] anti-attack arp enable
# Disable IP packet attack prevention.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] anti-attack ip disable
1.1.2 display dot1x
Syntax
display dot1x [ enabled-interface | guest vlan | interface interface-list | sessions | statistics ]
View
Any view
Parameter
enabled-interface: Displays the Ethernet ports on which 802.1x is enabled.
guest vlan: Displays the Guest VLAN IDs and the ports on which Guest VLAN is enabled.
interface: Displays the 802.1x information of the specified interfaces.
interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
sessions: Displays the 802.1x session (connection) information.
statistics: Displays the 802.1x statistics.
Description
Use the display dot1x command to view 802.1x information: configuration, running state (session connection information) and statistics.
By default, all 802.1x information for every interface is displayed.
With an interface list, the command shows the 802.1x configuration, state and statistics of the specified ports only; without one it shows everything, that is, the 802.1x configuration of all ports, the session connection information and the statistics. Use the output to verify the current 802.1x configuration when troubleshooting 802.1x.
Related command: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.
Example
# Display the configuration information of 802.1x.
<H3C> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 30 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 2048
Total current used 802.1x resource number is 0
Ethernet3/1/1 is link-down
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
Max on-line user number is 1024
… (Omitted)
Table 1-1 Description of 802.1x configuration information
Field | Description
---|---
Equipment 802.1X protocol is enabled | 802.1x is enabled globally on the switch
CHAP authentication is enabled | The 802.1x authentication method is CHAP (see dot1x authentication-method)
DHCP-launch is disabled | DHCP-triggered authentication is off: users that configure a static IP address in a DHCP environment are also made to authenticate (see dot1x dhcp-launch)
Proxy trap checker is disabled | The switch does not send a trap when it detects a user logging on through a proxy (see dot1x supp-proxy-check)
Proxy logoff checker is disabled | The switch does not cut off users it detects logging on through a proxy (see dot1x supp-proxy-check)
Transmit Period | Transmission timeout timer, tx-period (see dot1x timer)
Handshake Period | Interval between the handshake packets sent to on-line 802.1x users
Quiet Period | Length of the quiet period
Quiet Period Timer is disabled | The quiet-period timer is not in use (see dot1x quiet-period)
Supp Timeout | Supplicant authentication timeout timer
Server Timeout | Authentication server timeout timer
The maximal retransmitting times | Maximum number of times the switch transmits an authentication request frame to a user (see dot1x retry)
Total maximum 802.1x user resource number | Maximum number of 802.1x access users the switch allows
Total current used 802.1x resource number | Number of 802.1x users currently on line
Ethernet3/1/1 is link-down | Link state of port Ethernet 3/1/1
802.1X protocol is disabled | 802.1x is disabled on the port
Proxy trap checker is disabled | Proxy detection with trap is disabled on the port
Proxy logoff checker is disabled | Proxy detection with logoff is disabled on the port
The port is a(n) authenticator | The port acts as the authenticator
Authenticate Mode is auto | Access control mode of the port is auto (see dot1x port-control)
Port Control Type is Mac-based | Access control is MAC-based: each user on the port is authenticated separately (see dot1x port-method)
Max on-line user number | Maximum number of on-line users on the port (see dot1x max-user)
… | Omitted
1.1.3 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x command to enable 802.1x on the specified port or globally (i.e., on the current device).
Use the undo dot1x command to disable the 802.1x on the specified port or globally.
By default, 802.1x is disabled on all the ports and globally on the device.
When the dot1x command is used in system view, if the parameter interface-list is not specified, 802.1x will be globally enabled. If the parameter interface-list is specified, 802.1x will be enabled on the specified port. When this command is used in Ethernet port view, the parameter interface-list cannot be input and 802.1x can only be enabled on the current port.
The 802.1x parameters, global or per port, can be configured before or after 802.1x is enabled; parameters that are not configured keep their default values.
802.1x takes effect on a port only when it is enabled both globally and on that port.
Enabling 802.1x on a port and limiting the number of MAC addresses the port learns (mac-address max-mac-count) are mutually exclusive: whichever is configured first blocks the other.
Related command: display dot1x.
Example
# Enable 802.1x on Ethernet 3/1/1.
[H3C] dot1x interface Ethernet 3/1/1
# Enable the 802.1x globally.
[H3C] dot1x
1.1.4 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap md5-challenge }
undo dot1x authentication-method
View
System view
Parameter
chap: Uses the CHAP authentication method.
pap: Uses the PAP authentication method.
eap md5-challenge: Uses EAP relay with the EAP-MD5-Challenge method; MD5-Challenge is currently the only EAP method supported.
Description
Use the dot1x authentication-method command to configure the authentication method for 802.1x users.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP is used for 802.1x user authentication.
Password Authentication Protocol (PAP) is a two-way handshake that sends the password as plain text.
Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake: the authenticator sends a random challenge and the supplicant returns its user name together with an MD5 hash computed over the challenge and the password, so the password itself never crosses the link. CHAP is therefore more secure and reliable than PAP, although a captured challenge/response pair can still be tested offline against a password list.
With EAP, the switch relays the 802.1x user's EAP packets to the RADIUS server as they are, instead of first terminating EAP and converting the credentials into standard RADIUS authentication attributes.
Note that the RADIUS server must support the selected method (PAP, CHAP or EAP).
Related command: display dot1x.
Example
# Configure 802.1x user to use PAP authentication
[H3C] dot1x authentication-method pap
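The three methods differ in what an attacker on the access link can learn. The following Python script is an added example, not code from the H3C manual or from the switch software: it computes the CHAP/EAP-MD5 response as RFC 1994 and RFC 3748 define it (MD5 over the one-byte identifier, the password and the challenge), contrasts it with what PAP puts on the wire, and shows both why a captured response cannot be replayed against a fresh challenge and why it can still be guessed offline. The user name, password, challenge and word list are constructed inputs.

```python
"""Added example, not from the H3C manual: what an on-path observer sees under
each dot1x authentication-method, and why CHAP/EAP-MD5 resists replay and
password disclosure but not offline guessing.

CHAP (RFC 1994) and EAP-MD5-Challenge (RFC 3748, section 5.4) both compute
    Response = MD5(Identifier || password || Challenge)
User name, password, challenge and word list below are constructed inputs."""
import hashlib
import secrets


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over the 1-byte Identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def pap_on_the_wire(username: str, password: str) -> dict:
    """PAP: the credential itself is the authentication data, sent in clear text."""
    return {"method": "pap", "user": username, "password": password}


def chap_on_the_wire(username: str, password: str, challenge: bytes = None,
                     identifier: int = 1) -> dict:
    """CHAP three-way handshake as captured on the link: challenge out,
    user name plus response back; the password never appears."""
    if challenge is None:
        challenge = secrets.token_bytes(16)  # authenticator picks a fresh random value
    response = chap_response(identifier, password.encode(), challenge)
    return {"method": "chap", "id": identifier, "challenge": challenge,
            "user": username, "response": response}


def authenticator_verify(capture: dict, password: bytes) -> bool:
    """What the switch (or the RADIUS server) does with the stored secret."""
    expected = chap_response(capture["id"], password, capture["challenge"])
    return secrets.compare_digest(expected, capture["response"])


def replay(capture: dict, new_challenge: bytes) -> dict:
    """An attacker re-sending an old response in answer to a new challenge."""
    return dict(capture, challenge=new_challenge)


def offline_dictionary_attack(capture: dict, wordlist):
    """The caveat: with challenge and response in hand, each guess costs one MD5;
    there is no per-user salt and the switch's quiet period does not slow this down."""
    for guess in wordlist:
        if chap_response(capture["id"], guess.encode(), capture["challenge"]) == capture["response"]:
            return guess
    return None
```

The replay check is what the random challenge buys you; the dictionary loop is why CHAP on an untrusted segment is still only as strong as the password, and why EAP relay to a server that supports stronger EAP methods is preferable where the supplicants allow it.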
1.1.5 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameter
None
Description
Use the dot1x dhcp-launch command to stop the switch from triggering 802.1x authentication for users that configure static IP addresses in a DHCP environment, so that only users that obtain their addresses through DHCP are authenticated.
Use the undo dot1x dhcp-launch command to restore triggering of authentication for such users.
By default, the switch triggers authentication for users that configure static IP addresses in a DHCP environment.
Related command: dot1x.
Example
# Disable the switch to trigger the authentication over the users who configure static IP addresses in DHCP environment.
[H3C] dot1x dhcp-launch
1.1.6 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan vlan-id [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
vlan-id: ID of the VLAN specified as the Guest VLAN. It ranges from 1 to 4094.
interface-list: List of Guest VLAN-enabled ports expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x guest-vlan command to enable Guest VLAN on a specific port.
Use the undo dot1x guest-vlan command to disable Guest VLAN.
If you execute the dot1x guest-vlan command in system view and do not provide the interface-list argument, Guest VLAN is enabled on all ports. However, if you provide the interface-list argument, Guest VLAN is enabled on the ports specified by this argument.
If you execute the dot1x guest-vlan command in Ethernet interface view, this command does not accept the interface-list argument and Guest VLAN is enabled only on the current port.
Example
# Specify to perform port-based authentications.
[H3C] dot1x port-method portbased
# Enable Guest VLAN on all ports.
[H3C] dot1x guest-vlan 1
1.1.7 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameter
user-number: Specifies the limit to the amount of supplicants on the port, ranging from 1 to 1024.
By default, the maximum user number is 1024. And a switch can accommodate a total of 2048 users.
interface interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x max-user command to configure a limit to the amount of supplicants on the specified interface of 802.1x.
Use the undo dot1x max-user command to restore the default value.
This command is used for setting a limit to the amount of supplicants that 802.1x can hold on the specified interface. This command has effect on the interface specified by the parameter interface-list when executed in system view. It has effect on all the interfaces when no interface is specified. The parameter interface-list cannot be input when the command is executed in Ethernet interface view and it has effect only on the current interface.
Related command: display dot1x.
Example
# Configure the interface Ethernet 3/1/1 to hold no more than 32 users.
[H3C] dot1x max-user 32 interface Ethernet 3/1/1
1.1.8 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
auto: Automatic mode. The port starts in the unauthorized state and passes only EAPoL frames, so the user cannot reach network resources. Once the user passes authentication the port switches to the authorized state and the user is admitted. This is the usual setting.
authorized-force: Forced authorized mode. The port stays in the authorized state and users access network resources without authentication or authorization.
unauthorized-force: Forced unauthorized mode. The port stays in the unauthorized state; the switch ignores authentication requests and no user is admitted.
interface interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x port-control command to configure the mode for 802.1x to perform access control on the specified interface.
Use the undo dot1x port-control command to restore the default access control mode.
By default, the access control mode is auto.
This command is used to set the mode, or the interface state, for 802.1x to perform access control on the specified interface. This command has effect on the interface specified by the parameter interface-list when executed in system view. It has effect on all the interfaces when no interface is specified. The parameter interface-list cannot be input when the command is executed in Ethernet port view and it has effect only on the current interface.
Related command: display dot1x.
Example
# Configure the interface Ethernet 3/1/1 to be in unauthorized-force state.
[H3C] dot1x port-control unauthorized-force interface ethernet 3/1/1
1.1.9 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
macbased: Configures the 802.1x authentication system to perform authentication on the supplicant based on MAC address.
portbased: Configures the 802.1x authentication system to perform authentication on the supplicant based on interface number.
interface interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x port-method command to configure the basis on which 802.1x performs access control on the specified interface.
Use the undo dot1x port-method command to restore the default.
By default, the method is macbased.
With macbased, every user on the interface is authenticated separately; when one authenticated user leaves, the others keep their network access. With portbased, only the first user on the interface is actually authenticated; once it succeeds, every other user on that interface is treated as authenticated as well, and when that first user logs off the network access of all of them is withdrawn. Use portbased only where a single host is attached, since any other host on the same port (for example behind a hub) gains access on the strength of the first user's credentials.
When executed in system view this command applies to the interfaces given by interface-list, or to all interfaces when none is specified. In Ethernet interface view interface-list cannot be entered and the command applies to the current interface only.
Related command: display dot1x.
Example
# Authenticate the supplicant based on the interface number on Ethernet 3/1/1.
[H3C] dot1x port-method portbased interface ethernet 3/1/1
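To make the difference concrete, the following Python model is an added example, not part of the manual: it tracks which hosts on one shared port (three hosts behind a hub, a constructed scenario in which A and C hold valid credentials and B does not) can reach the network under each port-method as users authenticate and log off, following the behaviour described above.

```python
"""Added example, not from the H3C manual: a model of who gets network access
on one port under dot1x port-method macbased versus portbased, following the
description in 1.1.9. Hosts A, B, C and their credentials are constructed;
a real port would also apply dot1x max-user and dot1x port-control."""


class Dot1xPort:
    """Authorization state of a single 802.1x-enabled port."""

    def __init__(self, method: str, max_user: int = 1024):
        assert method in ("macbased", "portbased")
        self.method = method
        self.max_user = max_user
        self.authorized_macs = set()   # macbased: every supplicant that authenticated
        self.opening_user = None       # portbased: the user whose success opened the port

    def authenticate(self, mac: str, credentials_ok: bool) -> bool:
        """Outcome of an authentication attempt by `mac`; returns whether it has access."""
        if not credentials_ok:
            return self.can_access(mac)
        if self.method == "macbased":
            if len(self.authorized_macs) < self.max_user:
                self.authorized_macs.add(mac)
        elif self.opening_user is None:
            self.opening_user = mac            # first success authorizes the whole port
        return self.can_access(mac)

    def logoff(self, mac: str) -> None:
        if self.method == "macbased":
            self.authorized_macs.discard(mac)  # only this user loses access
        elif mac == self.opening_user:
            self.opening_user = None           # port drops back to unauthorized for everyone

    def can_access(self, mac: str) -> bool:
        if self.method == "macbased":
            return mac in self.authorized_macs
        return self.opening_user is not None   # any MAC rides on the opened port


def scenario(method: str) -> dict:
    """Three hosts behind a hub on one port: A and C hold valid credentials, B does not.
    Returns the access each host has after A authenticates and again after A logs off."""
    port = Dot1xPort(method)
    port.authenticate("A", credentials_ok=True)
    port.authenticate("B", credentials_ok=False)
    port.authenticate("C", credentials_ok=True)
    before = {h: port.can_access(h) for h in "ABC"}
    port.logoff("A")
    after = {h: port.can_access(h) for h in "ABC"}
    return {"after_A_authenticates": before, "after_A_logs_off": after}
```

Under portbased the unauthenticated host B is admitted as soon as A succeeds, and the legitimately authenticated C is cut off when A leaves; under macbased each host stands on its own credentials.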
1.1.10 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period command to enable the Quiet-period timer.
Use the undo dot1x quiet-period command to disable this timer.
If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by quiet-period timer) before launching the authentication again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication.
By default, Quiet-period timer is disabled.
Related command: display dot1x , dot1x timer.
Example
# Enable quiet-period timer.
[H3C] dot1x quiet-period
1.1.11 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of times the switch transmits an authentication request frame to the supplicant, in the range 1 to 10.
By default, the value is 2, that is, the switch transmits the authentication request frame at most twice.
Description
Use the dot1x retry command to configure the maximum number of times the switch transmits the authentication request frame to the supplicant.
Use the undo dot1x retry command to restore the default.
After sending the authentication request frame to the user, the switch resends it if no response arrives within the configured timer. The value 1 means the frame is sent once and never retransmitted; 2 means it is sent once more if the first copy gets no response, and so on. This command applies to all ports.
Related command: display dot1x.
Example
# Configure the current device to transmit authentication request frame to the user for no more than 9 times.
[H3C] dot1x retry 9
1.1.12 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
logoff: Cuts network connection to a user upon detecting the use of proxy.
trap: Sends trap message upon detecting a user using proxy to access the switch.
interface interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type, interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x supp-proxy-check command to configure how 802.1x handles users that log on through a proxy on the specified interface.
Use the undo dot1x supp-proxy-check command to remove that setting.
Note that this function requires the user logging on through a proxy to run the 802.1x client program, version V1.29 or later.
In system view the command applies to the interfaces given by interface-list; in Ethernet port view interface-list cannot be entered and the command applies to the current interface only. Proxy user detection and control must be enabled globally in system view and then on each port where it is to take effect.
Related command: display dot1x.
Example
# Configure the switch cut network connection to a user upon detecting the use of proxy on Ethernet 2/1/1 ~ Ethernet 2/1/8.
[H3C] dot1x supp-proxy-check logoff
[H3C] dot1x supp-proxy-check logoff interface Ethernet 2/1/1 to Ethernet 2/1/8
# Configure the switch to send trap message upon detecting the use of proxy on Ethernet 2/1/9.
[H3C] dot1x supp-proxy-check trap
[H3C] dot1x supp-proxy-check trap interface Ethernet 2/1/9
or
[H3C] dot1x supp-proxy-check trap
[H3C] interface Ethernet 2/1/9
[H3C-Ethernet2/1/9] dot1x supp-proxy-check trap
1.1.13 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout }
View
System view
Parameter
handshake-period: Handshake timer. It starts after the user has passed authentication; the switch then sends a handshake packet every handshake period. If the dot1x retry value is N and the user fails to answer N consecutive handshakes, the switch considers the user to have logged off and sets it to the logoff state.
handshake-period-value: Handshake period in seconds, in the range 1 to 1024; the default is 30.
quiet-period: Quiet timer. If an 802.1x user fails authentication, the authenticator waits for the quiet period before starting authentication again, and does nothing related to 802.1x authentication during that time.
quiet-period-value: Length of the quiet period in seconds, in the range 10 to 120; the default is 60.
server-timeout: Authentication server timeout timer. If the authentication server has not responded when this timer expires, the authenticator resends the authentication request.
server-timeout-value: Length of the server timeout in seconds, in the range 100 to 300; the default is 100.
supp-timeout: Supplicant authentication timeout timer. It starts when the authenticator sends the Request/Challenge packet asking for the MD5 challenge response; if the supplicant has not responded when the timer expires, the authenticator resends that packet.
supp-timeout-value: Length of the supplicant timeout in seconds, in the range 10 to 120; the default is 30.
tx-period: Transmission timeout timer. It starts when the authenticator sends the Request/Identity packet asking for the user name (or user name and password); if the supplicant has not replied when the timer expires, the authenticator resends the request.
tx-period-value: Length of the transmission timeout in seconds, in the range 10 to 120; the default is 30.
Note:
The recommended handshake period and handshake timeout count (the number of unanswered handshakes after which the user is logged off) depend on the number of users:
- 2048 users: handshake period at least 2 minutes, handshake timeout count at least 3;
- 1024 users: handshake period at least 1 minute, handshake timeout count at least 3;
- 512 users: handshake period at least 30 seconds, handshake timeout count at least 2.
Description
Use the dot1x timer command to configure the 802.1x timers.
Use the undo dot1x timer command to restore the default values.
While running, 802.1x uses a number of timers to keep the interaction between the supplicant, the authenticator and the authentication server orderly. This command sets those timers that are configurable (the others cannot be changed) to suit the interaction to the network, which may be necessary in unusual or difficult environments. In general, keep the default values.
Related command: display dot1x.
Example
# Set the authentication server timeout timer to 150 seconds.
[H3C] dot1x timer server-timeout 150
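The display dot1x output of 1.1.2 contains everything needed to check a switch against the note above and the access-control settings of 1.1.8 and 1.1.9. The following Python script is an added example, not part of the manual: it parses that output into global and per-port settings, derives how long a vanished user keeps its authorization (handshake period multiplied by the number of unanswered handshakes, which the script assumes to be the dot1x retry value as 1.1.13 describes), and lists findings. The sample output is the one shown in 1.1.2 extended with a second, hypothetical port; the line "Authenticate Mode is authorized-force" for a forced-authorized port is an assumption, since the manual only shows the auto form.

```python
"""Added example, not from the H3C manual: parse display dot1x output (format
as in 1.1.2) and audit it against the sizing note in 1.1.13 and the
port-control/port-method settings of 1.1.8 and 1.1.9.
Assumptions: the note's "handshake timeout count" is the dot1x retry value;
a forced-authorized port prints "Authenticate Mode is authorized-force"."""
import re

# Constructed sample: the 1.1.2 output with a second, hypothetical port added.
SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 30 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 2048
Ethernet3/1/1 is link-down
802.1X protocol is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
Max on-line user number is 1024
Ethernet3/1/2 is link-up
802.1X protocol is enabled
The port is a(n) authenticator
Authenticate Mode is authorized-force
Port Control Type is Port-based
Max on-line user number is 1024
"""

# (at least this many users, minimum handshake period in s, minimum handshake count), from the 1.1.13 note
HANDSHAKE_MINIMUMS = [(2048, 120, 3), (1024, 60, 3), (512, 30, 2)]

GLOBAL_PATTERNS = {
    "enabled": r"^Equipment 802\.1X protocol is (enabled|disabled)",
    "handshake_period": r"Handshake Period (\d+) s",
    "quiet_timer": r"Quiet Period Timer is (enabled|disabled)",
    "retry": r"The maximal retransmitting times (\d+)",
    "max_users": r"Total maximum 802\.1x user resource number is (\d+)",
}
PORT_PATTERNS = {
    "enabled": r"^802\.1X protocol is (enabled|disabled)",
    "mode": r"^Authenticate Mode is (\S+)",
    "control": r"^Port Control Type is (\S+)",
}


def parse_display_dot1x(text: str) -> dict:
    """Global settings at the top level, one dict per port under 'ports'."""
    cfg, port = {"ports": []}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is link-(up|down)$", line)
        if m:                                   # a port header starts a new per-port block
            port = {"name": m.group(1), "link": m.group(2)}
            cfg["ports"].append(port)
            continue
        target, patterns = (port, PORT_PATTERNS) if port else (cfg, GLOBAL_PATTERNS)
        for key, pattern in patterns.items():
            m = re.search(pattern, line)
            if m:
                target[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return cfg


def recommended_handshake(max_users: int):
    """(min handshake period, min handshake count) for this user count, or None below 512."""
    for users, period, count in HANDSHAKE_MINIMUMS:
        if max_users >= users:
            return period, count
    return None


def logoff_detection_seconds(cfg: dict) -> int:
    """How long a vanished user keeps its authorized state: N unanswered handshakes (1.1.13)."""
    return cfg.get("handshake_period", 0) * cfg.get("retry", 0)


def audit(cfg: dict) -> list:
    """(severity, message) findings a reviewer would raise on this configuration."""
    findings = []
    if cfg.get("enabled") != "enabled":
        findings.append(("high", "802.1X disabled globally: no port authenticates"))
    if cfg.get("quiet_timer") != "enabled":
        findings.append(("medium", "quiet-period timer disabled: a failed supplicant is re-challenged without back-off"))
    rec = recommended_handshake(cfg.get("max_users", 0))
    if rec:
        period, count = rec
        if cfg.get("handshake_period", 0) < period:
            findings.append(("low", f"handshake period {cfg.get('handshake_period')} s < recommended {period} s for {cfg['max_users']} users"))
        if cfg.get("retry", 0) < count:
            findings.append(("low", f"retry {cfg.get('retry')} < recommended {count} for {cfg['max_users']} users"))
    for p in cfg["ports"]:
        if p.get("enabled") != "enabled":
            findings.append(("info", f"{p['name']}: 802.1X not enabled on port, traffic is unauthenticated"))
            continue
        if p.get("mode") == "authorized-force":
            findings.append(("high", f"{p['name']}: forced authorized, access without authentication"))
        if str(p.get("control", "")).lower().startswith("port"):
            findings.append(("medium", f"{p['name']}: port-based control, one authenticated host opens the port to every MAC on it"))
    return findings
```

Run it over the output captured from a switch (for example saved from a terminal session) rather than the sample; the logoff detection time is the window in which a port keeps trusting a MAC address whose host has been unplugged or replaced, which is why the note pairs longer handshake periods with a higher handshake count rather than leaving the count at its default.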
1.1.14 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface interface-list: Ethernet interface list expressed in the format interface-list =interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type means the interface type; interface-number is the interface number. Refer to command parameters in the “Port” section in the manual for the respective meanings and value ranges of them. The interface number after the key word to should be no smaller than the interface number before to. &<1-10> in the command means that the preceding parameter can be entered up to 10 times.
Description
Use the reset dot1x statistics command to clear the 802.1x statistics.
Use it when you want to discard the existing 802.1x statistics and start counting again.
If no interface is specified, the global 802.1x statistics of the switch and the 802.1x statistics of all ports are cleared. If interfaces are specified, only the 802.1x statistics of those ports are cleared.
Related command: display dot1x.
Example
# Clear the 802.1x statistics on Ethernet 3/1/2.
<H3C> reset dot1x statistics interface Ethernet 3/1/2
Chapter 2 AAA and RADIUS/HWTACACS Protocol Configuration Commands
2.1 AAA Configuration Commands
2.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameter
disable: No limit to the supplicant number in the current ISP domain.
enable max-user-number: Specifies the maximum supplicant number in the current ISP domain, ranging from 1 to 2312.
Description
Use the access-limit command to configure a limit to the amount of supplicants in the current ISP domain.
Use the undo access-limit command to restore the limit to the default setting.
By default, there is no limit to the amount of supplicants in the current ISP domain.
This command limits the amount of supplicants contained in the current ISP domain. The supplicants may contend with each other for the network resources. So setting a suitable limit to the amount will guarantee the reliable performance for the existing supplicants.
Example
# Set a limit of 500 supplicants for the ISP domain, H3C.net.
[H3C-isp-H3C.net] access-limit enable 500
2.1.2 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameter
None
Description
Use the accounting optional command to make accounting optional.
Use the undo accounting optional command to make accounting mandatory again.
By default, accounting is mandatory. With accounting optional, users can still use network resources when no accounting server is available or the switch cannot communicate with it; without it, users are denied access in that situation. Use this command when you want the server to authenticate users without charging them, bearing in mind that it trades the audit trail for availability: sessions that start while accounting is unavailable are not recorded.
Example
# Enable accounting option for domain user named H3C.net.
[H3C] domain H3C.net
[H3C-isp-H3C.net] accounting optional
2.1.3 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum } }*
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameter
ip ip-address: Specifies the IP address of the user.
mac mac-address: Specifies the MAC address of the user, in the hexadecimal format X-X-X.
idle-cut second: Enables the idle-cut function for the local user (the exact behaviour depends on the configuration of the ISP domain the user belongs to). The argument second is the idle-cut time, in the range 60 to 7200 seconds.
access-limit max-user-number: Specifies the maximum number of users that may access the device with the current user name, in the range 1 to 2048.
vlan vlanid: Sets the VLAN attribute of user, in other words, the VLAN to which a user belong. The argument vlanid is an integer in the range of 1 to 4094.
location: Sets the port binding attribute of user.
nas-ip ip-address: IP address of the access server in the event of binding a remote port with a user. The argument ip-address is an IP address in dotted decimal format and defaults to 127.0.0.1 (which represents the local machine).
port portnum: Sets the port with which a user is bound. The argument portnum is represented by “SlotNumber SubSlotNumber PortNumber”. If the bound port has no SubSlotNumber, the value 0 can be used as the SubSlotNumber.
Description
Use the attribute command to configure attributes for the specified local user.
Use the undo attribute command to cancel the attributes that have been defined for this local user.
For users of the local LAN service type, the user IP address and MAC address attributes are valid only when the ISP domain authentication scheme is a local authentication scheme, or when the ISP domain authentication scheme is a RADIUS authentication scheme and the type of the RADIUS scheme is extended.
Note that the argument nas-ip must be defined for a user bound to a remote port; it is not needed for a user bound to a local port.
Related command: display local-user.
Example
# Configure the IP address 10.110.50.1 to the user test1.
[H3C-luser-test1] attribute ip 10.110.50.1
2.1.4 cut connection
Syntax
cut connection { all | access-type { dot1x | gcm | mac-authentication } | domain domain-name | interface interface-type interface-num | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }
View
System view
Parameter
all: Disconnects all connections.
access-type { dot1x | gcm | mac-authentication }: Disconnects the user connections of the specified access category.
dot1x: Specifies 802.1x users.
gcm: Specifies GCM users.
mac-authentication: Specifies users authenticated by MAC address.
domain domain-name: Cuts the connections according to ISP domain. domain-name specifies the ISP domain name with a character string not exceeding 24 characters. The specified ISP domain must have been created.
mac mac-address: Cuts the connection of the supplicant whose MAC address is mac-address. The argument mac-address is in the hexadecimal format (x-x-x).
radius-scheme radius-scheme-name: Cuts the connections according to RADIUS scheme name. radius-scheme-name specifies the RADIUS scheme name with a character string not exceeding 32 characters.
interface interface-type interface-num: Cuts the connections according to the port.
ip ip-address: Cuts the connection according to IP address.
vlan vlanid: Cuts the connections according to VLAN ID. Here, vlanid ranges from 1 to 4094.
ucibindex ucib-index: Cuts the connection according to ucib-index. Here, ucib-index ranges from 0 to 2311.
user-name user-name: Cuts the connection according to user name. user-name is the argument specifying the username. It is a character string not exceeding 32 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can only be used once in one username. The pure username (the part before @, namely the user ID) cannot exceed 55 characters.
Description
Use the cut connection command to disconnect a user or a category of users by force.
Related command: display connection.
Example
# Cut all the connections in the ISP domain, H3C.net.
[H3C] cut connection domain H3C.net
2.1.5 display connection
Syntax
display connection [ access-type { dot1x | gcm } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameter
access-type { dot1x | gcm }: Displays the user connections of the specified access category.
dot1x: Specifies 802.1x access mode.
gcm: Specifies GCM access mode.
domain domain-name: Displays all the users in an ISP domain. domain-name specifies the ISP domain name with a character string not exceeding 24 characters. The specified ISP domain must have been created.
mac mac-address: Displays the supplicant whose MAC address is mac-address. The argument mac-address is in the hexadecimal format (x-x-x).
radius-scheme radius-scheme-name: Displays the supplicants according to RADIUS scheme name. radius-scheme-name specifies the RADIUS scheme name with a character string not exceeding 32 characters.
interface interface-type interface-number: Displays the supplicants according to the port.
ip ip-address: Displays the user with the specified IP address.
vlan vlanid: Displays the users in the specified VLAN. Here, vlanid ranges from 1 to 4094.
ucibindex ucib-index: Displays the user with the specified ucib-index. Here, ucib-index ranges from 0 to 2311.
user-name user-name: Displays the user specified with user-name. user-name is the argument specifying the username. It is a character string not exceeding 32 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can only be used once in one username. The pure username (the part before @, namely the user ID) cannot exceed 24 characters.
Description
Use the display connection command to view the relevant information of all the supplicants or the specified one(s). The output can help you with the user connection diagnosis and troubleshooting.
If no parameter is specified, this command displays the related information about all connected users.
Related command: cut connection.
Example
# Display the relevant information of all the users.
<H3C> display connection
Total 0 connections matched ,0 listed.
2.1.6 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameter
isp-name: Specifies the ISP domain name, with a character string not exceeding 24 characters. The specified ISP domain shall have been created.
Description
Use the display domain command to view the configuration of a specified ISP domain or display the summary information of all ISP domains.
By default, this command displays the summary information about all the ISP domains in the system.
This command outputs the configuration of a specified ISP domain or the summary information of all ISP domains. If an ISP domain is specified, the configuration information is displayed in the same content and format as the summary output of the display domain command. The output can help with ISP domain diagnosis and troubleshooting.
Related command: access-limit, domain, radius scheme, user-template, state, display domain.
Example
# Display the summary information of all ISP domains of the system.
<H3C> display domain
0 Domain = system
State = Active
Scheme = LOCAL Access-limit = Disable
Vlan-assignment-mode = Integer
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
2.1.7 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { enable | disable } | service-type { ftp | lan-access | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlanid ]
View
Any view
Parameter
domain isp-name: Configures to display all the local users in the specified ISP domain. isp-name specifies the ISP domain name with a character string not exceeding 24 characters. The specified ISP domain shall have been created.
idle-cut { enable | disable }: Displays the local users according to the state of the idle-cut function. disable selects users that have the idle-cut function disabled and enable selects users that have it enabled. This parameter only takes effect on users configured as the Lan-access type. For other types of users, the display local-user idle-cut enable and display local-user idle-cut disable commands display no information.
service-type: Displays local users of a specified type.
ftp: Specifies FTP users.
lan-access: Specifies Lan-access users, which mainly refers to Ethernet accessing users, 802.1x supplicants for example.
ppp: Specifies PPP users.
ssh: Specifies SSH users.
telnet: Specifies Telnet users.
terminal: Specifies terminal users.
state { active | block }: Displays the local users in the specified state. active means that the system allows the user to request network service and block means that the system does not allow the user to request network service.
user-name user-name: Displays the local user specified with user-name. user-name is the argument specifying the username. It is a character string not exceeding 32 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can only be used once in one username. The pure username (the part before @, namely the user ID) cannot exceed 55 characters.
vlan vlanid: Displays the local users belonging to the specified VLAN. vlanid is an integer ranging from 1 to 4094.
Description
Use the display local-user command to view the relevant information about all the local users or the specified one(s).
The output can help you with the fault diagnosis and troubleshooting related to local user.
By default, this command displays the relevant information about all the local users.
Related command: local-user.
Example
# Display the relevant information of all the local users.
<H3C> display local-user
The contents of local user user1:
State: Active ServiceType Mask: None
Idle Cut: Disable
AccessLimit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
Total 1 local user(s) Matched,1 listed.
Table 2-1 Description of output information of the display local-user command
Field | Description |
---|---|
State | State of the user |
Idle Cut | Idle cut switch |
AccessLimit | Limit on the number of access connections |
Bind location | Whether the user is bound to a port |
VLAN ID | VLAN that the user belongs to |
IP address | IP address of the user |
MAC address | MAC address of the user |
2.1.8 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameter
isp-name: Specifies an ISP domain name. The name is a character string not exceeding 24 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”.
default enable isp-name: Sets the ISP domain specified by isp-name as the default ISP domain.
default disable: Disables the configured default ISP domain and restores the default ISP domain to “system”.
Description
Use the domain command to configure an ISP domain or enter the view of an existing ISP domain.
Use the undo domain command to cancel a specified ISP domain.
By default, a domain named as system has been created in the system. The attributes of system are all default values.
An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, taking a username of the form userid@H3C.net as an example, the isp-name (here H3C.net) following the @ is the ISP domain name. When H3C Series Switches control user access, for an ISP user whose username is in the userid@isp-name format, the system takes the userid part as the username for identification and the isp-name part as the domain name.
The purpose of introducing ISP domain settings is to support application environments with several ISP domains. In this case, an access device may have supplicants from different ISP domains. Because the attributes of ISP users, such as username and password structures and service types, may differ, it is necessary to separate them by setting ISP domains. In ISP domain view, you can configure a complete set of exclusive ISP domain attributes for each ISP domain, including AAA schemes (the RADIUS scheme group applied, and so forth).
For a switch, each supplicant belongs to an ISP domain. The system supports up to 16 ISP domains.
When this command is used, if the specified ISP domain does not exist, the system creates a new ISP domain. All ISP domains are in the active state when they are created.
Related command: access-limit, radius scheme, state, display domain.
Example
# Create a new ISP domain, H3C.net, and enter its view.
[H3C] domain H3C.net
New Domain added.
[H3C-isp-H3C.net]
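The username rules stated on this page (the userid@isp-name split described above, the excluded characters, a single @, the length limits on the full name, the user ID and the ISP domain name) are easy to get wrong in an auditing or provisioning script. The following Python model is an added example, not switch code and not part of the manual; the limits are taken from the command descriptions on this page, and the fallback of a name without @ to the default domain "system" is an assumption.

```python
"""Model of the userid@isp-name username parsing described in this manual.

Added example written in Python; it is not H3C switch code. Limits and
forbidden characters come from the command descriptions on this page. The
fallback to the default domain for a name without '@' is an assumption.
"""
from dataclasses import dataclass

FORBIDDEN_CHARS = frozenset("/:*?<>")   # excluded from usernames and ISP domain names
DEFAULT_DOMAIN = "system"               # domain that exists on the switch by default


@dataclass(frozen=True)
class ParsedUser:
    user_id: str   # part before '@', used to identify the user
    domain: str    # ISP domain whose AAA scheme applies to the user


def parse_username(name: str,
                   max_total: int = 32,
                   max_user_id: int = 55,
                   max_domain: int = 24,
                   default_domain: str = DEFAULT_DOMAIN) -> ParsedUser:
    """Split a username into user ID and ISP domain, rejecting malformed input.

    Raises ValueError with a reason so a caller can log why a name was refused.
    The pure-username limit differs between commands on this page (55 or 24),
    so it is a parameter rather than a constant.
    """
    if not name:
        raise ValueError("empty username")
    if len(name) > max_total:
        raise ValueError(f"username longer than {max_total} characters")
    bad = FORBIDDEN_CHARS.intersection(name)
    if bad:
        raise ValueError(f"forbidden character(s) in username: {''.join(sorted(bad))}")
    if name.count("@") > 1:
        raise ValueError("'@' may appear only once in a username")

    if "@" in name:
        user_id, domain = name.split("@", 1)
        if not domain:
            raise ValueError("empty ISP domain name after '@'")
        if len(domain) > max_domain:
            raise ValueError(f"ISP domain name longer than {max_domain} characters")
    else:
        # Assumption: a name without '@' is placed in the default domain.
        user_id, domain = name, default_domain

    if not user_id:
        raise ValueError("empty user ID before '@'")
    if len(user_id) > max_user_id:
        raise ValueError(f"user ID longer than {max_user_id} characters")
    return ParsedUser(user_id=user_id, domain=domain)


def is_valid_username(name: str, **limits) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_username(name, **limits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one valid per form, then each rejection reason.
    for sample in ("test1@H3C.net", "test1", "a@b@c", "bad/name", "x" * 33):
        try:
            print(f"{sample!r:22} -> {parse_username(sample)}")
        except ValueError as err:
            print(f"{sample!r:22} -> rejected: {err}")
```

The function separates the identity part from the domain part before any AAA decision is made, which is the order the manual describes: the domain selects the scheme, and only then is the user ID checked against it.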
2.1.9 idle-cut
Syntax
idle-cut { disable | enable minute flow }
View
ISP domain view
Parameter
disable: Disables the idle-cut function for users in the domain.
enable: Enables the idle-cut function for users in the domain.
minute: Specifies the maximum idle time, ranging from 1 to 120 and measured in minutes.
flow: Specifies the minimum data traffic, ranging from 1 to 10,240,000 and measured in bytes.
Description
Use the idle-cut command to configure the user template in the current ISP domain.
By default, after an ISP domain is created, this attribute in the user template is disable, that is, user idle-cut is disabled.
The user template is a set of default user attributes. If a user requesting network service lacks some required attributes, the corresponding attributes in the template are assigned to the user as defaults. The user template of the switch you are using may only provide user idle-cut settings. After a user is authenticated, if idle-cut has been configured to enable or disable by neither the user nor the RADIUS server, the user adopts the idle-cut state in the template.
Because a user template only works in one ISP domain, you must configure user template attributes separately for each ISP domain.
Related command: domain.
Example
# Enable the user in the current ISP domain, H3C.net, to use the Idle-cut attribute specified in the user template (that is, enabling the user to use the Idle-cut function). The maximum idle time is 50 minutes and the minimum data traffic is 500 bytes.
[H3C-isp-H3C.net] idle-cut enable 50 500
2.1.10 ip pool
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
View
System view, ISP domain view
Parameter
pool-number: Address pool number ranging from 0 to 99.
low-ip-address and high-ip-address: Two ends of the IP address pool. The number of IP addresses in an address pool cannot exceed 1024. If you do not provide the high-ip-address argument, then the address pool only contains the one specified by the low-ip-address argument.
Description
Use the ip pool command to create a local IP address pool for PPP users.
Use the undo ip pool command to remove a specified local address pool.
By default, no local IP address pool is created.
After creating an IP address pool in system view, you can use the remote address command to assign IP addresses in it to PPP users.
The IP addresses in an IP address pool created in ISP domain view are mainly for PPP users of that ISP domain. This kind of address pool suits ports with many PPP users connected to them when the available IP addresses the ports provide are not sufficient. For example, a PPPoE-enabled Ethernet port can accommodate up to 4095 users, but its Virtual Template can have only one IP address pool configured, which contains at most 1024 IP addresses. By configuring an ISP domain address pool for the Ethernet port, PPP users of the ISP can obtain their IP addresses from that pool, easing the pressure on the port address pool.
Related command: remote address.
Example
# Create a local IP address pool ranging from 129.102.0.1 to 129.102.0.10.
[H3C] domain H3C.net
[H3C-isp-H3C.net] ip pool 0 129.102.0.1 129.102.0.10
2.1.11 level
Syntax
level level
undo level
View
Local user view
Parameter
level: User priority, an integer ranging from 0 to 3.
Description
Use the level command to set user priority.
Use the undo level command to restore the default user priority.
By default, the user priority is 0.
Related command: local-user.
Note:
If you specify no authentication or password authentication, the levels of the commands available to an authenticated user are determined by the priority of the user interface. If a user needs to provide a user name and password to pass the authentication, the levels of the commands available to the authenticated user are determined by the priority of the user.
Example
# Set the user priority to 3.
[H3C-luser-test1] level 3
2.1.12 local-user
Syntax
local-user { username | multicast [ domain domain-name ] ipaddress | password-display-mode { auto | cipher-force } }
undo local-user { username | all [ service-type { ftp | lan-access | telnet | ppp | ssh | terminal } ] | multicast [ domain domain-name ] ipaddress | password-display-mode }
View
System view
Parameter
username : Name of the user.
all [ service-type { ftp | lan-access | telnet | ppp | ssh | terminal } ]: Deletes all local users. ftp deletes all local FTP users, lan-access deletes all local Lan-access users, telnet deletes all local Telnet users, ppp deletes all local PPP users, ssh deletes all local SSH users, and terminal deletes all local terminal users.
all: All users.
multicast [ domain domain-name ]: Adds or deletes multicast addresses according to the domain.
ipaddress: Multicast IP address.
password-display-mode { auto | cipher-force }: Specifies the password display mode. auto displays the password in the user-specified mode; cipher-force displays the password in cipher text regardless of the user setting.
Description
Use the local-user command to configure a local user and enter the local user view.
Use the undo local-user command to cancel a specified local user.
By default, the user database of the system is empty. If the client user wants to access FTP Server through FTP, this configuration is required.
Related commands: display local-user, service-type.
Example
# Add a local user named test1.
<H3C> system-view
[H3C] local-user test1
[H3C-luser-test1]
2.1.13 local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameter
cipher-force: Forced Cipher mode specifies that the passwords of all the accessed users must be displayed in cipher text.
auto: The auto mode specifies that a user is allowed to use the password command to set a password display mode.
Description
Use the local-user password-display-mode command to configure the password display mode of all the accessing users.
Use the undo local-user password-display-mode command to cancel the password display mode that has been set for all the accessing users.
If cipher-force has been adopted, any attempt by a user to specify that passwords be displayed in simple text has no effect.
The default password display mode for all the access users is auto.
Related command: display local-user, password.
Example
# Force all the accessing users to display passwords in cipher text.
[H3C] local-user password-display-mode cipher-force
2.1.14 name
Syntax
name string
undo name
View
VLAN view
Parameter
string: Name of the delivered VLAN. The name can contain up to 32 characters.
Description
Use the name command to configure the name of a delivered VLAN.
Use the undo name command to remove the name configured for a delivered VLAN.
By default, a delivered VLAN has no name.
The name command works with the function of dynamic VLAN delivering. For information about dynamic VLAN delivering, refer to the vlan-assignment-mode command.
Related command: dot1x guest-vlan, vlan-assignment-mode.
Example
# Set the name of VLAN 100 to test.
[H3C] vlan 100
[H3C-vlan100] name test
2.1.15 password
Syntax
password { simple | cipher } password
undo password
View
Local user view
Parameter
simple: Specifies to display passwords in simple text.
cipher: Specifies to display passwords in cipher text.
password: Defines a password, which is a character string of up to 16 characters if it is in simple text and of up to 24 characters if it is in cipher text.
Description
Use the password command to configure a password display mode for local users.
Use the undo password command to cancel the specified password display mode.
If local-user password-display-mode cipher-force has been adopted, using the password command to set the password display mode to simple text (simple) has no effect.
Related command: display local-user.
Example
# Set the user test1 to display the password in simple text, given the password is 20030422.
[H3C-luser-test1] password simple 20030422
2.1.16 scheme
Syntax
scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo scheme { radius-scheme | hwtacacs-scheme | none }
View
ISP domain view
Parameter
radius-scheme-name: RADIUS scheme name, a string no longer than 32 characters in length.
hwtacacs-scheme-name: HWTACACS scheme name, a string no longer than 32 characters in length.
local: Specifies to perform local authentications.
none: Specifies not to perform authentications.
Description
Use the scheme command to configure the AAA scheme used in the current ISP domain.
Use the undo scheme command to restore the default domain AAA scheme.
By default, the AAA scheme specifies local authentication.
The scheme command specifies a RADIUS/HWTACACS scheme for the current ISP domain. The specified scheme must be an existing scheme.
You can use the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command to specify local authentication in case the RADIUS server or the TACACS server fails to respond properly. That is, local authentication is performed only when the RADIUS server or the TACACS server fails.
If you specify local authentication as the primary scheme, only local authentication is performed and you cannot adopt a RADIUS or HWTACACS scheme at the same time. In this case, the none and local keywords act the same.
Related command: radius scheme, hwtacacs scheme.
Example
# With H3C.net as the current ISP domain, specify to adopt the RADIUS scheme named test.
[H3C-isp-H3C.net] scheme radius-scheme test
# Specify the ISP domain named H3C to adopt the Scheme named rd, with Local authentication as the secondary authentication Scheme.
[H3C-isp-H3C] scheme radius-scheme rd local
# Specify the ISP domain named H3C to adopt hwtacacs-scheme hwtac Scheme, with Local authentication as the secondary authentication Scheme.
[H3C-isp-H3C] scheme hwtacacs-scheme hwtac local
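The description above makes a distinction that matters for how the domain fails: with a trailing local keyword the local database is consulted only when the server does not respond, not when it rejects the user, so the backup never overrides a server decision. The Python below is an added example that models that decision logic; it is not switch code, and the local user database and server replies are constructed input.

```python
"""Model of how the scheme command's primary scheme and optional local backup
decide the outcome of an authentication in an ISP domain.

Added example written in Python, not H3C switch code. The local user database
and the server replies are constructed input. Behaviour follows the scheme
command description on this page: with `scheme radius-scheme X local` the local
database is consulted only when the server fails to respond; a reject from the
server is final.
"""
from enum import Enum, auto
from typing import Dict, Optional, Tuple


class ServerReply(Enum):
    ACCEPT = auto()
    REJECT = auto()
    NO_RESPONSE = auto()   # server unreachable or did not answer in time


# Constructed local user database: name -> (password, state), as would be set
# with the local-user, password and state commands.
LOCAL_USERS: Dict[str, Tuple[str, str]] = {
    "test1": ("20030422", "active"),
    "test2": ("secret", "block"),
}


def local_authenticate(user: str, password: str,
                       db: Dict[str, Tuple[str, str]] = LOCAL_USERS) -> bool:
    """Check a user against the local database; a blocked user is refused."""
    entry = db.get(user)
    if entry is None:
        return False
    stored, state = entry
    return state == "active" and stored == password


def authenticate(primary: str, local_backup: bool, reply: Optional[ServerReply],
                 user: str, password: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a domain whose scheme is `primary`
    ('radius-scheme', 'hwtacacs-scheme', 'local' or 'none'), optionally with
    the trailing `local` backup keyword (local_backup=True).
    """
    if primary == "none":
        return True, "scheme none: no authentication performed"
    if primary == "local":
        return local_authenticate(user, password), "local database"
    if primary in ("radius-scheme", "hwtacacs-scheme"):
        if reply is ServerReply.ACCEPT:
            return True, f"{primary} accepted"
        if reply is ServerReply.REJECT:
            # The backup is not a second chance after a reject.
            return False, f"{primary} rejected; local backup not consulted"
        if reply is ServerReply.NO_RESPONSE:
            if local_backup:
                return local_authenticate(user, password), "server silent; local backup used"
            return False, "server silent; no backup configured"
        raise ValueError("a server reply is required for a server-based scheme")
    raise ValueError(f"unknown scheme {primary!r}")


if __name__ == "__main__":
    cases = [
        ("radius-scheme", True, ServerReply.REJECT, "test1", "20030422"),
        ("radius-scheme", True, ServerReply.NO_RESPONSE, "test1", "20030422"),
        ("radius-scheme", False, ServerReply.NO_RESPONSE, "test1", "20030422"),
        ("hwtacacs-scheme", True, ServerReply.NO_RESPONSE, "test2", "secret"),
        ("none", False, None, "anyone", ""),
    ]
    for case in cases:
        print(case[:3], "->", authenticate(*case))
```

Reading the reasons in the output is a quick way to confirm which path a domain's configuration takes when the server is down versus when it says no, which is the difference between a fail-safe backup and an accidental bypass.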
2.1.17 radius-scheme
Syntax
radius-scheme radius-scheme-name
View
ISP domain view
Parameter
radius-scheme-name: Name of the RADIUS scheme to be referenced. It is a string of up to 32 characters.
Description
Use the radius-scheme command to specify a RADIUS scheme to be referenced by the current ISP domain. The RADIUS scheme specified to be referenced must have been configured. Alternatively, you can use the scheme command to specify the RADIUS scheme to be referenced.
By default, after an ISP domain is created, the AAA scheme it references is local authentication (local), instead of a RADIUS scheme.
Related command: radius scheme, display radius.
Example
# Specify RADIUS scheme "test" to be referenced by the current ISP domain H3C.net.
[H3C-isp-H3C.net] radius-scheme test
2.1.18 self-service-url
Syntax
self-service-url enable url-string
self-service-url disable
View
ISP domain view
Parameter
url-string: The URL (uniform resource locator) of the Web page on a self-service server. The Web page is used to modify passwords. This argument is a string of 1 to 64 characters. Do not include the character “?” in this argument. If a URL contains “?”, replace it with “|” when entering the URL on the command line.
Description
Use the self-service-url enable command to configure self-service server uniform resource locator (URL).
Use the self-service-url disable command to remove the configuration of self-service server URL.
By default, self-service server URL is not configured on a switch.
This command must be used together with a RADIUS server (such as a CAMS server) that supports self-service. Self-service means that users can manage their accounts and card numbers by themselves. A server with the self-service software installed is called a self-service server.
Once this function is enabled on a switch, users can reach the self-service server through the following operations:
• Select "Change user password" on the 802.1x client.
• After the client opens the default browser (IE or Netscape), it locates the specified URL page on the self-service server used to change the user password.
• Change the user password on this page.
The "Change user password" option is available only after the user passes the authentication; otherwise, this option is greyed out and unavailable.
Example
# Specify the URL of the Web page used to change password on the self-service server to be http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
[H3C] domain system
[H3C-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
2.1.19 service-type
Syntax
service-type { ftp [ ftp-directory directory ] | lan-access | ppp [call-number call-number | callback-nocheck | callback-number callback-number ] | ssh [ level level | telnet | terminal ] | telnet [ level level | ssh | terminal ] | terminal [ level level | ssh | telnet ] }
undo service-type { ftp [ ftp-directory directory ] | lan-access | ppp [call-number call-number | callback-nocheck | callback-number callback-number ] | ssh [ level level | telnet | terminal ] | telnet [ level level | ssh | terminal ] | terminal [ level level | ssh | telnet ] }
View
Local user view
Parameter
ftp: Specifies user types as FTP.
ftp-directory directory: Specifies the directory of FTP users, directory is a character string of up to 64 characters.
lan-access: Specifies user type to Lan-access, which mainly refers to Ethernet accessing users, 802.1x supplicants for example.
ppp: Specifies PPP users.
call-number call-number: Sets the phone number of the caller.
callback-nocheck: Specifies that no check is performed when the modem calls back.
callback-number callback-number: Sets the callback number for a callback user.
ssh: Specifies SSH users.
telnet: Specifies user type as Telnet.
level level: Specifies the user level (for SSH, Telnet and terminal users, as shown in the syntax). The argument level is an integer in the range of 0 to 3 and defaults to 0.
terminal: Specifies user type as Terminal.
Description
Use the service-type command to configure a service type for a particular user.
Use the undo service-type command to cancel the specified service type for the user.
Example
# Set to provide the Lan-access service for the user test1.
[H3C-luser-test1] service-type lan-access
2.1.20 state
Syntax
state { active | block }
View
ISP domain view, Local user view
Parameter
active: Configures the current ISP domain (ISP domain view)/current user (local user view) as being in active state, that is, the system allows the users in the domain (ISP domain view) or the current user (local user view) to request network service.
block: Configures the current ISP domain (ISP domain view)/current user (local user view) as being in block state, that is, the system does not allow the users in the domain (ISP domain view) or the current user (local user view) to request network service.
Description
Use the state command to configure the state of the current ISP domain/ current user.
By default, after an ISP domain is created, it is in the active state (in ISP domain view).
A local user will be active (in local user view) upon its creation.
In ISP domain view, every ISP can either be in Active or Block state. If an ISP domain is configured to be Active, the users in it can request for network service, while in Block state, its users cannot request for any network service, which will not affect the users currently online.
Related command: domain.
Example
# Set the current ISP domain H3C.net to the block state. The supplicants in this domain cannot request network service.
[H3C-isp-H3C.net] state block
# Set the user test1 to the block state.
[H3C-luser-test1] state block
2.1.21 vlan-assignment-mode
Syntax
vlan-assignment-mode { integer | string }
View
ISP domain view
Parameter
integer: Specify the VLAN delivery mode to be integer.
string: Specify the VLAN delivery mode to be string.
Description
Use the vlan-assignment-mode command to specify the VLAN delivery mode (integer or string).
By default, the integer mode is used, that is, the switch supports the RADIUS server delivering VLAN IDs in integer form.
Dynamic VLAN delivering aims to control the network resources available to a user. With this function enabled, a switch adds the ports connecting to authenticated users to specified VLANs according to the attribute values delivered by the RADIUS server. In actual use, ports are usually set to operate in port-based mode in order to work together with Guest VLAN. A port operating in MAC address-based mode can only have one host connected to it. Currently, the VLAN IDs delivered by RADIUS servers can be of integer or string type.
• For a VLAN ID of integer type, the switch adds the port to the corresponding VLAN according to the VLAN ID delivered by the RADIUS authentication server. If the VLAN does not exist, the switch creates the VLAN first and then adds the port to it.
• For a VLAN ID of string type, the switch compares the VLAN ID delivered by the RADIUS authentication server with the names of the VLANs existing on the switch. If a matching entry is found, the switch adds the port to the corresponding VLAN. Otherwise, the delivery fails and the user fails to pass the authentication.
Note:
• When configuring a VLAN delivering mode, keep the mode configured on the switch consistent with the mode configured on the RADIUS server.
• For the string delivery mode, the VLAN name supported by the switch is 1 to 32 characters long. If the name configured on the RADIUS server exceeds 32 characters, the delivery fails.
• For the string delivery mode, a string that contains numerals only is first interpreted as a number. That is, if the VLAN name delivered by the RADIUS server contains only numerals (such as “1024”) and the equivalent integer is within the range 1 to 4,094, the switch takes the VLAN name as an integer and adds the authenticated port to the VLAN identified by that integer (in this case, VLAN 1024). If the equivalent integer is not within the range 1 to 4,094 (for example, the string “12345”), the RADIUS server fails to deliver the VLAN name. If the all-numeral string contains a space, such as “ 12 345”, the first block of digits not separated by a space is converted into its equivalent integer, namely integer 12 in this example.
Related command: name, dot1x guest-vlan.
Example
# Specify the dynamic VLAN delivery mode to be string.
[H3C-isp-H3C.net] vlan-assignment-mode string
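The string-mode rules in the note above have a non-obvious edge: an all-numeral name is treated as a VLAN ID before any name lookup, so a VLAN actually named "1024" is not what a delivered "1024" resolves to. The Python model below is an added example, not switch code and not part of the manual; it implements the integer and string resolution rules as the vlan-assignment-mode description states them, with the dict of existing VLAN names as constructed input and the rejection of non-numeric values in integer mode as an assumption.

```python
"""Model of dynamic VLAN delivery resolution in integer and string mode.

Added example in Python, not H3C switch code. Rules follow the
vlan-assignment-mode description on this page: integer IDs must be 1-4094,
names are at most 32 characters, an all-numeral name is interpreted as a
number first, and only the first block of digits before a space is used.
"""
import re
from typing import Dict, Optional

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094
VLAN_NAME_MAX = 32

# Matches a string made of digits and spaces only; group 1 is the first block
# of digits, which is the part the switch converts to an integer.
_NUMERAL_RE = re.compile(r"\s*(\d+)[\d\s]*")


def _in_range(vid: int) -> bool:
    return VLAN_ID_MIN <= vid <= VLAN_ID_MAX


def resolve_vlan(mode: str, delivered: str,
                 existing: Dict[str, int]) -> Optional[int]:
    """Return the VLAN ID the authenticated port is added to, or None when the
    delivery fails (in string mode the user then fails authentication).

    mode      -- 'integer' or 'string', as set with vlan-assignment-mode
    delivered -- the VLAN attribute value received from the RADIUS server
    existing  -- VLAN name -> VLAN ID for VLANs named with the name command
    """
    if mode == "integer":
        # Assumption: a value that is not a whole number cannot be a VLAN ID.
        if not delivered.strip().isdigit():
            return None
        vid = int(delivered)
        # In integer mode the switch creates a missing VLAN, so no lookup.
        return vid if _in_range(vid) else None

    if mode == "string":
        if len(delivered) > VLAN_NAME_MAX:
            return None                        # longer than the switch supports
        match = _NUMERAL_RE.fullmatch(delivered)
        if match:                              # numerals are a number first
            vid = int(match.group(1))
            return vid if _in_range(vid) else None
        return existing.get(delivered)         # otherwise match a VLAN name

    raise ValueError(f"unknown VLAN assignment mode: {mode!r}")


if __name__ == "__main__":
    # Constructed VLAN table, including a VLAN whose name looks like an ID.
    vlans = {"sales": 100, "guests": 200, "1024": 7}
    for mode, value in [("integer", "100"), ("integer", "5000"),
                        ("string", "sales"), ("string", "1024"),
                        ("string", "12345"), ("string", " 12 345"),
                        ("string", "unknown")]:
        print(f"{mode:8} {value!r:12} -> {resolve_vlan(mode, value, vlans)}")
```

When auditing a RADIUS policy that returns VLAN names, run the names through this function with the switch's VLAN table to catch the cases where a "name" is silently reinterpreted as an ID or dropped for length.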
2.2 RADIUS Protocol Configuration Commands
2.2.1 accounting optional
Syntax
accounting optional
undo accounting optional
View
RADIUS scheme view
Parameter
None
Description
Use the accounting optional command to enable the RADIUS accounting option.
Use the undo accounting optional command to disable the RADIUS accounting option.
By default, selection of RADIUS accounting option is disabled.
If no RADIUS server is available or if RADIUS accounting server fails when the accounting optional is configured, the user can still use the network resource, otherwise, the user will be disconnected.
For users of a RADIUS scheme configured with the accounting optional command, the switch no longer sends real-time accounting update packets or stop-accounting packets.
The accounting optional command in RADIUS scheme view is only effective on the accounting that uses this RADIUS scheme.
Example
# Enable the selection of RADIUS accounting of the RADIUS scheme named as CAMS.
[H3C-radius-cams] accounting optional
2.2.2 data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format
View
RADIUS scheme view
Parameter
data: Sets data unit.
byte: Sets 'byte' as the unit of data flow.
giga-byte: Sets 'giga-byte' as the unit of data flow.
kilo-byte: Sets 'kilo-byte' as the unit of data flow.
mega-byte: Sets 'mega-byte' as the unit of data flow.
packet: Sets data packet unit.
giga-packet: Sets 'giga-packet' as the unit of packet flow.
kilo-packet: Sets 'kilo-packet' as the unit of packet flow.
mega-packet: Sets 'mega-packet' as the unit of packet flow.
one-packet: Sets 'one-packet' as the unit of packet flow.
Description
Use the data-flow-format command to configure the units of the data flow sent to the RADIUS server.
Use the undo data-flow-format command to restore the unit to the default setting.
By default, the data unit is byte and the data packet unit is one-packet.
Related command, see display radius.
Example
# Set the data flow unit of the RADIUS scheme test to kilo-byte and its packet unit to kilo-packet.
[H3C-radius-test] data-flow-format data kilo-byte packet kilo-packet
2.2.3 debugging radius
Syntax
debugging radius packet
undo debugging radius packet
View
User view
Parameter
packet: Enable packet debugging
Description
Use the debugging radius command to enable RADIUS packet debugging.
Use the undo debugging radius command to disable RADIUS packet debugging.
By default, RADIUS packet debugging is disabled.
Example
# Enable RADIUS packet debugging.
<H3C> debugging radius packet
2.2.4 display local-server
Syntax
display local-server { statistics | nas-ip }
View
Any view
Parameter
None
Description
Use the display local-server statistics command to view the statistics of the local RADIUS server.
Use the display local-server nas-ip command to view the NAS-IP addresses that are allowed to access the local server.
Related command: local-server.
Example
# Display the statistics of local RADIUS scheme.
<H3C> display local-server statistics
The localserver packet statistics:
Receive: 0 Send: 0
Discard: 0 Receive Packet Error: 0
Auth Reveive: 0 Auth Send: 0
Acct Receive: 0 Acct Send: 0
2.2.5 display radius
Syntax
display radius [ radius-server-name ]
View
Any view
Parameter
radius-server-name: Specifies the RADIUS scheme name, a character string of up to 32 characters. All RADIUS schemes are displayed when this parameter is not specified.
Description
Use the display radius command to view the configuration information of all RADIUS schemes or of a specified one.
This command outputs the configuration information about the specified RADIUS scheme, or about all RADIUS schemes when none is specified.
Related command: radius scheme.
Example
# Display the configuration information of all RADIUS schemes.
<H3C> display radius
------------------------------------------------------------------
SchemeName =system Index=0 Type=extended
Primary Auth IP =127.0.0.1 Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Username format =without-domain
Data flow unit =Byte
Packet unit =1
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Table 2-2 Description of output information of the display radius command
Field | Description |
---|---|
SchemeName | The name of the RADIUS scheme |
Index | The index of the RADIUS scheme |
Type | The type of the RADIUS scheme |
Primary Auth IP/ Port/ State | The IP address of the primary authentication server/the number of the access port/the current state of the server |
Primary Acct IP/ Port/ State | The IP address of the primary accounting server/the number of the access port/the current state of the server |
Second Auth IP/ Port/ State | The IP address of the secondary authentication server/the number of the access port/the current state of the server |
Second Acct IP/ Port/ State | The IP address of the secondary accounting server/the number of the access port/the current state of the server |
Auth Server Encryption Key | The encryption key set for the authentication server |
Acct Server Encryption Key | The encryption key set for the accounting server |
TimeOutValue (seconds) | Response timeout value of the RADIUS server |
Retry Times | The maximum number of times a RADIUS request packet is transmitted |
Permitted send realtime PKT failed counts | The maximum number of real-time accounting packets that may go unanswered |
Retry sending times of noresponse acct-stop-PKT | The maximum number of retries for a buffered stop-accounting packet that got no response |
Username format | The format of the username |
Data flow unit | The unit of data flow |
Packet unit | The unit of packets |
2.2.6 display radius nas-ip
Syntax
display radius nas-ip
View
Any view
Parameter
None
Description
Use the display radius nas-ip command to display all the global NAS-IP information configured in system view, including the global NAS-IP information of public network and private network. When the NAS-IP information of global private network is displayed, the name of the VPN that the NAS-IP belongs to is also displayed.
Related command: radius nas-ip.
Example
# Display all NAS-IP information.
<H3C> display radius nas-ip
Radius VPN nas-ip: 192.168.1.1 vpn-instance:vpn1
Radius VPN nas-ip: 192.168.2.1 vpn-instance:vpn2
Radius global nas-ip: 192.168.3.1
2.2.7 display radius statistics
Syntax
display radius statistics
View
Any view
Parameter
None
Description
Use the display radius statistics command to view the statistics of RADIUS packets.
The displayed packet information can help with RADIUS diagnosis and troubleshooting.
Related command: radius scheme.
Example
# Display the statistics information of RADIUS packets.
<H3C> display radius statistics
state statistic(total=4120):
DEAD=4120 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=0
AcctStop=0 OnLine=0 Stop=0
StateErr=0
Receive and Send packets statistic:
Send PKT total :0 Receive PKT total:0
RADIUS received packets statistic:
Code= 2,Num=0 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Code=22,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request ,Num=0 ,Err=0 ,Succ=0
EAP auth request ,Num=0 ,Err=0 ,Succ=0
Account request ,Num=0 ,Err=0 ,Succ=0
Account off request ,Num=0 ,Err=0 ,Succ=0
Leaving request ,Num=0 ,Err=0 ,Succ=0
PKT auth timeout ,Num=0 ,Err=0 ,Succ=0
PKT acct_timeout ,Num=0 ,Err=0 ,Succ=0
Realtime Account ,Num=2317 ,Err=0 ,Succ=2317
PKT response ,Num=0 ,Err=0 ,Succ=0
EAP reauth_request ,Num=0 ,Err=0 ,Succ=0
PORTAL access ,Num=0 ,Err=0 ,Succ=0
Update ack ,Num=0 ,Err=0 ,Succ=0
PORTAL access ack ,Num=0 ,Err=0 ,Succ=0
Session ctrl pkt ,Num=0 ,Err=0 ,Succ=0
RADIUS send messages statistic:
Normal auth accept ,Num=0
Normal auth reject ,Num=0
EAP auth accept ,Num=0
EAP auth reject ,Num=0
EAP auth replying ,Num=0
EAP reauth accept ,Num=0
EAP_reauth_reject ,Num=0
Account success ,Num=0
Account failure ,Num=0
Account off ack ,Num=0
Update request ,Num=0
Leaving ack ,Num=0
Cut req ,Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet=0
Discarded No-response-acct-stop packet=0
2.2.8 display stop-accounting-buffer
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameter
radius-scheme radius-scheme-name: Displays the saved stop-accounting requests by RADIUS scheme name. radius-scheme-name specifies the RADIUS scheme name, a character string of up to 32 characters.
session-id session-id: Displays the saved stop-accounting requests by session ID. session-id specifies the session ID, a character string of up to 50 characters.
time-range start-time stop-time: Displays the saved stop-accounting requests by the time they were saved. start-time specifies the start and stop-time the end of the time range, both expressed in the format hh:mm:ss-yyyy/mm/dd. When this parameter is specified, all stop-accounting requests saved between start-time and stop-time are displayed.
user-name user-name: Displays the saved stop-accounting requests by username. user-name specifies the username, a character string of up to 32 characters that must not contain “/”, “:”, “*”, “?”, “<” or “>”. The @ character can appear only once in a username. The pure username (the part before @, namely the user ID) cannot exceed 24 characters.
Description
Use the display stop-accounting-buffer command to view the stop-accounting requests that have received no response and are saved in the buffer. You can display the packets sent to a certain RADIUS scheme, or display them by user session ID or username. You can also display the request packets saved during a specified time range. The displayed packet information can help with diagnosis and troubleshooting.
If a stop-accounting request gets no response from the RADIUS server after transmission, the switch saves the packet in the buffer and retransmits it a number of times, which is set through the retry stop-accounting command.
Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.
Example
# Display the stop-accounting requests saved in the system buffer from 0:0:0 to 23:59:59 on August 31, 2002.
<H3C> display stop-accounting-buffer time-range 0:0:0-2002/08/31 23:59:59-2002/08/31
Total find 0 record
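The selectors of the display stop-accounting-buffer and reset stop-accounting-buffer commands, modelled as an added example that is not part of the manual: it parses the hh:mm:ss-yyyy/mm/dd time format, applies the stated username constraints, and filters a constructed buffer of unanswered stop-accounting requests (record fields and function names are assumptions).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

TIME_FORMAT = "%H:%M:%S-%Y/%m/%d"          # the manual's hh:mm:ss-yyyy/mm/dd
FORBIDDEN_IN_USERNAME = set("/:*?<>")


@dataclass(frozen=True)
class BufferedStopRequest:
    """One stop-accounting request kept because the server did not answer."""
    radius_scheme: str
    session_id: str
    user_name: str
    saved_at: datetime


def parse_switch_time(text: str) -> datetime:
    """Parse e.g. '0:0:0-2002/08/31' exactly as the CLI example writes it."""
    return datetime.strptime(text, TIME_FORMAT)


def valid_user_name(user_name: str) -> bool:
    """Constraints stated for the user-name parameter."""
    if not 1 <= len(user_name) <= 32:
        return False
    if FORBIDDEN_IN_USERNAME & set(user_name):
        return False
    if user_name.count("@") > 1:
        return False
    pure = user_name.split("@", 1)[0]       # the part before @ (user ID)
    return 1 <= len(pure) <= 24


def select_stop_requests(buffer: List[BufferedStopRequest], *,
                         radius_scheme: Optional[str] = None,
                         session_id: Optional[str] = None,
                         time_range: Optional[str] = None,
                         user_name: Optional[str] = None) -> List[BufferedStopRequest]:
    """Select buffered requests by exactly one selector, as the command syntax
    { radius-scheme | session-id | time-range | user-name } allows.
    time_range is 'start stop' with both halves in hh:mm:ss-yyyy/mm/dd form."""
    given = [s for s in (radius_scheme, session_id, time_range, user_name) if s is not None]
    if len(given) != 1:
        raise ValueError("exactly one selector must be given")
    if radius_scheme is not None:
        if len(radius_scheme) > 32:
            raise ValueError("RADIUS scheme name longer than 32 characters")
        return [r for r in buffer if r.radius_scheme == radius_scheme]
    if session_id is not None:
        if len(session_id) > 50:
            raise ValueError("session ID longer than 50 characters")
        return [r for r in buffer if r.session_id == session_id]
    if user_name is not None:
        if not valid_user_name(user_name):
            raise ValueError("username violates the stated constraints")
        return [r for r in buffer if r.user_name == user_name]
    start_text, stop_text = time_range.split()
    start, stop = parse_switch_time(start_text), parse_switch_time(stop_text)
    if stop < start:
        raise ValueError("stop time precedes start time")
    return [r for r in buffer if start <= r.saved_at <= stop]


def reset_stop_requests(buffer: List[BufferedStopRequest], **selector) -> List[BufferedStopRequest]:
    """Model of reset stop-accounting-buffer: the buffer with the selected requests removed."""
    doomed = set(select_stop_requests(buffer, **selector))
    return [r for r in buffer if r not in doomed]


# Constructed sample buffer (not real switch data).
SAMPLE_BUFFER = [
    BufferedStopRequest("test", "sess-0001", "alice@corp", datetime(2002, 8, 31, 10, 0, 0)),
    BufferedStopRequest("test", "sess-0002", "bob@corp", datetime(2002, 8, 31, 23, 59, 59)),
    BufferedStopRequest("cams", "sess-0003", "alice@corp", datetime(2002, 9, 1, 0, 0, 1)),
]

if __name__ == "__main__":
    hits = select_stop_requests(SAMPLE_BUFFER, time_range="0:0:0-2002/08/31 23:59:59-2002/08/31")
    print(f"Total find {len(hits)} record")
```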
2.2.9 key
Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS scheme view
Parameter
accounting: Sets the encryption key for RADIUS accounting packets.
authentication: Sets the encryption key for RADIUS authentication/authorization packets.
string: Specifies the key, a character string of up to 16 characters. By default, the key is null.
Description
Use the key command to configure the encryption key for RADIUS authentication/authorization or accounting packets.
Use the undo key command to restore the default key.
The RADIUS client (the switch system) and the RADIUS server use the MD5 algorithm with the configured key to protect the packets they exchange, and each end verifies the packets it receives using that key. Only when the keys are identical do both ends accept each other's packets and respond. It is therefore necessary to ensure that the keys set on the switch and on the RADIUS server are identical. If authentication/authorization and accounting are performed by two different servers with different encryption keys, set the two keys separately.
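The key check described above, as an added example that is not code from the H3C manual or its switch software: it assumes the standard RADIUS Response Authenticator of RFC 2865 (MD5 over the packet header, the request authenticator, the attributes and the shared key), builds one Access-Request/Access-Accept exchange with constructed contents, and shows that the client only accepts the reply when its key matches the server's.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20               # code(1) + identifier(1) + length(2) + authenticator(16)
USER_NAME_ATTR = 1


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    return bytes((attr_type, 2 + len(value))) + value


def build_packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes)) + authenticator + attributes


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, key: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    This binds the reply to the request and to the shared key; it does not encrypt the payload."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + key).digest()


def server_reply(request: bytes, attributes: bytes, key: bytes) -> bytes:
    """Server side: an Access-Accept whose authenticator is computed with the server's key."""
    ident, request_auth = request[1], request[4:HEADER_LEN]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attributes, key)
    return build_packet(ACCESS_ACCEPT, ident, auth, attributes)


def client_accepts(reply: bytes, request_auth: bytes, key: bytes) -> bool:
    """Client side: recompute with the locally configured key and compare in constant time.
    A reply computed with a different key, or modified in transit, is rejected."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[HEADER_LEN:], key)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def exchange(client_key: bytes, server_key: bytes) -> bool:
    """One request/response with the given keys; True if the client accepts the reply."""
    request_auth = bytes(range(16))      # constructed; a real client uses 16 random octets
    attrs = attribute(USER_NAME_ATTR, b"user1")
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)
    reply = server_reply(request, attrs, server_key)
    return client_accepts(reply, request_auth, client_key)


if __name__ == "__main__":
    print("same key on both ends:", exchange(b"hello", b"hello"))      # True
    print("mismatched keys:      ", exchange(b"hello", b"h3llo"))      # False
```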
Related command: primary accounting, primary authentication, radius scheme.
Example
# Set the authentication/authorization key of the RADIUS scheme, test, to hello.
[H3C-radius-test] key authentication hello
# Set the accounting packet key of the RADIUS scheme, test, to ok.
[H3C-radius-test] key accounting ok
2.2.10 local-server
Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address
View
System view
Parameter
nas-ip ip-address: Sets the NAS-IP address of the access server. ip-address is expressed in dotted decimal notation. By default, there is a local server with the NAS-IP address 127.0.0.1.
key password: Sets the password of the logon user. password is a character string of up to 16 characters. By default, the key is null.
Description
Use the local-server command to configure the parameters of the local RADIUS server. Use the undo local-server command to cancel a local RADIUS server.
RADIUS service, which uses authentication/authorization/accounting servers to manage users, is widely used in H3C series switches. Besides, these products also provide a local authentication/authorization service, called the local RADIUS function, which implements basic RADIUS functions on the switch itself.
Caution:
l When using the local RADIUS server function of H3C, note that the UDP port used for authentication is 1645 and the port used for accounting is 1646.
l The password configured by this command must be the same as the key for RADIUS authentication/authorization packets configured by the key authentication command in RADIUS scheme view.
l When operating as a local RADIUS server, an H3C S9500 Series Routing Switch supports CHAP and PAP authentication but not EAP MD5-challenge authentication.
H3C series switches support up to 16 local RADIUS schemes.
Related command: radius scheme, state.
Example
# Set the IP address of local RADIUS scheme to 10.110.1.2 and the password to test.
[H3C] local-server nas-ip 10.110.1.2 key test
2.2.11 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS scheme view
Parameter
ip-address: Source IP address which is expressed in the format of dotted decimal notation.
Description
Use the nas-ip command to configure the source IP address that the NAS (switch) uses to send RADIUS packets. All packets sent to the RADIUS server then carry the same source IP address.
Use the undo nas-ip command to remove the configuration.
By specifying the source IP address used to send RADIUS packets, you avoid the server's replies becoming unreachable when a physical interface fails. Using a Loopback interface address is recommended.
By default, the source IP address of the packets is the IP address of the VLAN interface to which the port connected to the server belongs.
Related commands: display radius, radius nas-ip.
Example
# Configure the IP address that NAS (switch) uses to send RADIUS packets as 10.1.1.1.
[H3C] radius scheme test1
[H3C-radius-test1] nas-ip 10.1.1.1
2.2.12 primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal format.
port-number: Specifies the UDP port number, ranging from 1 to 65535.
Description
Use the primary accounting command to configure the IP address and port number of the primary RADIUS accounting server.
Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server. By default, the primary accounting server of the RADIUS scheme created by the system, named “system”, uses IP address 127.0.0.1 and UDP port 1646. The primary accounting server of a newly created RADIUS scheme uses IP address 0.0.0.0 and UDP port 1813.
After creating a RADIUS scheme, you need to set the IP address and UDP port of each RADIUS server the scheme uses, that is, the authentication/authorization server and the accounting server, and you can set a primary and a secondary server of each kind. Although these settings depend on the specific deployment, at least one authentication/authorization server and one accounting server are required. Make sure the RADIUS port settings on the switch are identical to those on the RADIUS servers.
Related command: key, radius scheme, state.
Example
# Set the IP address of the primary accounting server of RADIUS scheme, “test”, to 10.110.1.2 and the UDP port 1813 to provide RADIUS accounting service.
[H3C-radius-test] primary accounting 10.110.1.2 1813
2.2.13 primary authentication
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal format.
port-number: Specifies the UDP port number, ranging from 1 to 65535.
Description
Use the primary authentication command to configure the IP address and port number of the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.
By default, the primary authentication server of the RADIUS scheme created by the system, named “system”, uses IP address 127.0.0.1 and UDP port 1645; its secondary authentication server uses IP address 0.0.0.0 and UDP port 1812. The primary and secondary authentication servers of a newly created RADIUS scheme both use IP address 0.0.0.0 and UDP port 1812.
After creating a RADIUS scheme, set the IP addresses and UDP port numbers of its RADIUS servers, including the primary/secondary authentication/authorization servers and accounting servers. In real networks these parameters are set according to the specific requirements, but at least one authentication/authorization server and one accounting server must be set. Also ensure that the RADIUS service port settings on the switch are consistent with the port settings on the RADIUS server.
Related command: key, radius scheme , state.
Example
# Set the IP address of the primary authentication/authorization server of RADIUS scheme, “test”, to 10.110.1.1 and the UDP port 1812 to provide RADIUS authentication/authorization service.
[H3C-radius-test] primary authentication 10.110.1.1 1812
2.2.14 radius nas-ip
Syntax
radius nas-ip ip-address [ vpn-instance vpn-instance-name ]
undo radius nas-ip [ vpn-instance vpn-instance-name ]
View
System view
Parameter
ip-address: Source IP address expressed in dotted decimal notation. It must be a legal unicast address.
vpn-instance-name: Name of the VPN instance, a string of 1 to 19 characters.
Description
Use the radius nas-ip command to configure the nas-ip of the global public network. Only one public network nas-ip can be configured globally. Use the radius nas-ip ip-address vpn-instance command to configure the nas-ip of the global private network. Only one nas-ip can be configured for each private network and a maximum of 16 private networks can be configured.
Use the undo radius nas-ip command to cancel the nas-ip configuration for global public network. Use the undo radius nas-ip vpn-instance command to cancel the nas-ip configuration for a private network.
Related command: display radius nas-ip.
Example
# Configure the source IP address that the switch uses to send RADIUS packets as 129.10.10.1.
<H3C>system-view
[H3C] radius nas-ip 129.10.10.1
2.2.15 radius scheme
Syntax
radius scheme radius-server-name
undo radius scheme radius-server-name
View
System view
Parameter
radius-server-name: Specifies the RADIUS scheme name with a character string not exceeding 32 characters.
Description
Use the radius scheme command to configure a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete the specified RADIUS scheme.
By default, a RADIUS scheme named system exists, with all of its attributes at their default values.
RADIUS protocol configuration is performed on a per-RADIUS-scheme basis. Every RADIUS scheme shall at least specify the IP address and UDP port number of the RADIUS authentication/authorization/accounting servers and the parameters the RADIUS client end (switch system) needs to exchange with them. So it is necessary to create the RADIUS scheme and enter its view before performing other RADIUS protocol configuration.
A RADIUS scheme can be used by several ISP domains at the same time. You can configure up to 16 RADIUS schemes, including the default scheme named system.
Although undo radius scheme removes a specified RADIUS scheme, the default scheme cannot be removed. Note that a scheme currently in use by online users cannot be removed either.
Related command: key, retry realtime-accounting, radius-scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius, display radius statistics.
Example
# Create a RADIUS scheme named “test” and enter its view.
[H3C] radius scheme test
[H3C-radius-test]
2.2.16 reset radius statistics
Syntax
reset radius statistics
View
User view
Parameter
None
Description
Use the reset radius statistics command to clear the statistic information related to the RADIUS protocol.
Related command: display radius.
Example
# Clear the RADIUS protocol statistics.
<H3C> reset radius statistics
2.2.17 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameter
radius-scheme radius-scheme-name: Deletes the stop-accounting requests from the buffer by RADIUS scheme name. radius-scheme-name specifies the RADIUS scheme name, a character string of up to 32 characters.
session-id session-id: Deletes the stop-accounting requests from the buffer by session ID. session-id specifies the session ID, a character string of up to 50 characters.
time-range start-time stop-time: Deletes the stop-accounting requests from the buffer by the time they were saved. start-time specifies the start and stop-time the end of the time range, both expressed in the format hh:mm:ss-yyyy/mm/dd. When this parameter is specified, all stop-accounting requests saved between start-time and stop-time are deleted.
user-name user-name: Deletes the stop-accounting requests from the buffer by username. user-name specifies the username, a character string of up to 32 characters that must not contain “/”, “:”, “*”, “?”, “<” or “>”. The @ character can appear only once in a username. The pure username (the part before @, namely the user ID) cannot exceed 24 characters.
Description
Use the reset stop-accounting-buffer command to delete the stop-accounting requests that have received no response and are saved in the buffer.
If a stop-accounting request gets no response from the RADIUS server after transmission, the switch saves the packet in the buffer and retransmits it a number of times, which is set through the retry stop-accounting command.
You can delete the packets sent to a specified RADIUS scheme, delete them by session ID or username, or delete the packets saved during a specified time range.
Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Example
# Delete the stop-accounting requests saved in the system buffer for the user [email protected].
<H3C> reset stop-accounting-buffer user-name [email protected]
# Delete the stop-accounting requests saved in the system buffer from 0:0:0 to 23:59:59 on August 31, 2002.
<H3C> reset stop-accounting-buffer time-range 0:0:0-2002/08/31 23:59:59-2002/08/31
2.2.18 retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Parameter
retry-times: Specifies the maximum times of retransmission, ranging from 1 to 20. By default, the value is 3.
Description
Use the retry command to configure the number of times a RADIUS request packet is retransmitted.
Use the undo retry command to restore the default number of retransmissions.
Because the RADIUS protocol uses UDP to carry its data, communication is not reliable. If the RADIUS server has not responded to the NAS before the timeout expires, the NAS has to retransmit the RADIUS request packet. Suppose the maximum number of retransmissions is N. If the accumulated number of transmissions exceeds N-[N/2] and the primary RADIUS server still gives no answer, the NAS considers communication with the current RADIUS server lost and sends the request to another RADIUS server.
Setting a suitable retry count according to the network conditions can speed up the system response.
Related command: radius scheme.
Example
# Set the maximum number of RADIUS request retransmissions to 5 in the RADIUS scheme “test”.
[H3C-radius-test] retry 5
2.2.19 retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Parameter
retry-times: Specifies the maximum number of real-time accounting requests that may go unanswered, ranging from 1 to 255. By default, up to 5 accounting requests may go unanswered.
Description
Use the retry realtime-accounting command to configure the maximum number of real-time accounting requests that may go unanswered.
Use the undo retry realtime-accounting command to restore this maximum to the default value.
The RADIUS server usually uses a timeout timer to check whether a user is online. If the RADIUS server does not receive real-time accounting packets from the NAS, it assumes a line or device failure and stops accounting. Accordingly, when such an unexpected failure occurs, the user needs to be disconnected at the NAS end and on the RADIUS server synchronously. H3C Series Switches support setting the maximum number of real-time accounting requests that may go unanswered; the NAS disconnects the user once it has failed to receive a real-time accounting response from the RADIUS server that many times.
To calculate the value: suppose the RADIUS server connection times out after T and the real-time accounting interval of the NAS is t; then the integer part of T divided by t is the value to configure. Therefore, it is recommended that T be exactly divisible by t.
Related command: radius scheme, timer realtime-accounting.
Example
# Set the maximum number of unanswered real-time accounting requests to 10 in the RADIUS scheme named "test".
[H3C-radius-test] retry realtime-accounting 10
2.2.20 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Parameter
retry-times: Maximum number of retransmissions of a buffered stop-accounting request, ranging from 10 to 65535. By default, the value is 500.
Description
Use the retry stop-accounting command to configure the maximum number of retransmissions of a stop-accounting request that has been saved in the buffer because it got no response.
Use the undo retry stop-accounting command to restore the default number of retransmissions.
Because the stop-accounting request concerns the account balance and affects the amount charged, which is very important for both the user and the ISP, the NAS shall make its best effort to deliver the message to the RADIUS accounting server. Accordingly, if a message from the switch to the RADIUS accounting server receives no response, the switch saves it in the local buffer and retransmits it until the server responds, or discards it after the specified number of transmissions.
Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Example
# Configure the switch to retransmit a buffered stop-accounting request to the server configured for the RADIUS scheme “test” up to 1000 times.
[H3C-radius-test] retry stop-accounting 1000
2.2.21 secondary accounting
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal format. By default, the IP address of the secondary accounting server is 0.0.0.0.
port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the accounting service is provided via UDP 1813.
Description
Use the secondary accounting command to configure the IP address and port number for the secondary RADIUS accounting server.
Use the undo secondary accounting command to restore the IP address and port number to default values.
For detailed information, read the description of the primary accounting command.
Related command: key, radius scheme, state.
Example
# Set the IP address of the secondary accounting server of RADIUS scheme, test, to 10.110.1.1 and the UDP port 1813 to provide RADIUS accounting service.
[H3C-radius-test] secondary accounting 10.110.1.1 1813
2.2.22 secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
RADIUS scheme view
Parameter
ip-address: IP address, in dotted decimal format. By default, the IP address of secondary authentication/authorization server is 0.0.0.0.
port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the authentication/authorization service is provided via UDP 1812.
Description
Use the secondary authentication command to configure the IP address and port number for the secondary RADIUS authentication/authorization server.
Use the undo secondary authentication command to restore the IP address and port number to default values.
For detailed information, read the description of the primary authentication command.
Related command: key, radius scheme, state.
Example
# Set the IP address of the secondary authentication/authorization server of RADIUS scheme, “test”, to 10.110.1.2 and the UDP port 1812 to provide RADIUS authentication/authorization service.
[H3C-radius-test] secondary authentication 10.110.1.2 1812
2.2.23 server-type
Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Parameter
extended: Configures the switch system to support a RADIUS server of the extended type, which requires the RADIUS client end (switch system) and the RADIUS server to interact according to the private RADIUS protocol rules and packet format of H3C Technologies Co., Ltd.
standard: Configures the switch system to support a RADIUS server of the standard type, which requires the RADIUS client end (switch system) and the RADIUS server to interact according to the rules and packet format of the standard RADIUS protocol (RFC 2138/2139 or newer).
Description
Use the server-type command to configure the RADIUS scheme type supported by the switch.
Use the undo server-type command to restore the RADIUS scheme type to the default value.
The default RADIUS server type of a newly created RADIUS scheme is standard. The RADIUS server type of the default RADIUS scheme (with a name of “system”), which is created by the system, is extended.
H3C S9500 Series Routing Switches support the standard RADIUS protocol and the extended RADIUS service platforms (IP Hotel, 201+, Portal, etc.) independently developed by H3C. This command selects the supported RADIUS scheme type.
Related command: radius scheme.
Example
# Set RADIUS scheme type of RADIUS scheme “test”, to extended.
[H3C-radius-test] server-type extended
2.2.24 state
Syntax
state { primary | secondary } { accounting | authentication } { block | active }
View
RADIUS scheme view
Parameter
primary: Sets the state of the primary RADIUS server.
secondary: Sets the state of the secondary RADIUS server.
accounting: Sets the state of the RADIUS accounting server.
authentication: Sets the state of the RADIUS authentication/authorization server.
block: Sets the RADIUS server to the block state.
active: Sets the RADIUS server to the active state, namely the normal operation state.
Description
Use the state command to configure the state of a RADIUS server.
By default, all the RADIUS servers in every RADIUS scheme are in the active state.
For the primary and secondary servers (whether authentication/authorization or accounting servers), if the primary server is disconnected from the NAS because of a fault, the NAS automatically turns to exchanging packets with the secondary server. However, after the primary server recovers, the NAS does not resume communication with it at once; it continues communicating with the secondary server. When the secondary server fails to communicate, the NAS turns to the primary server again. This command sets the primary server to active manually, so that the NAS can communicate with it right after the troubleshooting.
When the primary and secondary servers are both active or both block, the NAS sends packets to the primary server only.
Related command: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.
Example
# Set the secondary authentication server of RADIUS scheme, “test”, to be Active.
[H3C-radius-test] state secondary authentication active
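The selection rule above (primary while active, secondary while only the secondary is active, primary again when both are blocked), together with the quiet timer set by timer quiet (2.2.26) and the manual override of the state command, is easier to reason about as a small model. The following Python is an added illustration, not H3C code: the switch's real scheduler is not published, so the model follows the manual's wording, and it assumes that a failed exchange moves a server to block and that the server returns to active when the quiet time has elapsed or when an administrator runs state ... active. Server addresses and times in timeline() are constructed.

```python
# Model of RADIUS server selection (state command + timer quiet). Added
# illustration, not H3C code; assumptions: a failed exchange blocks a
# server, and it becomes active again when the quiet timer expires or on a
# manual `state ... active`.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    state: str = "active"               # "active" or "block"
    blocked_at: Optional[float] = None  # seconds; when the block started


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondary: RadiusServer
    quiet_minutes: int = 5              # timer quiet, default 5 minutes

    def _server(self, role: str) -> RadiusServer:
        return self.primary if role == "primary" else self.secondary

    def _expire_quiet_timers(self, now: float) -> None:
        # A blocked server resumes the active state once the quiet time has passed.
        for srv in (self.primary, self.secondary):
            if (srv.state == "block" and srv.blocked_at is not None
                    and now - srv.blocked_at >= self.quiet_minutes * 60):
                srv.state, srv.blocked_at = "active", None

    def select(self, now: float) -> str:
        """Name of the server the NAS sends the next request to at time `now`.

        Primary while it is active; secondary while only the secondary is
        active; primary when both are blocked (packets go to the primary only
        when both servers are in the same state).
        """
        self._expire_quiet_timers(now)
        if self.primary.state == "active":
            return self.primary.name
        if self.secondary.state == "active":
            return self.secondary.name
        return self.primary.name

    def report_failure(self, role: str, now: float) -> None:
        """Communication with `role` failed: block it and start its quiet timer."""
        srv = self._server(role)
        srv.state, srv.blocked_at = "block", now

    def set_state(self, role: str, state: str) -> None:
        """state { primary | secondary } ... { block | active } done by hand.

        A manual `active` skips the remaining quiet time, which is why the
        manual recommends it right after the fault is fixed.
        """
        if state not in ("active", "block"):
            raise ValueError("state must be 'active' or 'block'")
        srv = self._server(role)
        srv.state, srv.blocked_at = state, None


def timeline() -> List[Tuple[int, str]]:
    """Walk through a primary outage; returns (minute, chosen server) pairs."""
    scheme = RadiusScheme(RadiusServer("10.1.1.1"), RadiusServer("10.1.1.2"))
    events = [(0, scheme.select(0))]              # healthy: primary
    scheme.report_failure("primary", 60)          # primary stops answering at minute 1
    events.append((1, scheme.select(60)))         # secondary takes over
    events.append((5, scheme.select(5 * 60)))     # quiet time (5 min) not over yet
    events.append((6, scheme.select(6 * 60)))     # quiet timer expired: primary again
    scheme.report_failure("primary", 7 * 60)      # fails again at minute 7 ...
    scheme.set_state("primary", "active")         # ... and is forced active by hand
    events.append((7, scheme.select(7 * 60)))     # primary immediately
    return events
```

The point the model makes visible is that a recovered primary server is not used again until its quiet timer runs out; timer quiet sets how long that is, and state primary ... active is the way to cut it short.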
2.2.25 stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Parameter
None
Description
Use the stop-accounting-buffer enable command to have the switch keep stop-accounting requests that get no response in its local buffer.
Use the undo stop-accounting-buffer enable command to stop buffering such requests.
By default, unanswered stop-accounting requests are buffered.
A stop-accounting request closes the accounting record of a session and therefore determines how much the user is charged, which matters to both the user and the ISP, so the NAS makes its best effort to deliver it to the RADIUS accounting server. If the server does not respond, the switch keeps the request in its local buffer and retransmits it until the server responds, or discards it after the configured maximum number of transmissions.
Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Example
# Enable the switch to buffer the stop-accounting requests that get no answer from the server configured for the RADIUS scheme "test".
[H3C-radius-test] stop-accounting-buffer enable
2.2.26 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Parameter
minutes: Quiet time, in the range 1 to 255 minutes. By default, the primary server waits 5 minutes before it resumes the active state.
Description
Use the timer quiet command to set the time the primary server stays blocked before it resumes the active state.
Use the undo timer quiet command to restore the default configuration.
This command stops the switch from sending user request packets to a server for a period after communication with that server is interrupted. Once the switch has waited at least the time set by this command, it starts sending user request packets to the server again.
Related command: display radius
Example
# Set the quiet timer of the primary server to 10 minutes.
[H3C] radius scheme test1
[H3C-radius-test1] timer quiet 10
2.2.27 timer realtime-accounting
Syntax
timer realtime-accounting minute
undo timer realtime-accounting
View
RADIUS scheme view
Parameter
minute: Real-time accounting interval in minutes, in the range 3 to 60; it must be a multiple of 3. By default, the value is 12.
Description
Use the timer realtime-accounting command to configure the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
To implement real-time accounting, a real-time accounting interval must be set. Once it is set, the NAS sends the accounting information of online users to the RADIUS server at that interval.
The value of minute depends on the performance of the NAS and the RADIUS server: the smaller the value, the higher the load on both. When there are many users (1000 or more), a larger value is recommended. The following table gives the recommended interval by number of users.
Table 2-3 Recommended ratio of minute to number of users

Number of users | Real-time accounting interval (in minutes)
---|---
1 to 99 | 3
100 to 499 | 6
500 to 999 | 12
≥1000 | ≥15
Related command: retry realtime-accounting , radius scheme.
Example
# Set the real-time accounting interval of RADIUS scheme, “test”, to 51 minutes.
[H3C-radius-test] timer realtime-accounting 51
2.2.28 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Parameter
seconds: The value range is 1 to 10 in seconds. The default response timeout value of the RADIUS server is 3 seconds.
Description
Use the timer response-timeout command to set the response-timeout value of RADIUS server.
Use the undo timer response-timeout command to restore the default configuration.
Related command: display radius.
Example
# Set the response timeout value of the RADIUS server to 5 seconds.
[H3C] radius scheme test1
[H3C-radius-test1] timer response-timeout 5
2.2.29 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS scheme view
Parameter
with-domain: Specifies to send the username with domain name to RADIUS server.
without-domain: Specifies to send the username without domain name to RADIUS server.
Description
Use the user-name-format command to configure the username format sent to RADIUS server.
By default, a newly created RADIUS scheme sends usernames to RADIUS servers with the ISP domain name; the "system" RADIUS scheme created by the system sends them without it.
Supplicants are generally named in the userid@isp-name format, where the part following “@” is the ISP domain name; the switch uses it to assign users to ISP domains. Some earlier RADIUS servers reject usernames that carry an ISP domain name, in which case the domain name must be stripped before the username is sent. This command decides whether the username sent to the RADIUS server carries the ISP domain name or not.
& Note:
If a RADIUS scheme is configured to send usernames without the ISP domain name, do not reference that scheme from more than one ISP domain. Otherwise the RADIUS server cannot tell apart two users in different ISP domains who have the same userid, because both are sent under the same name.
Related command: radius scheme.
Example
# Specify to send the username without domain name to RADIUS scheme "test".
[H3C-radius-test] user-name-format without-domain
2.2.30 vpn-instance
Syntax
vpn-instance vpn-name
View
RADIUS scheme view
Parameter
vpn-name: The name of the VPN instance, which is a string of 1 to 19 characters.
Description
Use the vpn-instance command to configure the VPN that the RADIUS scheme belongs to.
Use the undo vpn-instance command to cancel the configuration for VPN.
The VPN instance must already exist and have an RD assigned. A RADIUS scheme can be bound to only one VPN.
& Note:
Once a VPN is specified for a RADIUS scheme, the configured nas-ip must belong to the VLAN bound to that VPN; otherwise the packets cannot be sent. The same applies to the global RADIUS nas-ip.
Related command: radius scheme.
Example
# Specify the VPN to which the RADIUS server belongs in the RADIUS scheme “test” as vpn1.
[H3C-radius-test] vpn-instance vpn1
2.3 HWTACACS Configuration Commands
2.3.1 data-flow-format
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
HWTACACS view
Parameter
data: Sets data unit.
byte: Sets 'byte' as the unit of data flow.
giga-byte: Sets 'giga-byte' as the unit of data flow.
kilo-byte: Sets 'kilo-byte' as the unit of data flow.
mega-byte: Sets 'mega-byte' as the unit of data flow.
packet: Sets data packet unit.
giga-packet: Sets 'giga-packet' as the unit of packet flow.
kilo-packet: Sets 'kilo-packet' as the unit of packet flow.
mega-packet: Sets 'mega-packet' as the unit of packet flow.
one-packet: Sets 'one-packet' as the unit of packet flow.
Description
Use the data-flow-format command to configure the units of the data flow reported to the TACACS server.
Use the undo data-flow-format command to restore the unit to the default setting.
By default, the data unit is byte and the data packet unit is one-packet.
Related command: display hwtacacs.
Example
# In HWTACACS scheme test, set the data unit of the data flow sent to the TACACS server to kilo-byte and the packet unit to kilo-packet.
[H3C-hwtacacs-test] data-flow-format data kilo-byte packet kilo-packet
2.3.2 debugging hwtacacs
Syntax
debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
View
User view
Parameter
all: Enables all HWTACACS debugging.
error: Enables error debugging.
event: Enables event debugging.
message: Enables message debugging.
receive-packet: Enables incoming packet debugging.
send-packet: Enables outgoing packet debugging.
Description
Use the debugging hwtacacs command to enable HWTACACS debugging.
Use the undo debugging hwtacacs command to disable HWTACACS debugging.
By default, HWTACACS debugging is disabled.
Example
# Enable the event debugging of HWTACACS.
<H3C> debugging hwtacacs event
2.3.3 display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name]
View
Any view
Parameter
hwtacacs-scheme-name: Name of the HWTACACS scheme, a case-insensitive string of 1 to 32 characters, excluding "?". If this argument is omitted, the configuration of all HWTACACS schemes is displayed.
Description
Use the display hwtacacs command to view configuration information of one or all HWTACACS schemes.
By default, configuration information of all HWTACACS schemes is displayed.
Related command: hwtacacs scheme.
Example
# Display the configuration information of the HWTACACS scheme gy.
<H3C> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
Source-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : No
Traffic-unit : B
Packet traffic-unit : one-packet
2.3.4 display stop-accounting-buffer hwtacacs-scheme
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
Any view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered stop-accounting requests related to the HWTACACS scheme specified by hwtacacs-scheme-name, a character string not exceeding 32 characters, excluding “?”.
Description
Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the switch.
Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.
Example
# Display information on the buffered stop-accounting requests related to the HWTACACS scheme “test".
<H3C> display stop-accounting-buffer hwtacacs-scheme test
%No accounting stop packet exists.
2.3.5 hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameter
ip-address: Source IP address. It must be an address of the local host and cannot be a class A, B or C broadcast address, a class D address, the all-zero address, or an address beginning with 127.
Description
Use the hwtacacs nas-ip command to specify the source address of the HWTACACS packets sent by the NAS.
Use the undo hwtacacs nas-ip command to restore the default setting.
Specifying the source address keeps the server's replies from becoming unreachable when a physical interface fails. A loopback interface address is normally recommended.
A nas-ip configured in HWTACACS view takes precedence over one configured with this command in system view.
By default, no source address is specified, and the address of the interface that sends the packet is used as the source address.
Only one source address can be specified with this command, so a newly configured address overwrites the previous one.
Example
# Configure the switch to send HWTACACS packets from 129.10.10.1.
[H3C] hwtacacs nas-ip 129.10.10.1
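The address rules for nas-ip above are the kind of check worth having in any tool that generates or audits this configuration. The validator below is an added example, not H3C code: it implements exactly the rules the manual states (classful A/B/C broadcast, class D, all-zero, 127/8), and additionally rejects class E addresses (240 and above), which is an assumption of this example. Whether the address really belongs to the local host cannot be checked offline and is left to the operator.

```python
# Validator for the nas-ip address rules (hwtacacs nas-ip / nas-ip).
# Added example, not H3C code. Rejecting class E (first octet >= 240) is
# an assumption of this example; the manual does not mention class E.
import ipaddress
from typing import Optional


def nas_ip_error(text: str) -> Optional[str]:
    """Return None when `text` is acceptable as a nas-ip source address,
    otherwise a short reason taken from the manual's rules."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return "not a dotted-decimal IPv4 address"
    value = int(ip)
    first = value >> 24
    if value == 0:
        return "all-zero address"
    if first == 127:
        return "address beginning with 127"
    if 224 <= first <= 239:
        return "class D address"
    if first >= 240:
        return "class E address (assumed invalid: not a unicast class)"
    # Classful directed broadcast: the host part of the class is all ones.
    if first < 128:
        cls, host_bits = "A", 24
    elif first < 192:
        cls, host_bits = "B", 16
    else:
        cls, host_bits = "C", 8
    host_mask = (1 << host_bits) - 1
    if value & host_mask == host_mask:
        return f"class {cls} broadcast address"
    return None


def check_nas_ip(text: str) -> str:
    """Raise ValueError with the reason if `text` is not a valid nas-ip."""
    reason = nas_ip_error(text)
    if reason is not None:
        raise ValueError(f"nas-ip {text}: {reason}")
    return text
```

The classful checks are deliberate: the manual words the rule in classes, not in CIDR, so 10.255.255.255 is rejected even though it is a perfectly good host address inside a 10.0.0.0/8 that has been subnetted.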
2.3.6 hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Parameter
hwtacacs-scheme-name: Name of an HWTACACS scheme, a string of up to 32 characters.
Description
Use the hwtacacs scheme command to enter HWTACACS view. If the specified scheme does not exist, it is created first.
Use the undo hwtacacs scheme command to delete an HWTACACS scheme.
Example
# Create an HWTACACS scheme named test1 and enter HWTACACS view.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1]
2.3.7 key
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string
View
HWTACACS view
Parameter
accounting: Shared key of the accounting server.
authentication: Shared key of the authentication server.
authorization: Shared key of the authorization server.
string: Shared key, a string up to 16 characters excluding the characters “?”.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.
Use the undo key command to delete the configuration.
By default, no key is set.
The HWTACACS client (the switch) and the HWTACACS server protect the packets they exchange with an MD5-based keystream derived from the shared key, and each end can only make sense of, and respond to, packets protected with the same key. The key must therefore be identical on the switch and the HWTACACS server. If authentication/authorization and accounting are handled by different servers with different shared keys, set a separate key for each. Note that display hwtacacs shows the configured keys in clear text.
Related command: display hwtacacs.
Example
# Use “hello” as the shared key for HWTACACS accounting.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] key accounting hello
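To see what "MD5 with a shared key" means on the wire, the following Python implements the TACACS+ body obfuscation of RFC 8907, section 4.5: the body is XORed with a keystream made of chained MD5 digests of session id, key, version and sequence number. This is an added example, not H3C code, and it assumes HWTACACS uses the standard TACACS+ keystream, which the manual does not state; the session id, version byte and sample body are constructed. The key 790131 is the one shown in the display hwtacacs output above.

```python
# TACACS+ body obfuscation (RFC 8907, section 4.5). Added example, not H3C
# code; assumes HWTACACS uses the standard TACACS+ keystream. Session id,
# version byte and SAMPLE_BODY are constructed.
import hashlib
import struct

# Constructed stand-in for an authentication START body: a few header
# fields followed by a user name and a port name.
SAMPLE_BODY = b"\x01\x01\x01\x01\x05\x08\x00\x00" + b"alice" + b"console0"


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream of `length` bytes:
        pad_1 = MD5(session_id | key | version | seq_no)
        pad_n = MD5(session_id | key | version | seq_no | pad_{n-1})
    session_id is 4 bytes in network order; version and seq_no are 1 byte each.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the keystream. XOR is its own inverse, so the same
    call recovers a body received from the peer."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def server_recovers_body(wire_body: bytes, session_id: int, server_key: bytes, seq_no: int = 1) -> bool:
    """Crude stand-in for what a server sees: with the right key the recovered
    body starts with the expected field layout; with a wrong key it is noise.
    There is no integrity check in the protocol to make this explicit."""
    recovered = obfuscate(wire_body, session_id, server_key, seq_no=seq_no)
    return recovered[:8] == SAMPLE_BODY[:8]


def demo() -> bool:
    """Client sends with 790131; server with the same key reads it, a server
    with a different key does not."""
    sid = 0x0102ABCD
    wire = obfuscate(SAMPLE_BODY, sid, b"790131")
    return server_recovers_body(wire, sid, b"790131") and not server_recovers_body(wire, sid, b"790132")
```

Two practical consequences follow from the construction. A key mismatch does not produce an error message at the protocol level: the peer simply reads garbage, which shows up as failed authentications or parse errors, so the key is the first thing to compare when a scheme stops working. And because the keystream is reused for every packet with the same session id and sequence number and carries no integrity check, RFC 8907 itself calls this obfuscation rather than encryption; the transport between switch and server still needs to be a trusted one.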
2.3.8 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS view
Parameter
ip-address: Source IP address, in dotted decimal format.
Description
Use the nas-ip command to set the source IP address of the HWTACACS packets sent by the NAS (switch), so that all packets sent to the TACACS server carry the same source IP address.
Use the undo nas-ip command to delete the configuration.
Specifying the source address keeps the server's replies from becoming unreachable when a physical interface fails. A loopback interface address is generally recommended.
By default, the source IP address is the address of the VLAN interface of the VLAN to which the port connecting to the server belongs.
Related command: display hwtacacs and hwtacacs nas-ip.
Example
# Configure the source IP address for HWTACACS packets sent from the NAS (switch) to 10.1.1.1.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] nas-ip 10.1.1.1
2.3.9 primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary accounting command to configure a primary TACACS accounting server.
Use the undo primary accounting command to delete the configured primary TACACS accounting server.
By default, the IP address of the TACACS accounting server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove the accounting server of a TACACS scheme only when no active TCP connection is using it to send accounting packets; the removal affects only packets sent afterwards.
Example
# Configure a primary accounting server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary accounting 10.163.155.12 49
2.3.10 primary authentication
Syntax
primary authentication ip-address [ port-number]
undo primary authentication
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authentication command to configure a primary TACACS authentication server.
Use the undo primary authentication command to delete the configured authentication server.
By default, the IP address of the TACACS authentication server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove the authentication server of a TACACS scheme only when no active TCP connection is using it to send authentication packets; the removal affects only packets sent afterwards.
Related command: display hwtacacs.
Example
# Configure a primary authentication server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary authentication 10.163.155.13 49
2.3.11 primary authorization
Syntax
primary authorization ip-address [ port-number ]
undo primary authorization
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authorization command to configure a primary TACACS authorization server.
Use the undo primary authorization command to delete the configured primary authorization server.
By default, the IP address of the TACACS authorization server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove the authorization server of a TACACS scheme only when no active TCP connection is using it to send authorization packets; the removal affects only packets sent afterwards.
Related command: display hwtacacs.
Example
# Configure a primary authorization server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary authorization 10.163.155.13 49
2.3.12 reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }
View
User view
Parameter
accounting: Clears all the HWTACACS accounting statistics.
authentication: Clears all the HWTACACS authentication statistics.
authorization: Clears all the HWTACACS authorization statistics.
all: Clears all statistics.
Description
Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.
Related command: display hwtacacs.
Example
# Clear all HWTACACS protocol statistics.
<H3C> reset hwtacacs statistics
2.3.13 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameter
hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of the specified HWTACACS scheme. hwtacacs-scheme-name is a string of up to 32 characters, excluding “?”.
Description
Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the switch.
Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Example
# Delete the buffered stop-accounting requests that are related to the HWTACACS scheme “test”.
<H3C> reset stop-accounting-buffer hwtacacs-scheme test
2.3.14 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS view
Parameter
retry-times: Maximum number of times a stop-accounting request is transmitted, in the range 1 to 300. The default is 100.
Description
Use the retry stop-accounting command to enable stop-accounting packet retransmission and set the maximum number of transmissions per request.
Use the undo retry stop-accounting command to restore the default setting.
By default, stop-accounting packet retransmission is enabled and each request is transmitted up to 100 times.
Related command: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.
Example
# Enable stop-accounting packet retransmission and allow each request to be transmitted up to 50 times.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] retry stop-accounting 50
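The interaction between the buffer (stop-accounting-buffer enable, 2.2.25), the transmission limit (retry stop-accounting, this section) and reset stop-accounting-buffer is worth seeing end to end, because the limit is the point at which a session's accounting stop is lost for good. The Python below is an added model, not H3C code: the manual does not describe the retransmission timer, so one call to retransmit() stands for one timer tick, and the accounting server is a constructed stub that ignores a configurable number of requests.

```python
# Model of the stop-accounting buffer with bounded retransmission. Added
# example, not H3C code; one retransmit() call stands for one timer tick
# (the real timer is not described in the manual). The server stub is
# constructed.
from collections import deque
from typing import Callable, Deque, List


class StopAccountingBuffer:
    def __init__(self, retry_times: int = 100, enabled: bool = True) -> None:
        if not 1 <= retry_times <= 300:
            raise ValueError("retry-times is 1 to 300")
        self.retry_times = retry_times          # max transmissions per request
        self.enabled = enabled                  # stop-accounting-buffer enable / undo
        self.pending: Deque[List] = deque()     # [request, transmissions so far]
        self.delivered: List[str] = []
        self.discarded: List[str] = []

    def send(self, request: str, server: Callable[[str], bool]) -> bool:
        """First transmission of a stop-accounting request."""
        if server(request):
            self.delivered.append(request)
            return True
        if self.enabled:
            self.pending.append([request, 1])
        else:
            self.discarded.append(request)      # no buffer: the record is lost now
        return False

    def retransmit(self, server: Callable[[str], bool]) -> None:
        """One retransmission round over everything still buffered."""
        for _ in range(len(self.pending)):
            request, sent = self.pending.popleft()
            sent += 1
            if server(request):
                self.delivered.append(request)
            elif sent >= self.retry_times:
                self.discarded.append(request)  # limit reached: give up
            else:
                self.pending.append([request, sent])

    def reset(self) -> int:
        """reset stop-accounting-buffer: drop everything buffered, return the count."""
        dropped = len(self.pending)
        self.pending.clear()
        return dropped


def make_flaky_server(fail_first: int) -> Callable[[str], bool]:
    """Constructed accounting server that ignores the first `fail_first` requests."""
    state = {"seen": 0}

    def server(_request: str) -> bool:
        state["seen"] += 1
        return state["seen"] > fail_first

    return server
```

With the buffer disabled a single lost datagram already loses the stop record; with it enabled the record survives an outage shorter than retry-times ticks. Either way, reset stop-accounting-buffer throws away records the server has not acknowledged, so it belongs after the server is known to be back and the buffer has been inspected with display stop-accounting-buffer, not as a routine clean-up.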
2.3.15 secondary accounting
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the secondary accounting command to configure a secondary TACACS accounting server.
Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.
By default, IP address of TACACS accounting server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove the accounting server of a TACACS scheme only when no active TCP connection is using it to send accounting packets; the removal affects only packets sent afterwards.
Example
# Configure a secondary accounting server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary accounting 10.163.155.12 49
2.3.16 secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
HWTACACS view
Parameter
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the secondary authentication command to configure a secondary TACACS authentication server.
Use the undo secondary authentication command to delete the configured secondary authentication server.
By default, IP address of TACACS authentication server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove the authentication server of a TACACS scheme only when no active TCP connection is using it to send authentication packets; the removal affects only packets sent afterwards.
Related command: display hwtacacs.
Example
# Configure a secondary authentication server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary authentication 10.163.155.13 49
2.3.17 secondary authorization
Syntax
secondary authorization ip-address [ port-number ]
undo secondary authorization
View
HWTACACS view
Parameter
ip-address: IP address of the server, a legal unicast address in dotted decimal format.
port-number: Port number of the server, ranging from 1 to 65535. By default, it is 49.
Description
Use the secondary authorization command to configure a secondary TACACS authorization server.
Use the undo secondary authorization command to delete the configured secondary authorization server.
By default, IP address of TACACS authorization server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove the authorization server of a TACACS scheme only when no active TCP connection is using it to send authorization packets; the removal affects only packets sent afterwards.
Related command: display hwtacacs.
Example
# Configure the secondary authorization server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary authorization 10.163.155.13 49
2.3.18 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS view
Parameter
minutes: Quiet time, in the range 1 to 255 minutes. By default, the primary server waits five minutes before it resumes the active state.
Description
Use the timer quiet command to set the time the primary server stays blocked before it resumes the active state.
Use the undo timer quiet command to restore the default configuration.
This command stops the switch from sending user request packets to a server for a period after communication with that server is interrupted. Once the switch has waited at least the time set by this command, it tries to send packets to the server again.
Related command: display hwtacacs.
Example
# Set the quiet timer for the primary server to ten minutes.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer quiet 10
2.3.19 timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS view
Parameter
minutes: Real-time accounting interval, in the range 3 to 60 minutes; it must be a multiple of 3. By default, it is 12 minutes.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
A real-time accounting interval must be set for real-time accounting to work. Once it is set, the NAS sends the accounting information of online users to the TACACS accounting server at that interval.
The right interval depends on the performance of the NAS and the TACACS server: a shorter interval needs more from both. A longer interval is therefore recommended when there are many users (1000 or more). The following table lists the recommended interval by number of users.
Table 2-4 Number of users and recommended interval

Number of users | Real-time accounting interval (in minutes)
---|---
1 – 99 | 3
100 – 499 | 6
500 – 999 | 12
≥1000 | ≥15
Example
# Set the real-time accounting interval of the HWTACACS scheme test to 51 minutes.
[H3C-hwtacacs-test] timer realtime-accounting 51
2.3.20 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS view
Parameter
seconds: TACACS server response timeout time, which is in the range of 1 to 300 seconds and defaults to 5 seconds.
Description
Use the timer response-timeout command to set the TACACS server response timeout time.
Use the undo timer response-timeout command to restore the default setting.
& Note:
Because HWTACACS runs over TCP, a server response timeout or a TCP timeout may close the connection to the TACACS server.
Related command: display hwtacacs.
Example
# Set the TACACS server response timeout time to 30 seconds.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer response-timeout 30
2.3.21 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS view
Parameter
with-domain: Specifies that the domain name is taken along with the username that will be sent to the TACACS server.
without-domain: Specifies that no domain name is taken along with the username that will be sent to the TACACS server.
Description
Use the user-name-format command to set the format of the usernames sent to the TACACS server.
By default, a username sent to a TACACS server by an HWTACACS scheme carries the domain name.
Usernames are usually in the “userid@isp-name” format, where the part following “@” is the ISP domain name; the switch uses it to assign users to ISP domains. Some earlier TACACS servers do not accept usernames with a domain name, in which case the domain name must be removed before the username is sent to the server.
& Note:
When an HWTACACS scheme is configured to send usernames without the ISP domain name, do not reference that scheme from two or more ISP domains at the same time; otherwise the TACACS server treats users in different ISP domains who have the same userid as one user.
Related command: hwtacacs scheme.
Example
# Specify that usernames sent out with the HWTACACS scheme test do not carry the domain name.
[H3C-hwtacacs-test] user-name-format without-domain
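The note above, and the same note under the RADIUS user-name-format command (2.2.29), describe an identity collision: once the domain is stripped, alice in one ISP domain and alice in another reach the server as the same account. The Python below, an added example rather than H3C code, shows what the NAS sends under each format and finds such collisions for a scheme referenced from several domains. It assumes that the ISP domain is everything after the first “@” (the manual only says "the part following @") and that a name with no “@” falls into a caller-supplied default domain; the user lists are constructed.

```python
# Username handling for user-name-format (RADIUS 2.2.29 and HWTACACS 2.3.21).
# Added example, not H3C code. Assumptions: the ISP domain is the part after
# the first "@", and a name with no "@" uses a caller-supplied default domain.
from typing import Dict, Iterable, Set, Tuple

FORMATS = ("with-domain", "without-domain")


def split_username(name: str, default_domain: str) -> Tuple[str, str]:
    """userid@isp-name -> (userid, isp-name); a name with no "@" -> default domain."""
    userid, sep, domain = name.partition("@")
    return userid, (domain if sep else default_domain)


def name_sent_to_server(name: str, scheme_format: str, default_domain: str = "default") -> str:
    """What the NAS puts in the request to the RADIUS/TACACS server."""
    if scheme_format not in FORMATS:
        raise ValueError(f"unknown user-name-format {scheme_format!r}")
    userid, domain = split_username(name, default_domain)
    return userid if scheme_format == "without-domain" else f"{userid}@{domain}"


def colliding_names(scheme_format: str, users_by_domain: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """For a scheme referenced by several ISP domains, return the names the
    server receives from more than one domain, mapped to those domains.
    These are the users the manual's note warns about: the server sees one account."""
    seen: Dict[str, Set[str]] = {}
    for domain, users in users_by_domain.items():
        for userid in users:
            sent = name_sent_to_server(f"{userid}@{domain}", scheme_format)
            seen.setdefault(sent, set()).add(domain)
    return {sent: domains for sent, domains in seen.items() if len(domains) > 1}


def scheme_binding_is_safe(scheme_format: str, bound_domains: Iterable[str]) -> bool:
    """The configuration rule from the note: a without-domain scheme may be
    referenced by at most one ISP domain."""
    return scheme_format == "with-domain" or len(set(bound_domains)) <= 1
```

scheme_binding_is_safe is the check to run over a configuration before deployment; colliding_names tells you, for an existing deployment, which accounts are already being merged and therefore which users could be authenticated against another domain's credentials.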