H3C S9500 Command Manual-Release2132[V2.03]-07 Security Volume

02-AAA RADIUS HWTACACS Commands

Table of Contents

Chapter 1 AAA/RADIUS/HWTACACS Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
1.1.2 accounting default
1.1.3 accounting lan-access
1.1.4 accounting login
1.1.5 accounting optional
1.1.6 accounting portal
1.1.7 accounting ppp
1.1.8 attribute
1.1.9 authentication default
1.1.10 authentication lan-access
1.1.11 authentication login
1.1.12 authentication portal
1.1.13 authentication ppp
1.1.14 authorization command
1.1.15 authorization default
1.1.16 authorization lan-access
1.1.17 authorization login
1.1.18 authorization portal
1.1.19 authorization ppp
1.1.20 cut connection
1.1.21 display connection
1.1.22 display domain
1.1.23 display local-user
1.1.24 domain
1.1.25 domain default
1.1.26 idle-cut
1.1.27 ip pool
1.1.28 level
1.1.29 local-user
1.1.30 local-user password-display-mode
1.1.31 password
1.1.32 self-service-url
1.1.33 service-type
1.1.34 service-type ftp
1.1.35 service-type ppp
1.1.36 state
1.1.37 work-directory
1.2 RADIUS Configuration Commands
1.2.1 data-flow-format (RADIUS scheme view)
1.2.2 debugging radius packet
1.2.3 display local-server statistics
1.2.4 display radius
1.2.5 display radius statistics
1.2.6 display stop-accounting-buffer
1.2.7 key (RADIUS scheme view)
1.2.8 local-server
1.2.9 nas-ip (RADIUS scheme view)
1.2.10 primary accounting (RADIUS scheme view)
1.2.11 primary authentication (RADIUS scheme view)
1.2.12 radius nas-ip
1.2.13 radius scheme
1.2.14 radius trap
1.2.15 reset local-server statistics
1.2.16 reset radius statistics
1.2.17 reset stop-accounting-buffer
1.2.18 retry
1.2.19 retry realtime-accounting
1.2.20 retry stop-accounting (RADIUS scheme view)
1.2.21 secondary accounting (RADIUS scheme view)
1.2.22 secondary authentication (RADIUS scheme view)
1.2.23 server-type
1.2.24 state
1.2.25 stop-accounting-buffer enable (RADIUS scheme view)
1.2.26 timer quiet (RADIUS scheme view)
1.2.27 timer realtime-accounting (RADIUS scheme view)
1.2.28 timer response-timeout (RADIUS scheme view)
1.2.29 user-name-format (RADIUS scheme view)
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format (HWTACACS scheme view)
1.3.2 debugging hwtacacs
1.3.3 display hwtacacs
1.3.4 display stop-accounting-buffer
1.3.5 hwtacacs nas-ip
1.3.6 hwtacacs scheme
1.3.7 key (HWTACACS scheme view)
1.3.8 nas-ip (HWTACACS scheme view)
1.3.9 primary accounting (HWTACACS scheme view)
1.3.10 primary authentication (HWTACACS scheme view)
1.3.11 primary authorization
1.3.12 reset hwtacacs statistics
1.3.13 reset stop-accounting-buffer
1.3.14 retry stop-accounting (HWTACACS scheme view)
1.3.15 secondary accounting (HWTACACS scheme view)
1.3.16 secondary authentication (HWTACACS scheme view)
1.3.17 secondary authorization
1.3.18 stop-accounting-buffer enable (HWTACACS scheme view)
1.3.19 timer quiet (HWTACACS scheme view)
1.3.20 timer realtime-accounting (HWTACACS scheme view)
1.3.21 timer response-timeout (HWTACACS scheme view)
1.3.22 user-name-format (HWTACACS scheme view)


Chapter 1  AAA/RADIUS/HWTACACS Configuration Commands

1.1  AAA Configuration Commands

1.1.1  access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Default Level

2: System level

Parameters

disable: Specifies that the system does not limit the number of users in the current ISP domain.

enable max-user-number: Specifies that the system limits the number of users in the current ISP domain. The maximum number ranges from 1 to 2048.

Description

Use the access-limit enable command to set the maximum number of users allowed by an ISP domain.

Use the undo access-limit or access-limit disable command to remove the limitation.

By default, there is no limit on the number of supplicants in an ISP domain.

Because supplicants compete for network resources, setting a suitable limit on the number of users helps keep system performance reliable.

Examples

# Set a limit of 500 supplicants for ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] access-limit enable 500

1.1.2  accounting default

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting default command to configure the default accounting method for all types of users.

Use the undo accounting default command to restore the default.

By default, the accounting method is local.

Note that:

• The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

• The accounting method specified with the accounting default command applies to all types of users and has a lower priority than the method configured for a specific access mode.

• Local accounting only manages the number of local user connections; it does not provide statistics. This connection-number management applies only to local accounting and does not affect local authentication and authorization.

• With the login access mode, accounting is not supported for FTP services.

Related commands: authentication default, authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local accounting for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for all types of users and to use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default radius-scheme rd local

# Configure the default ISP domain system to use the default accounting method for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo accounting default

1.1.3  accounting lan-access

Syntax

accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting lan-access command to configure the accounting method for LAN users.

Use the undo accounting lan-access command to restore the default.

By default, the default accounting method is used for LAN users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default.

Examples

# Configure the default ISP domain system to use local accounting for LAN users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for LAN users and to use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access radius-scheme rd local

# Configure the default ISP domain system to remove the configured accounting method for LAN users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo accounting lan-access

1.1.4  accounting login

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the accounting login command to configure the accounting method for login users.

Use the undo accounting login command to restore the default.

By default, the default accounting method is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local accounting for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for login users and to use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login radius-scheme rd local

# Configure the default ISP domain system to remove the configured accounting method for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo accounting login

1.1.5  accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Default Level

2: System level

Parameters

None

Description

Use the accounting optional command to enable the accounting optional feature.

Use the undo accounting optional command to disable the feature.

By default, the feature is disabled.

Note that:

• With the accounting optional command configured, a user that would otherwise be disconnected can still use network resources when no accounting server is available or communication with the current accounting server fails. This command is normally used when authentication is required but accounting is not.

• If you configure the accounting optional command for a domain, the device no longer sends real-time accounting updates or stop-accounting requests for users of that domain.

Examples

# Enable the accounting optional feature for users in domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] accounting optional

1.1.6  accounting portal

Syntax

accounting portal { none | radius-scheme radius-scheme-name }

undo accounting portal

View

ISP domain view

Default Level

2: System level

Parameters

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting portal command to configure the accounting method for portal users.

Use the undo accounting portal command to restore the default.

By default, the default accounting method is used for portal users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use RADIUS accounting scheme rd for portal users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting portal radius-scheme rd

1.1.7  accounting ppp

Syntax

accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting ppp

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the accounting ppp command to configure the accounting method for PPP users.

Use the undo accounting ppp command to restore the default.

By default, the default accounting method is used for PPP users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local accounting for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting ppp local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for PPP users and to use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting ppp radius-scheme rd local

# Configure the default ISP domain system to remove the configured accounting method for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo accounting ppp

1.1.8  attribute

Syntax

attribute { access-limit max-user-number | idle-cut minute | ip ip-address | location { nas-ip ip-address port slot-number subslot-number port-number | port slot-number subslot-number port-number } | mac mac-address | vlan vlan-id } *

undo attribute { access-limit | idle-cut | ip | location | mac | vlan } *

View

Local user view

Default Level

2: System level

Parameters

access-limit max-user-number: Specifies the maximum number of concurrent users that can log in using the current username, which ranges from 1 to 1024.

idle-cut minute: Configures the idle cut function. The idle cut period ranges from 1 to 120, in minutes.

ip ip-address: Specifies the IP address of the user. The attribute ip command applies only to authentication types that support IP address passing, such as 802.1x. If you configure it for an authentication type that does not support IP address passing, such as MAC address authentication, local authentication will fail.

location: Specifies the port binding attribute of the user.

nas-ip ip-address: Specifies the IP address of the port of the remote access server bound by the user. ip-address specifies an IP address in dotted decimal notation. The default is 127.0.0.1, that is, the device itself. This keyword and argument combination is required only when the user is bound to a remote port.

port slot-number subslot-number port-number: Specifies the port to which the user is bound. slot-number and subslot-number each range from 0 to 15; port-number ranges from 0 to 255. The bound port is identified by port number alone, regardless of port type.

mac mac-address: Specifies the MAC address of the user in the format of H-H-H.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is an integer in the range 1 to 4094.

Description

Use the attribute command to set some of the attributes for a LAN user.

Use the undo attribute command to remove the configuration.

The idle-cut command in user interface view applies to LAN users only.

Related commands: display local-user.

Examples

# Set the IP address of user user1 to 10.110.50.1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] attribute ip 10.110.50.1
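An added configuration example, not from the manual, that binds a local LAN user to a port, VLAN and MAC address and caps its concurrent sessions. The user name lab01, its password, port 2 0 1, VLAN 100, the MAC address and the nas-ip address are constructed values; the password and service-type lines follow sections 1.1.31 and 1.1.33, which are not reproduced above.

```text
# Added example, not from the manual. Constructed values: user lab01, its
# password, port 2 0 1 (slot 2, subslot 0, port 1), VLAN 100, the MAC address
# and the nas-ip address. The password and service-type lines follow sections
# 1.1.31 and 1.1.33, which are not shown on this page.
<Sysname> system-view
[Sysname] local-user lab01
[Sysname-luser-lab01] password cipher Lab01-Secret
[Sysname-luser-lab01] service-type lan-access
# Bind the account to one local port, one VLAN and one MAC address (H-H-H
# format), allow a single concurrent session and cut it after 30 idle minutes.
[Sysname-luser-lab01] attribute location port 2 0 1 vlan 100 mac 00e0-fc01-0203 access-limit 1 idle-cut 30
# Alternative for a port on a remote access server: nas-ip is required only in
# this case. It replaces the location binding above; do not combine the two.
[Sysname-luser-lab01] attribute location nas-ip 10.1.1.2 port 3 0 4
# Drop only the MAC binding; the other attributes stay in place.
[Sysname-luser-lab01] undo attribute mac
# Check the resulting attributes (display local-user, section 1.1.23).
[Sysname-luser-lab01] display local-user
```

The attribute ip keyword is deliberately not used: the manual notes it works only with authentication types that pass the IP address, such as 802.1x, and makes local authentication fail for MAC address authentication.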

1.1.9  authentication default

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authentication default command to configure the authentication method for all types of users.

Use the undo authentication default command to restore the default for all types of users.

By default, the authentication method is local.

Note that:

• The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

• The authentication method specified with the authentication default command applies to all types of users and has a lower priority than the method configured for a specific access mode.

Related commands: authorization default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for all types of users and to use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default radius-scheme rd local

# Configure the default ISP domain system to use the default authentication method for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authentication default

1.1.10  authentication lan-access

Syntax

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authentication lan-access command to configure the authentication method for LAN users.

Use the undo authentication lan-access command to restore the default.

By default, the default authentication method is used for LAN users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for LAN users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for LAN users and to use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access radius-scheme rd local

# Configure the default ISP domain system to remove the configured authentication method for LAN users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authentication lan-access

1.1.11  authentication login

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authentication login command to configure the authentication method for login users.

Use the undo authentication login command to restore the default.

By default, the default authentication method is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for login users and to use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login radius-scheme rd local

# Configure the default ISP domain system to remove the configured authentication method for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authentication login

1.1.12  authentication portal

Syntax

authentication portal { none | radius-scheme radius-scheme-name }

undo authentication portal

View

ISP domain view

Default Level

2: System level

Parameters

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authentication portal command to configure the authentication method for portal users.

Use the undo authentication portal command to restore the default.

By default, the default authentication method is used for portal users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use RADIUS authentication scheme rd for portal users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication portal radius-scheme rd

1.1.13  authentication ppp

Syntax

authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication ppp

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authentication ppp command to configure the authentication method for PPP users.

Use the undo authentication ppp command to restore the default.

By default, the default authentication method is used for PPP users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication ppp local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for PPP users and to use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication ppp radius-scheme rd local

# Configure the default ISP domain system to remove the configured authentication method for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authentication ppp

1.1.14  authorization command

Syntax

authorization command hwtacacs-scheme hwtacacs-scheme-name

undo authorization command

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization command command to specify the authorization scheme for command line users.

Use the undo authorization command command to restore the default.

By default, the default authorization method is used for command line users.

Note that the HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, hwtacacs scheme.

Examples

# Configure the default ISP domain system to use HWTACACS authorization scheme hw for command line users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization command hwtacacs-scheme hw

1.1.15  authorization default

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authorization default command to configure the authorization method for all types of users.

Use the undo authorization default command to restore the default for all types of users.

By default, the authorization method for all types of users is local.

Note that:

• The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

• The authorization method specified with the authorization default command applies to all types of users and has a lower priority than the method configured for a specific access mode.

• RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

Related commands: authentication default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for all types of users and to use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default radius-scheme rd local

# Configure the default ISP domain system to use the default authorization method for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authorization default
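Putting the domain-wide and per-access-mode methods of the preceding sections together, as an added configuration example that is not from the manual: login users of the default domain are authenticated, authorized and accounted by HWTACACS scheme hw with local as the backup, command line users get per-command authorization on the same scheme, and LAN users use RADIUS scheme rd with authentication and authorization deliberately paired. Schemes hw and rd are assumed to exist already (configured with the scheme commands of sections 1.3 and 1.2, not shown here); the limit of 64 users is a constructed value.

```text
# Added example, not from the manual. Assumed: HWTACACS scheme hw and RADIUS
# scheme rd already exist (scheme commands of sections 1.3 and 1.2, not shown
# here); the limit of 64 users is a constructed value.
<Sysname> system-view
[Sysname] domain system
# Domain-wide fallback methods: used for any access type that has no method of
# its own. They have a lower priority than the per-access-mode commands below.
[Sysname-isp-system] authentication default local
[Sysname-isp-system] authorization default local
[Sysname-isp-system] accounting default local
# Login users: HWTACACS scheme hw, with local as the backup.
[Sysname-isp-system] authentication login hwtacacs-scheme hw local
[Sysname-isp-system] authorization login hwtacacs-scheme hw local
[Sysname-isp-system] accounting login hwtacacs-scheme hw local
# Per-command authorization for command line users on the same scheme. This
# command accepts an HWTACACS scheme only; it has no local backup option.
[Sysname-isp-system] authorization command hwtacacs-scheme hw
# LAN users: RADIUS scheme rd. RADIUS authorization takes effect only when the
# authorization scheme is the same as the authentication scheme, so both name rd.
[Sysname-isp-system] authentication lan-access radius-scheme rd local
[Sysname-isp-system] authorization lan-access radius-scheme rd local
[Sysname-isp-system] accounting lan-access radius-scheme rd local
# Cap concurrent users in the domain (1 to 2048).
[Sysname-isp-system] access-limit enable 64
# accounting optional is deliberately left unset: once configured, the device
# stops sending real-time accounting updates and stop-accounting requests for
# users of this domain.
```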

1.1.16  authorization lan-access

Syntax

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authorization lan-access command to configure the authorization method for LAN users.

Use the undo authorization lan-access command to restore the default.

By default, the default authorization method is used for LAN users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for LAN users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization lan-access local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for LAN users and to use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization lan-access radius-scheme rd local

# Configure the default ISP domain system to remove the configured authorization method for LAN users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authorization lan-access

1.1.17  authorization login

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authorization login command to configure the authorization method for login users.

Use the undo authorization login command to restore the default.

By default, the default authorization method is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local authorization scheme for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for login users and to use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login radius-scheme rd local

# Configure the default ISP domain system to remove the configured authorization method for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authorization login

1.1.18  authorization portal

Syntax

authorization portal { none | radius-scheme radius-scheme-name }

undo authorization portal

View

ISP domain view

Default Level

2: System level

Parameters

none: Makes no authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authorization portal command to configure the authorization method for portal users.

Use the undo authorization portal command to restore the default.

By default, the default authorization method is used for portal users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use RADIUS authorization scheme rd for portal users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization portal radius-scheme rd

1.1.19  authorization ppp

Syntax

authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization ppp

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme name, which is a string of 1 to 32 characters.

Description

Use the authorization ppp command to configure the authorization method for PPP users.

Use the undo authorization ppp command to restore the default.

By default, the default authorization method is used for PPP users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization ppp local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for PPP users and to use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization ppp radius-scheme rd local

# Configure the default ISP domain system to restore the default.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] undo authorization ppp

1.1.20  cut connection

Syntax

cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]

View

System view

Default Level

2: System level

Parameters

access-type { dot1x | mac-authentication | portal }: Specifies user connections according to the type of access. dot1x specifies all 802.1x user connections, mac-authentication specifies all MAC authentication user connections, and portal specifies all Portal authentication user connections.

all: Specifies all user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.

interface interface-type interface-number: Specifies all user connections of an interface.

ip ip-address: Specifies all user connections of an IP address specified by ip-address.

mac mac-address: Specifies the user connection of a MAC address specified by mac-address. The MAC address must be in the format of H-H-H.

ucibindex ucib-index: Specifies a user connection by connection index.

user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters.

vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.

slot slot-number: Specifies a connection on a slot.

Description

Use the cut connection command to tear down the specified connections forcibly.

This command takes effect only on LAN access users (service type lan-access). You cannot cut the connections of Telnet, FTP, and SSH users with this command.

Related commands: display connection, service-type.

Examples

# Tear down all connections in ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] cut connection domain aabbcc.net

1.1.21  display connection

Syntax

display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

access-type { dot1x | mac-authentication | portal }: Specifies user connections by access type. dot1x specifies all 802.1x user connections, mac-authentication specifies all MAC authentication user connections, and portal specifies all Portal authentication user connections.

domain isp-name: Specifies user connections by ISP domain. isp-name specifies an ISP domain name and is a string of 1 to 24 characters. The specified ISP domain must already exist.

interface interface-type interface-number: Specifies user connections by interface number.

ip ip-address: Specifies user connections by IP address.

mac mac-address: Specifies user connections by MAC address. The MAC address must be in the format of H-H-H.

ucibindex ucib-index: Specifies user connections by connection index.

user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters.

vlan vlan-id: Specifies user connections by VLAN ID. The VLAN ID ranges from 1 to 4094.

slot slot-number: Specifies user connections by slot number.

Description

Use the display connection command to display information about specified or all AAA user connections.

If no parameters are specified in the command, the system displays the information about all AAA user connections.

This command does not apply to FTP user connections.

Related commands: cut connection.

Examples

# Display information about all AAA user connections.

<Sysname> display connection

Total 0 connection matched.

1.1.22  display domain

Syntax

display domain [ isp-name ]

View

Any view

Default Level

1: Monitor level

Parameters

isp-name: Name of an ISP domain, a string of 1 to 24 characters. The specified ISP domain must already exist.

Description

Use the display domain command to display the configuration information of a specified ISP domain.

By default, the system displays the configuration information about all ISP domains if no ISP domain is specified.

Related commands: access-limit, domain, state.

Examples

# Display the configuration information of all ISP domains.

<Sysname> display domain

0  Domain = aabbcc

   State = Active

   Access-limit = Disable

   Accounting method = Required

   Default authentication scheme      : local

   Default authorization scheme       : local

   Default accounting scheme          : local

   Lan-access authentication scheme   : radius=test, local

   Lan-access authorization scheme    : hwtacacs=hw, local

   Lan-access accounting scheme       : local

   Domain User Template:

   Idle-cut = Disable

   Self-service = Disable

 

1  Domain = system

   State = Active

   Access-limit = Disable

   Accounting method = Required

   Default authentication scheme      : local

   Default authorization scheme       : local

   Default accounting scheme          : local

   Domain User Template:

   Idle-cut = Disable

   Self-service = Disable

 

Default Domain Name: system

Total 2 domain(s)

Table 1-1 Description on the fields of the display domain command

| Field | Description |
| --- | --- |
| Domain | Domain name |
| State | Status of the domain |
| Default authentication scheme | Default authentication method |
| Default authorization scheme | Default authorization method |
| Default accounting scheme | Default accounting method |
| Lan-access authentication scheme | Authentication method for LAN users |
| Lan-access authorization scheme | Authorization method for LAN users |
| Lan-access accounting scheme | Accounting method for LAN users |
| Domain User Template | Template for users in the domain |
| Idle-cut | Whether idle cut is enabled |
| Self-service | Whether self service is enabled |
| Default Domain Name | Name of the default ISP domain |
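The display domain output above is plain text, so an auditor who wants to check every domain's AAA method chains (for example, which access types fall back to local authentication or authorization after a RADIUS or HWTACACS scheme, or which use none) has to parse it first. The following Python script is an added example and is not part of this manual or of H3C's software; the function names are my own, and its input is the sample output printed above:

```python
"""Parse the output of display domain and flag AAA method chains worth review.
Added example, not H3C code: function names are my own; the sample output is
the one printed in the display domain section of this reference."""
from __future__ import annotations

import re

SAMPLE_DISPLAY_DOMAIN = """\
0  Domain = aabbcc
   State = Active
   Access-limit = Disable
   Accounting method = Required
   Default authentication scheme      : local
   Default authorization scheme       : local
   Default accounting scheme          : local
   Lan-access authentication scheme   : radius=test, local
   Lan-access authorization scheme    : hwtacacs=hw, local
   Lan-access accounting scheme       : local
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable

1  Domain = system
   State = Active
   Access-limit = Disable
   Accounting method = Required
   Default authentication scheme      : local
   Default authorization scheme       : local
   Default accounting scheme          : local
   Domain User Template:
   Idle-cut = Disable
   Self-service = Disable

Default Domain Name: system
Total 2 domain(s)
"""

# "0  Domain = aabbcc": an index, whitespace, then the domain name.
DOMAIN_HEADER = re.compile(r"^\d+\s+Domain = (\S+)$")


def parse_display_domain(text: str) -> dict:
    """Return {"domains": {name: {field: value}}, "default_domain": name}.

    Scheme lines use ':' as separator and may contain '=' inside the value
    ("radius=test"), so ':' is tried before ' = '.
    """
    result: dict = {"domains": {}, "default_domain": None}
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = DOMAIN_HEADER.match(line)
        if header:
            current = {}
            result["domains"][header.group(1)] = current
            continue
        if line.startswith("Default Domain Name:"):
            result["default_domain"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Total ") or current is None:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
        elif " = " in line:
            key, _, value = line.partition(" = ")
        else:
            continue
        key, value = key.strip(), value.strip()
        if value:  # "Domain User Template:" is a heading with no value
            current[key] = value
    return result


def parse_method_chain(value: str) -> list[tuple[str, str | None]]:
    """Turn 'radius=test, local' into [('radius', 'test'), ('local', None)]."""
    chain: list[tuple[str, str | None]] = []
    for item in value.split(","):
        item = item.strip()
        if item:
            kind, _, scheme = item.partition("=")
            chain.append((kind, scheme or None))
    return chain


def audit_domains(parsed: dict) -> list[str]:
    """One finding per method chain that uses none or falls back to local."""
    findings: list[str] = []
    for name, fields in parsed["domains"].items():
        for field, value in fields.items():
            if not field.endswith("scheme"):
                continue
            chain = parse_method_chain(value)
            kinds = [kind for kind, _ in chain]
            if "none" in kinds:
                findings.append(f"{name}: {field} uses none")
            if len(chain) > 1 and kinds[-1] == "local":
                first_kind, first_scheme = chain[0]
                findings.append(
                    f"{name}: {field} falls back to local after {first_kind}={first_scheme}")
    return findings


if __name__ == "__main__":
    for finding in audit_domains(parse_display_domain(SAMPLE_DISPLAY_DOMAIN)):
        print(finding)
```

Run against the sample, the audit reports the two lan-access chains of domain aabbcc that fall back to local after their RADIUS and HWTACACS schemes; whether that fallback is acceptable is a policy question, but it should at least be a known decision rather than a surprise when the server is unreachable.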

 

1.1.23  display local-user

Syntax

display local-user [ domain isp-name | idle-cut { disable | enable } | service-type { ftp | lan-access | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

domain isp-name: Specifies local users by ISP domain. isp-name specifies an ISP domain name, which is a case-insensitive string of 1 to 24 characters. The specified ISP domain must already exist.

idle-cut { disable | enable }: Specifies local users with the idle-cut function disabled or enabled.

disable indicates that users are not allowed to enable idle-cut, and enable indicates that users are allowed to enable idle-cut.

service-type: Specifies local users by service type. ftp refers to users using FTP; lan-access refers to users accessing the network through an Ethernet interface, such as 802.1x users; pad refers to users using X.25 PAD; ppp refers to users using PPP; ssh refers to users using SSH; telnet refers to users using Telnet; terminal refers to users logging in through the console port, AUX port, or Asyn port.

state { active | block }: Specifies local users by state. A local user in the active state can access network services, while a local user in the block state cannot.

user-name user-name: Specifies a local user by username. The username is a case-sensitive string of 1 to 80 characters.

vlan vlan-id: Specifies local users by VLAN ID. The VLAN ID ranges from 1 to 4094.

slot slot-number: Specifies local users by slot number.

Description

Use the display local-user command to display information about specified or all local users.

Related commands: local-user.

Examples

# Display the information on the local user named "abc" on the interface card of Slot 1.

<Sysname> display local-user user-name abc slot 1

Slot:  1

The contents of local user abc:

 State:                    Active

 ServiceType:              lan-access

 Idle-cut:                 Disable

 Access-limit:             Enable           Current AccessNum: 0

 Bind location:            2.2.2.2/3/2/255 (NAS/SLOT/SUBSLOT/PORT)

 Vlan ID:                  Disable

 IP address:               Disable

 MAC address:              Disable

 Password-Aging:           Enable(90 day(s))

 Password-Length:          Enable(10 characters)

 Password-Composition:     Enable(1 type(s),  1 character(s) per type)

Total 1 local user(s) matched.

Table 1-2 Description on the fields of display local-user (for centralized device)

| Field | Description |
| --- | --- |
| Slot | Slot number |
| State | Status of the local user, active or block |
| ServiceType | Service types that the user can use (ftp, lan-access, pad, ssh, telnet, terminal) |
| Idle-cut | Whether idle cut is enabled |
| Access-limit | Accessing user connection limit |
| Current AccessNum | Number of users currently accessing network services |
| Bind location | Whether bound with a port |
| VLAN ID | VLAN to which the user belongs |
| IP address | IP address of the user |
| MAC address | MAC address of the user |
| Password-Aging | Aging time of the local user password |
| Password-Length | Minimum length of the local user password |
| Password-Composition | Password composition policy of the local user |
| Total 1 local user(s) matched | 1 local user in total |

 

1.1.24  domain

Syntax

domain isp-name

undo domain isp-name

View

System view

Default Level

3: Manage level

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.

Description

Use the domain isp-name command to create an ISP domain or enter ISP domain view.

Use the domain default command to specify the default ISP domain and enter ISP domain view.

Use the undo domain command to remove an ISP domain.

By default, the system has a built-in ISP domain named system. You can view its settings by executing the display domain command.

If the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

Related commands: state, display domain.

Examples

# Create ISP domain aabbcc.net, and enter ISP domain view.

<Sysname> system-view

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net]

1.1.25  domain default

Syntax

domain default { disable | enable isp-name }

View

System view

Default Level

3: Manage level

Parameters

disable: Restores the specified default ISP domain to a non-default one.

enable: Enables the configured default ISP domain.

isp-name: Name of the ISP, a string of 1 to 24 characters.

Description

Use the domain default command to manually configure the system default ISP domain.

By default, the default domain is named system.

Note that:

• There must be only one default ISP domain.

• When configuring a default domain, the domain must already exist.

• The configured default domain cannot be deleted unless you first cancel it as the default domain.

Related commands: state, display domain.

Examples

# Create a new ISP domain named aabbcc.net, and configure it as the default ISP domain.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] quit

[Sysname] domain default enable aabbcc.net

1.1.26  idle-cut

Syntax

idle-cut { disable | enable minute }

View

ISP domain view

Default Level

2: System level

Parameters

disable: Disables the idle cut function.

enable: Enables the idle cut function.

minute: Allowed idle duration in minutes, in the range 1 to 120.

Description

Use the idle-cut command to enable or disable the idle cut function.

By default, the function is disabled.

Related commands: domain.

Examples

# Enable the idle cut function and set the idle threshold to 50 minutes for ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] idle-cut enable 50

1.1.27  ip pool

Syntax

ip pool pool-number low-ip-address [ high-ip-address ]

undo ip pool pool-number

View

System view/ISP domain view

Default Level

2: System level

Parameters

pool-number: Address pool number, in the range 0 to 99.

low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there will be only one IP address in the pool, namely the start IP address.

Description

Use the ip pool command to configure an address pool for assigning addresses to PPP users.

Use the undo ip pool command to delete an address pool.

By default, no IP address pool is configured for PPP users.

• Configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.

• You can also configure an IP address pool in ISP domain view for assigning IP addresses to the PPP users in the ISP domain. This applies to the scenario where an interface serves a large number of PPP users but the address resources are inadequate. For example, an Ethernet interface running PPPoE can accommodate up to 4096 users, but only one address pool with up to 1024 addresses can be configured on its virtual template (VT), which is far from enough. To address the issue, you can configure address pools for ISP domains and assign addresses from them to PPP users by domain.

Examples

# Configure the IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] ip pool 0 129.102.0.1 129.102.0.10

1.1.28  level

Syntax

level level

undo level

View

Local user view

Default Level

2: System level

Parameters

level: Priority level for the user, which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower priority.

Description

Use the level command to set the priority level of a user.

Use the undo level command to restore the default.

By default, the user priority is 0.

Note that:

• If you specify not to perform authentication or use password authentication, the level of the commands that a user can use after logging in depends on the priority of the user interface. For details about the authentication, refer to command authentication-mode in User Interface Commands of the System Volume.

• If you specify an authentication method that requires the username and password, the level of the commands that a user can use after logging in depends on the priority of the user. For an SSH user using RSA public key authentication, the commands that can be used depend on the level configured on the user interface.

Related commands: local-user.

Examples

# Set the level of user user1 to 3.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] level 3

1.1.29  local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { ftp | lan-access | ppp | ssh | telnet | terminal } ] }

View

System view

Default Level

3: Manage level

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 80 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), and greater-than sign (>). In addition, the @ sign can be used only once in one username, and the username part before the @ sign (that is, the user ID) cannot be more than 55 characters. Note that a username cannot be a, al, or all.

all: Specifies all users.

service-type: Specifies the type of users. ftp specifies FTP users, lan-access specifies LAN users (Ethernet users mainly, like 802.1x users), ppp specifies PPP users, ssh specifies SSH users, telnet specifies Telnet users, and terminal specifies terminal users that gain access through the Console port, AUX port or Asyn port.

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to remove the specified local users.

By default, no local user is configured.

Related commands: display local-user, service-type.

Examples

# Add a local user named user1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1]
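The name rules for the domain command (1.1.24) and the local-user command (1.1.29) above are easy to get wrong in scripted provisioning, and a name the switch rejects is only discovered when the script fails halfway through. The following Python validator is an added example, not part of this manual or of H3C's software; the function names are my own, and the rules it enforces are exactly those stated in the two parameter descriptions:

```python
"""Validate ISP domain names and local-user names against the rules this
reference states for the domain and local-user commands. Added example, not
H3C code; the function names are my own."""
from __future__ import annotations

# domain isp-name: 1 to 24 characters, none of / : * ? < > @
DOMAIN_FORBIDDEN = set("/:*?<>@")
# local-user user-name: 1 to 80 characters, none of / : * ? < >
USER_FORBIDDEN = set("/:*?<>")
# a, al and all are rejected as user names (they collide with "all" in undo local-user)
RESERVED_USERNAMES = {"a", "al", "all"}


def check_domain_name(name: str) -> list[str]:
    """Return the rule violations for an ISP domain name (empty list = valid)."""
    problems: list[str] = []
    if not 1 <= len(name) <= 24:
        problems.append(f"length {len(name)} is outside 1..24")
    bad = sorted(DOMAIN_FORBIDDEN.intersection(name))
    if bad:
        problems.append("forbidden character(s): " + " ".join(bad))
    return problems


def canonical_domain_name(name: str) -> str:
    """Domain names are case-insensitive, so compare them in one case."""
    return name.lower()


def check_local_user_name(name: str) -> list[str]:
    """Return the rule violations for a local-user name (empty list = valid).

    User names are case-sensitive; the @ sign may appear at most once and the
    user ID before it is limited to 55 characters.
    """
    problems: list[str] = []
    if not 1 <= len(name) <= 80:
        problems.append(f"length {len(name)} is outside 1..80")
    bad = sorted(USER_FORBIDDEN.intersection(name))
    if bad:
        problems.append("forbidden character(s): " + " ".join(bad))
    if name.count("@") > 1:
        problems.append("more than one @")
    user_id = name.split("@", 1)[0]
    if len(user_id) > 55:
        problems.append(f"user ID before @ is {len(user_id)} characters, limit is 55")
    if name in RESERVED_USERNAMES:
        problems.append(f"{name!r} is reserved")
    return problems


if __name__ == "__main__":
    for candidate in ("aabbcc.net", "bad@domain", "a" * 25):
        print("domain", candidate, check_domain_name(candidate) or "ok")
    for candidate in ("user1", "user1@aabbcc.net", "all", "a@b@c", "x" * 56 + "@d"):
        print("local-user", candidate, check_local_user_name(candidate) or "ok")
```

The reserved-name check is an exact match, as the parameter description lists the three names; whether the switch also rejects other capitalisations is not stated in this reference, so the validator does not assume it.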

1.1.30  local-user password-display-mode

Syntax

local-user password-display-mode { auto | cipher-force }

undo local-user password-display-mode

View

System view

Default Level

2: System level

Parameters

auto: Displays the password of each local user in the mode configured for that user with the password command.

cipher-force: Displays the passwords of all users in cipher text.

Description

Use the local-user password-display-mode command to set the password display mode for all local users.

Use the undo local-user password-display-mode command to restore the default.

The default mode is auto.

With the cipher-force mode, the password of any local user is always displayed in cipher text, even if you specify in the password command to display the password in simple text.

Related commands: display local-user, password.

Examples

# Specify to display the passwords of all users in cipher text.

[Sysname] local-user password-display-mode cipher-force

1.1.31  password

Syntax

password [ cipher | simple ] password

undo password

View

Local user view

Default Level

2: System level

Parameters

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in simple text.

password: Password for the local user.

• In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.

• In cipher text, it must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

• With the simple keyword, you must specify the password in simple text. With the cipher keyword, you can specify the password in either simple or cipher text.

Description

Use the password command to configure a password for a local user.

Use the undo password command to delete the password of a local user.

By default, the password of a user is displayed in simple text.

Note that:

• With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.

• With the cipher keyword specified, a password of up to 16 characters in simple text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in simple text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt it, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text. For a password of 88 characters, if the system can decrypt it, the system treats it as a password in cipher text. Otherwise, the system gives an error prompt.

Related commands: display local-user.

Examples

# Set the password of user1 to 20030422 and specify to display the password in plain text.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] password simple 20030422

1.1.32  self-service-url

Syntax

self-service-url { disable | enable url-string }

undo self-service-url

View

ISP domain view

Default Level

2: System level

Parameters

disable: Disables the self-service server localization function.

enable url-string: Enables the self-service server localization function. The url-string argument refers to the URL of the self-service server for changing user passwords. The URL is a string of 1 to 64 characters that starts with http:// and cannot contain any question mark.

Description

Use the self-service-url enable command to enable the self-service server localization function.

Use the self-service-url disable command or the undo self-service-url command to disable the self-service server localization function.

By default, the function is disabled.

Note that:

• A self-service RADIUS server, for example, CAMS, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

• After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1x client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.

• Only authenticated users can select [Service/Change Password] from the 802.1x client. The option is gray and unavailable for unauthenticated users.

Examples

# Enable the self-service server localization function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default ISP domain system.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

1.1.33  service-type

Syntax

service-type { lan-access | { ssh | telnet | terminal }* [ level level ] }

undo service-type { lan-access | { ssh | telnet | terminal }* }

View

Local user view

Default Level

3: Manage level

Parameters

lan-access: Authorizes the user to use the Ethernet to access the network. The user can be, for example, an 802.1x user.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX port.

level level: Sets the user level of a Telnet, terminal, or SSH user. The level argument is in the range 0 to 3 and defaults to 0.

Description

Use the service-type command to specify the service types that a user can use.

Use the undo service-type command to delete one or all service types configured for a user.

By default, a user is authorized with no service.

Related commands: service-type ppp and service-type ftp.

Examples

# Authorize user user1 to use the Telnet service.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type telnet

1.1.34  service-type ftp

Syntax

service-type ftp

undo service-type ftp

View

Local user view

Default Level

3: Manage level

Parameters

None

Description

Use the service-type ftp command to authorize a user to use the FTP service.

Use the undo service-type ftp command to disable a user from using the FTP service.

By default, no service is authorized to a user and anonymous access to FTP service is not allowed. If you authorize a user to use the FTP service but do not specify a directory that the user can access, the user can access the root directory of the device by default.

Related commands: work-directory, service-type, service-type ppp.

Examples

# Authorize a user to use the FTP service.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type ftp

1.1.35  service-type ppp

Syntax

service-type ppp [ call-number call-number [ : subcall-number ] | callback-nocheck | callback-number callback-number ]

undo service-type ppp [ call-number | callback-nocheck | callback-number ]

View

Local user view

Default Level

2: System level

Parameters

call-number call-number: Specifies a caller number for ISDN user authentication, which is a string of 1 to 64 characters.

[ : subcall-number ]: Specifies the sub-caller number. The total length of the caller number and the sub-caller number must be less than 62 bytes.

callback-nocheck: Enables the PPP user callback without authentication feature.

callback-number callback-number: Specifies a callback number, which is a string of 1 to 64 characters.

Description

Use the service-type ppp command to authorize a user to use the PPP service and configure the callback attribute and caller number of the user.

Use the undo service-type ppp command to restore the default settings.

By default, no service is authorized to a user; if the PPP service is authorized, callback without authentication is enabled, no callback number is specified, and the system does not authenticate the caller number of ISDN users.

Related commands: service-type and service-type ftp.

Examples

# Authorize a user to use the PPP service and enable the callback without authentication feature.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type ppp callback-nocheck

1.1.36  state

Syntax

state { active | block }

View

ISP domain view/local user view

Default Level

2: System level

Parameters

active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services.

block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the status of the current ISP domain or local user.

By default, an ISP domain is in the active state when created, and so is a local user.

By blocking an ISP domain, you prevent offline users of the domain from requesting network services. Online users are not affected.

By blocking a local user, you prevent that user from requesting network services. No other users are affected.

Related commands: domain.

Examples

# Place ISP domain aabbcc.net in the block state.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] state block

# Place local user user1 in the block state.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] state block

1.1.37  work-directory

Syntax

work-directory directory-name

undo work-directory

View

Local user view

Default Level

3: Manage level

Parameters

directory-name: Name of the directory that FTP/SFTP users are authorized to access, a string of 1 to 135 characters.

Description

Use the work-directory command to specify the directory accessible to FTP/SFTP users.

Use the undo work-directory command to restore the default.

By default, FTP/SFTP users can access the root directory of the device.

Note that:

• The specified directory accessible to users must exist. Otherwise, the system will give an error prompt.

• If you delete a directory accessible to FTP/SFTP users, FTP/SFTP users will not be able to access this directory.

Note:

• In active/standby mode, if the directory specified on the active card is not available on the standby card, you may fail to log in to the system, or fail to operate normally after logging in, once an active/standby switchover occurs.

• If the working directory specified for FTP/SFTP contains the slot number of the standby card, you will fail to log in to the system after an active/standby switchover occurs. Therefore, it is recommended that the specified working directory contain no slot number information.

 

Examples

# Specify the directory accessible to FTP/SFTP users.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] work-directory cf0:
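Several of the local user commands above have settings that are worth checking in a saved configuration: password simple (1.1.31) leaves a password displayed in simple text unless local-user password-display-mode cipher-force (1.1.30) is set, service-type ftp (1.1.34) without a work-directory (1.1.37) gives the user the root directory of the device, and a manage-level (level 3) login account (1.1.28, 1.1.33) deserves a periodic review. The following Python audit is an added example, not part of this manual or of H3C's software; the function names and the sample configuration are my own (the cipher text is the example value from the password command description, the user names and the cf0:/ftp path are made up), and it assumes that local-user blocks are separated by # lines as in a saved configuration file:

```python
"""Audit local-user blocks of an H3C configuration for settings this reference
warns about. Added example, not H3C code: function names and the sample
configuration are my own; the cipher text is the example value printed in the
password command section."""
from __future__ import annotations

# Constructed sample configuration (user names and the cf0:/ftp path are made up).
SAMPLE_CONFIG = r"""
local-user password-display-mode auto
#
local-user admin
 password cipher _(TT8F]Y\5SQ=^Q`MAF4<1!!
 service-type ssh telnet level 3
#
local-user user1
 password simple 20030422
 service-type ftp
#
local-user user2
 password cipher _(TT8F]Y\5SQ=^Q`MAF4<1!!
 service-type ftp
 work-directory cf0:/ftp
#
"""


def parse_local_users(config: str) -> tuple[str, dict[str, list[list[str]]]]:
    """Return (password display mode, {user name: [tokens of each command]}).

    The display mode defaults to auto, as the reference states. A '#' line
    ends the current local-user block; blank lines are ignored.
    """
    mode = "auto"
    users: dict[str, list[list[str]]] = {}
    current: str | None = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "#":
            current = None
            continue
        if tokens[:2] == ["local-user", "password-display-mode"]:
            mode = tokens[2]
            continue
        if tokens[0] == "local-user":
            current = tokens[1]
            users[current] = []
            continue
        if current is not None:
            users[current].append(tokens)
    return mode, users


def audit_local_users(config: str) -> list[str]:
    """Return one finding per risky setting, in configuration order."""
    mode, users = parse_local_users(config)
    findings: list[str] = []
    for name, lines in users.items():
        services: set[str] = set()
        level: int | None = None
        has_work_directory = False
        for tokens in lines:
            cmd, args = tokens[0], tokens[1:]
            if cmd == "password" and args[:1] == ["simple"] and mode != "cipher-force":
                findings.append(
                    f"{name}: password is displayed in simple text "
                    "(use password cipher or local-user password-display-mode cipher-force)")
            elif cmd == "service-type":
                if "level" in args:  # service-type { ssh | telnet | terminal }* [ level level ]
                    idx = args.index("level")
                    level = int(args[idx + 1])
                    args = args[:idx]
                if args[:1] == ["ppp"]:  # callback options after ppp are not service types
                    args = ["ppp"]
                services.update(args)
            elif cmd == "level":  # the level command in local user view
                level = int(args[0])
            elif cmd == "work-directory":
                has_work_directory = True
        if "ftp" in services and not has_work_directory:
            findings.append(
                f"{name}: FTP service without work-directory, "
                "the root directory of the device is accessible")
        if level == 3 and services & {"ssh", "telnet", "terminal"}:
            findings.append(
                f"{name}: login account at manage level (3), review whether that is required")
    return findings


if __name__ == "__main__":
    for finding in audit_local_users(SAMPLE_CONFIG):
        print(finding)
```

On the sample, admin is reported for its manage-level login, user1 for both the simple-text password and the unrestricted FTP root, and user2 is clean; setting local-user password-display-mode cipher-force at the top of the same configuration makes the password finding disappear, which is exactly the effect the description of that command states.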

1.2  RADIUS Configuration Commands

1.2.1  data-flow-format (RADIUS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

undo data-flow-format { data | packet }

View

RADIUS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit of data.

byte: Specifies bytes as unit.

giga-byte: Specifies Gigabytes as unit.

kilo-byte: Specifies Kilobytes as unit.

mega-byte: Specifies Megabytes as unit.

packet: Specifies the unit of packets.

giga-packet: Specifies Giga-packets as unit.

kilo-packet: Specifies Kilo-packets as unit.

mega-packet: Specifies Mega-packets as unit.

one-packet: Specifies packets as unit.

Description

Use the data-flow-format command to configure the unit of data sent to the RADIUS server.

Use the undo data-flow-format command to restore the default.

By default, the unit of data is byte, and the unit of packets is one-packet.

Related commands: display radius.

Examples

# Configure the unit of data sent to the RADIUS server as kilobyte, and configure the unit of packets sent to the RADIUS server as kilo-packet.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

1.2.2  debugging radius packet

Syntax

debugging radius packet [ slot slot-number ]

undo debugging radius packet [ slot slot-number ]

View

User view

Default Level

1: Monitor level

Parameters

packet: Enables debugging for packets.

slot slot-number: Specifies the card in a slot.

Description

Use the debugging radius packet command to enable debugging for RADIUS packets.

Use the undo debugging radius packet command to disable debugging for RADIUS packets.

By default, debugging is disabled for RADIUS.

Examples

# Enable debugging for RADIUS.

<Sysname> debugging radius packet

1.2.3  display local-server statistics

Syntax

display local-server statistics

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display local-server statistics command to display the statistics of the local RADIUS authentication server.

Related commands: local-server.

Examples

# Display the statistics of the local RADIUS authentication server.

<Sysname> display local-server statistics

The localserver packet statistics:

Receive:                  30          Send:                   30

Discard:                  0           Receive Packet Error:   0

Auth Receive:             10          Auth Send:              10

Acct Receive:             20          Acct Send:              20

1.2.4  display radius

Syntax

display radius [ radius-scheme-name ] [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme-name: Name of a RADIUS scheme, which is a string of 1 to 32 characters.

slot slot-number: Specifies the card in a slot.

Description

Use the display radius command to display the configuration information of all RADIUS schemes or a specified RADIUS scheme.

Note that:

• If no RADIUS scheme is specified, the system displays configuration information of all RADIUS schemes.

• If no slot number is specified, the command will display the configurations of the RADIUS schemes on only the Switching and Routing Processing Unit (SRPU).

Related commands: radius scheme.

Examples

# Display the configuration information of all RADIUS schemes.

<Sysname> display radius

------------------------------------------------------------------

SchemeName  = system

  Index = 0                           Type=extended

  Primary Auth IP  = 127.0.0.1        Port= 1645   State= active

  Primary Acct IP  = 127.0.0.1        Port= 1646   State= active

  Second  Auth IP  = 0.0.0.0          Port= 1812   State= block

  Second  Acct IP  = 0.0.0.0          Port= 1813   State= block

  Auth Server Encryption Key = Not configured

  Acct Server Encryption Key = Not configured

  Interval for timeout(second)                           = 3

  Retransmission times for timeout                       = 3

  Interval for realtime accounting(minute)               = 12

  Retransmission times of realtime-accounting packet     = 5

  Retransmission times of stop-accounting packet         = 500

  Quiet-interval(min)                                    = 5

  Username format                                        = without-domain

  Data flow unit                                         = Byte

  Packet unit                                            = one

 

------------------------------------------------------------------

Total 1 RADIUS scheme(s).

1.2.5  display radius statistics

Syntax

display radius statistics [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

slot slot-number: Displays the statistics of RADIUS packets on the card of the specified slot.

Description

Use the display radius statistics command to display statistics about RADIUS packets.

Related commands: radius scheme.

Examples

# Display statistics about RADIUS packets.

<Sysname> display radius statistics

Slot  0:state statistic(total=2048):

     DEAD=2048     AuthProc=0        AuthSucc=0

AcctStart=0         RLTSend=0         RLTWait=0

 AcctStop=0          OnLine=0            Stop=0

 StateErr=0

 

Received and Sent packets statistic:

Sent PKT total  = 0        Received PKT total = 0

RADIUS received packets statistic:

Code= 2,Num=0       ,Err=0

Code= 3,Num=0       ,Err=0

Code= 5,Num=0       ,Err=0

Code=11,Num=0       ,Err=0

 

Running statistic:

RADIUS received messages statistic:

Normal auth request             , Num=0       , Err=0       , Succ=0

EAP auth request                , Num=0       , Err=0       , Succ=0

Account request                 , Num=0       , Err=0       , Succ=0

Account off request             , Num=0       , Err=0       , Succ=0

PKT auth timeout                , Num=0       , Err=0       , Succ=0

PKT acct_timeout                , Num=0       , Err=0       , Succ=0

Realtime Account timer          , Num=0       , Err=0       , Succ=0

PKT response                    , Num=0       , Err=0       , Succ=0

Session ctrl pkt                , Num=0       , Err=0       , Succ=0

Normal author request           , Num=0       , Err=0       , Succ=0

RADIUS sent messages statistic:

Auth accept                     , Num=0

Auth reject                     , Num=0

EAP auth replying               , Num=0

Account success                 , Num=0

Account failure                 , Num=0

Server ctrl req                 , Num=0

RecError_MSG_sum = 0        SndMSG_Fail_sum = 0

Timer_Err       = 0        Alloc_Mem_Err   = 0

State Mismatch   = 0        Other_Error     = 0

 

No-response-acct-stop packet =0

Discarded No-response-acct-stop packet for buffer overflow =0

Table 1-3 Description on the fields of the display radius statistics command

| Field | Description |
|---|---|
| state statistic(total=2,048) | State statistics (total=2,048) |
| DEAD | Number of idle users |
| AuthProc | Number of users waiting for authentication |
| AuthSucc | Number of users who have passed authentication |
| AcctStart | Number of users for whom accounting has been started |
| RLTSend | Number of users for whom the system sends real-time accounting packets |
| RLTWait | Number of users waiting for real-time accounting |
| AcctStop | Number of users waiting for accounting to be stopped |
| OnLine | Number of online users |
| Stop | Number of users in the stop state |
| Received and Sent packets statistic | Number of packets sent and received |
| Sent PKT total | Number of packets sent |
| Received PKT total | Number of packets received |
| RADIUS received packets statistic | Statistics of packets received by RADIUS |
| Code | Type of packet |
| Num | Total number of packets |
| Err | Number of error packets |
| Running statistic | Statistics of running packets |
| RADIUS received messages statistic | Number of messages received by RADIUS |
| Normal auth request | Number of normal authentication requests |
| EAP auth request | Number of EAP authentication requests |
| Account request | Number of accounting requests |
| Account off request | Number of stop-accounting requests |
| PKT auth timeout | Number of authentication timeout packets |
| PKT acct_timeout | Number of accounting timeout packets |
| Realtime Account timer | Number of real-time accounting requests |
| PKT response | Number of PKT responses |
| Session ctrl pkt | Number of session control packets |
| Normal author request | Number of normal authorization packets |
| Succ | Number of successful packets |
| RADIUS sent messages statistic | Number of messages sent by RADIUS |
| Auth accept | Number of accepted authentication packets |
| Auth reject | Number of rejected authentication packets |
| EAP auth replying | Number of EAP authentication reply packets |
| Account success | Number of successful accounting packets |
| Account failure | Number of failed accounting packets |
| Server ctrl req | Number of server control requests |
| RecError_MSG_sum | Number of received packets in error |
| SndMSG_Fail_sum | Number of packets that failed to be sent out |
| Timer_Err | Number of timer errors |
| Alloc_Mem_Err | Number of memory errors |
| State Mismatch | Number of status mismatch errors |
| Other_Error | Number of errors of other types |
| No-response-acct-stop packet | Number of stop-accounting packets for which no response was received |
| Discarded No-response-acct-stop packet for buffer overflow | Number of stop-accounting packets that were buffered but then discarded due to full memory |

 

1.2.6  display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Displays information about the buffered stop-accounting requests of the specified RADIUS scheme. radius-scheme-name: Specifies a RADIUS scheme name, a string of 1 to 32 characters.

session-id session-id: Displays information about the buffered stop-accounting requests of the specified session. session-id specifies a session ID, a string of 1 to 50 characters.

time-range start-time stop-time: Displays information about the buffered stop-accounting requests in the specified time range. start-time specifies the start time of a time range, and stop-time specifies the end time of a time range. They are in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. If this argument is specified, the system will display information about the buffered stop-accounting requests in the time range from start-time to stop-time.

user-name user-name: Displays information about the buffered stop-accounting requests of the specified user. The user-name argument is a case-sensitive string of 1 to 80 characters.

slot slot-number: Displays information about the stop-accounting requests on the card in the specified slot.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, user name, or slot.

 

Note:

If the device receives no response after sending a stop-accounting request to a RADIUS server, it buffers the request and retransmits it. You can use the retry stop-accounting command to set the number of allowed transmission attempts.

 

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31, 2002.

<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

 Slot  1:

Total 0 record(s) Matched

1.2.7  key (RADIUS scheme view)

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for RADIUS accounting packets.

authentication: Sets the shared key for RADIUS authentication/authorization packets.

string: Shared key, a case-sensitive string of 1 to 64 characters.

Description

Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default.

By default, no shared key is configured.

Note that you must ensure that the same shared key is set on the device and the RADIUS server.

Related commands: display radius.

Examples

# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key authentication hello

# Set the shared key for accounting packets to ok for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting ok

1.2.8  local-server

Syntax

local-server nas-ip ip-address key password

undo local-server nas-ip ip-address

View

System view

Default Level

2: System level

Parameters

nas-ip ip-address: Sets the IP address of the network access server for the local RADIUS server, in dotted decimal notation.

key password: Sets the shared key of the local RADIUS server. password specifies a key, a string of 1 to 16 characters.

Description

Use the local-server command to set related parameters for a local RADIUS server. Use the undo local-server command to remove a configured local RADIUS server.

By default, no parameters are configured for local RADIUS servers.

Note that:

•   When the authentication function of the local RADIUS server is used, the UDP port number for authentication/authorization must be 1645, and the UDP port number for accounting must be 1646.

•   The shared key configured using the local-server command must be consistent with that configured for authentication/authorization or accounting packets using the key { accounting | authentication } command in RADIUS scheme view.

•   The device supports a maximum of 16 local RADIUS servers, including the default local RADIUS server.

Related commands: radius scheme, state.

Examples

# Set the IP address of the network access server for the local RADIUS server to 10.110.1.2, and set the shared key to aabbcc.

<Sysname> system-view

[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

1.2.9  nas-ip (RADIUS scheme view)

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-0s address, the all-1s address, a class D address, a class E address, or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

•   Specifying a source address for the RADIUS packets sent to the server avoids the situation where the packets sent back by the RADIUS server cannot reach the device because of a physical interface failure. The address of a loopback interface is recommended.

•   The nas-ip command in RADIUS scheme view applies only to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. However, the nas-ip command in RADIUS scheme view overrides the configuration of the radius nas-ip command.

Related commands: radius nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] nas-ip 10.1.1.1

1.2.10  primary accounting (RADIUS scheme view)

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary accounting server.

port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535.

Description

Use the primary accounting command to configure the IP address and UDP port of the primary RADIUS accounting server.

Use the undo primary accounting command to restore the defaults.

By default, the IP address is 0.0.0.0 and the port number is 1813.

Note that:

•   The IP address of the primary accounting server must differ from that of the secondary accounting server. Otherwise, the system reports that the configuration fails.

•   For the primary accounting server used by the default scheme system, the IP address is 127.0.0.1 and the port number is 1646.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and the UDP port of the server to 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

1.2.11  primary authentication (RADIUS scheme view)

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary authentication/authorization server.

port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535.

Description

Use the primary authentication command to configure the IP address and UDP port of the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to restore the defaults.

By default, the IP address is 0.0.0.0 and the port number is 1812.

Note that:

•   After creating a RADIUS scheme, you need to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Which servers you configure is up to you, except that there must be at least one authentication/authorization server and one accounting server. Also ensure that the RADIUS service port settings on the device are consistent with the port settings on the RADIUS servers.

•   The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

•   For the primary authentication server used by the default scheme system, the IP address is 127.0.0.1 and the port number is 1645.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and the UDP port of the server to 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

1.2.12  radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-0s address, the all-1s address, a class D address, a class E address, or a loopback address.

Description

Use the radius nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo radius nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

•   Specifying a source address for the RADIUS packets sent to the server avoids the situation where the packets sent back by the RADIUS server cannot reach the device because of a physical interface failure.

•   If you configure the command more than once, the last configuration takes effect.

•   The nas-ip command in RADIUS scheme view applies only to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. However, the nas-ip command in RADIUS scheme view overrides the configuration of the radius nas-ip command.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

1.2.13  radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Default Level

3: Manage level

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

It cannot be the first n characters of “statistics” (n ranges from 1 to 10). Otherwise, when you execute the display radius command (for displaying the configuration of a RADIUS scheme) with that name, the system interprets the name as the statistics keyword and runs the display radius statistics command (for displaying the statistics of RADIUS packets) instead.

Description

Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.

Use the undo radius scheme command to delete a RADIUS scheme.

By default, the system has created a RADIUS scheme named “system”.

Note that:

•   For the RADIUS scheme named “system”, the attributes are of default configuration. You can view the settings of the default scheme system by executing the display radius command.

•   The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers.

•   A RADIUS scheme can be referenced by more than one ISP domain at the same time.

•   The undo radius scheme command can be used to remove a specified RADIUS scheme, but not the default RADIUS scheme. You cannot remove a RADIUS scheme while it is used by an online user.

Related commands: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius, display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

1.2.14  radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down }

undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Default Level

2: System level

Parameters

accounting-server-down: RADIUS trap for accounting servers.

authentication-server-down: RADIUS trap for authentication servers.

Description

Use the radius trap command to enable the RADIUS trap function.

Use the undo radius trap command to disable the function.

By default, the RADIUS trap function is disabled.

Note that:

•   If a NAS sends an accounting or authentication request to the RADIUS server but gets no response, the NAS retransmits the request. With the RADIUS trap function enabled, the NAS sends a trap message when it transmits the request for the half-of-maximum time, and another trap message when it transmits the request for the last time (the specified maximum number of transmission attempts).

•   If the specified maximum number of transmission attempts is odd, "half" means the smallest integer greater than half of that number (for example, 2 when the maximum is 3).

Examples

# Enable the RADIUS trap function for accounting servers.

<Sysname> system-view

[Sysname] radius trap accounting-server-down

# Disable the RADIUS trap function when the RADIUS accounting server gives no response.

[Sysname] undo radius trap accounting-server-down

1.2.15  reset local-server statistics

Syntax

reset local-server statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset local-server statistics command to clear the statistics of the local server.

Related commands: display local-server statistics.

Examples

# Clear the statistics of the local server.

<Sysname> reset local-server statistics

1.2.16  reset radius statistics

Syntax

reset radius statistics [ slot slot-number ]

View

User view

Default Level

2: System level

Parameters

slot slot-number: Specifies the slot where the interface card is inserted.

Description

Use the reset radius statistics command to clear RADIUS statistics.

Related commands: display radius.

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

1.2.17  reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]

View

User view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Clears the buffered stop-accounting requests of the specified RADIUS scheme. radius-scheme-name specifies a RADIUS scheme name, a string of 1 to 32 characters.

session-id session-id: Clears the buffered stop-accounting requests of the specified session. session-id specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Clears the buffered stop-accounting requests in the specified time range. start-time specifies the start time of a time range, and stop-time specifies the end time of a time range. They are in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Clears the buffered stop-accounting requests of the specified user. The user-name argument is a case-sensitive string of 1 to 80 characters.

slot slot-number: Clears the buffered stop-accounting requests of the card in the specified slot.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that have received no response.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for user [email protected].

<Sysname> reset stop-accounting-buffer user-name [email protected]

# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2002.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

1.2.18  retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of retransmission attempts, in the range 1 to 20.

Description

Use the retry command to set the maximum number of RADIUS retransmission attempts.

Use the undo retry command to restore the default.

The default value for the retry-times argument is 3.

Note that:

•   The maximum number of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

•   Because RADIUS uses UDP to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the request. If the number of retransmission attempts exceeds the limit and the device still receives no response from the RADIUS server, the device considers the authentication to have failed.

•   The maximum number of retransmission attempts defined by this command is the sum of all retransmission attempts sent by the device to the primary server and the secondary server. For example, assume that the maximum number of retransmission attempts is N and that both the primary and the secondary RADIUS server are specified and exist. The device sends the request to the other server if the current server has not responded after the number of retransmission attempts reaches N/2 (if N is even) or (N+1)/2 (if N is odd).

Related commands: radius scheme, timer response-timeout.

Examples

# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

1.2.19  retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5.

Description

Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.

Use the undo retry realtime-accounting command to restore the default.

Note that:

•   A RADIUS server usually checks whether a user is online by means of a timeout timer. If it receives no real-time accounting packet for a user from the NAS within the timeout period, it assumes a line or device failure and stops accounting for the user. To keep both sides consistent when such a failure occurs, the NAS must disconnect the user as well. This is controlled by the maximum number of accounting request transmission attempts: once the limit is reached and the NAS still receives no response, the NAS disconnects the user.

•   Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the number of timeout retransmission attempts is 3 (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes and retransmits the request when it receives no response within 3 seconds. The accounting is deemed unsuccessful if no response is received after 3 requests. The device then keeps sending a request every 12 minutes, and if it still receives no response after 5 such attempts, it cuts the user connection.
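The retransmission, failover, trap and real-time accounting behaviour described in the retry, radius trap and retry realtime-accounting notes, modelled as an added Python example (not H3C code). It assumes that retry-times counts every transmission of a request (the first "half" going to the primary server, the rest to the secondary) and that a failed real-time accounting cycle does not reset the interval timer.

```python
from dataclasses import dataclass


def half_of(max_attempts: int) -> int:
    """'Half' of the maximum number of transmission attempts as the manual
    defines it: N/2 for even N, (N+1)/2 for odd N."""
    return (max_attempts + 1) // 2


@dataclass(frozen=True)
class Attempt:
    number: int       # 1-based transmission attempt
    server: str       # "primary" or "secondary"
    send_time_s: int  # seconds after the first transmission
    trap: bool        # True where the radius trap function sends a trap


def auth_schedule(retry_times: int, response_timeout_s: int,
                  secondary_configured: bool = True) -> list:
    """Attempt-by-attempt schedule for one request that never gets an answer.

    Assumption: retry_times counts every transmission; the first
    half_of(retry_times) go to the primary server and the remainder to the
    secondary server when one is configured.
    """
    if not 1 <= retry_times <= 20:
        raise ValueError("retry-times must be in the range 1 to 20")
    if retry_times * response_timeout_s > 75:
        raise ValueError("retry-times * response-timeout must not exceed 75")
    half = half_of(retry_times)
    schedule = []
    for n in range(1, retry_times + 1):
        server = "secondary" if secondary_configured and n > half else "primary"
        schedule.append(Attempt(number=n, server=server,
                                send_time_s=(n - 1) * response_timeout_s,
                                trap=n in (half, retry_times)))
    return schedule


def auth_failure_time_s(retry_times: int, response_timeout_s: int) -> int:
    """Seconds until the device declares authentication failed when no
    server answers at all (all attempts exhausted)."""
    return retry_times * response_timeout_s


def realtime_accounting_cutoff_s(interval_min: int, retry_times: int,
                                 response_timeout_s: int,
                                 max_failed_cycles: int) -> int:
    """Seconds of accounting-server silence tolerated before the user is cut.

    One accounting cycle starts every interval_min minutes and is declared
    failed after retry_times * response_timeout_s seconds; the user is
    disconnected when max_failed_cycles consecutive cycles fail. Assumption:
    the interval timer is not reset by a failed cycle.
    """
    if not 1 <= max_failed_cycles <= 255:
        raise ValueError("retry realtime-accounting must be in the range 1 to 255")
    return max_failed_cycles * interval_min * 60 + retry_times * response_timeout_s


if __name__ == "__main__":
    # The manual's own figures: timeout 3 s, retry 3, interval 12 min, 5 attempts.
    for a in auth_schedule(3, 3):
        print(a)
    print("authentication gives up after", auth_failure_time_s(3, 3), "s")
    print("user is cut after", realtime_accounting_cutoff_s(12, 3, 3, 5), "s")
```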

Related commands: radius scheme, timer realtime-accounting.

Examples

# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

1.2.20  retry stop-accounting (RADIUS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

•   Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the number of timeout retransmission attempts is 5 (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). Then, for each stop-accounting request, if the device receives no response within 3 seconds, it sends a new request. If no response is received after 5 such requests, the stop-accounting request is deemed unsuccessful. The device then buffers the request, resends it and repeats the whole process described above. Only when 20 consecutive attempts fail does the device discard the request.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

1.2.21  secondary accounting (RADIUS scheme view)

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.

port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.

Description

Use the secondary accounting command to configure the IP address and UDP port of the secondary RADIUS accounting server.

Use the undo secondary accounting command to restore the defaults.

The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the secondary accounting server for RADIUS scheme radius1 to 10.110.1.1 and the UDP port of the server to 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

1.2.22  secondary authentication (RADIUS scheme view)

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.

port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

Description

Use the secondary authentication command to configure the IP address and UDP port of the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to restore the defaults.

Note that the IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.
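An added Python example (not H3C code) that checks a proposed RADIUS scheme against the constraints this chapter states: scheme name, at least one authentication/authorization and one accounting server, distinct primary/secondary addresses, shared keys, retry ranges, the retry * response-timeout <= 75 rule and the nas-ip address restrictions. The RadiusScheme dataclass and the sample configurations are constructed; it assumes 0.0.0.0 means "no server configured" and that the device's own addresses are supplied by the caller.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNSET = "0.0.0.0"  # the manual's default address, taken here to mean "not configured"


@dataclass
class RadiusScheme:
    name: str
    primary_auth: str = UNSET
    secondary_auth: str = UNSET
    primary_acct: str = UNSET
    secondary_acct: str = UNSET
    auth_key: Optional[str] = None
    acct_key: Optional[str] = None
    nas_ip: Optional[str] = None
    retry: int = 3
    response_timeout_s: int = 3
    retry_realtime_accounting: int = 5
    retry_stop_accounting: int = 500
    device_addresses: Tuple[str, ...] = ()  # addresses owned by the device (assumed input)


def nas_ip_problems(ip: str, device_addresses: Tuple[str, ...]) -> List[str]:
    """Rules from the nas-ip / radius nas-ip parameter description."""
    addr = ipaddress.IPv4Address(ip)
    problems = []
    if ip == UNSET:
        problems.append("nas-ip: all-0s address is not allowed")
    elif ip == "255.255.255.255":
        problems.append("nas-ip: all-1s address is not allowed")
    elif addr.is_multicast:
        problems.append("nas-ip: class D (multicast) address is not allowed")
    elif addr in ipaddress.IPv4Network("240.0.0.0/4"):
        problems.append("nas-ip: class E address is not allowed")
    elif addr.is_loopback:
        problems.append("nas-ip: loopback address is not allowed")
    if ip not in device_addresses:
        problems.append("nas-ip: must be an address of the device")
    return problems


def validate_scheme(s: RadiusScheme) -> List[str]:
    p: List[str] = []
    if not 1 <= len(s.name) <= 32:
        p.append("scheme name must be 1 to 32 characters")
    # A name that is a prefix of "statistics" collides with display radius statistics.
    if "statistics".startswith(s.name.lower()):
        p.append("scheme name must not be a prefix of 'statistics'")
    if s.primary_auth == UNSET and s.secondary_auth == UNSET:
        p.append("at least one authentication/authorization server is required")
    if s.primary_acct == UNSET and s.secondary_acct == UNSET:
        p.append("at least one accounting server is required")
    # Primary and secondary addresses must differ (assumed: 0.0.0.0 is unset).
    if s.primary_auth != UNSET and s.primary_auth == s.secondary_auth:
        p.append("primary and secondary authentication servers share an IP address")
    if s.primary_acct != UNSET and s.primary_acct == s.secondary_acct:
        p.append("primary and secondary accounting servers share an IP address")
    for label, key in (("authentication", s.auth_key), ("accounting", s.acct_key)):
        if key is None:
            p.append(f"no shared key configured for {label} packets")
        elif not 1 <= len(key) <= 64:
            p.append(f"{label} shared key must be 1 to 64 characters")
    if not 1 <= s.retry <= 20:
        p.append("retry must be in the range 1 to 20")
    if s.retry * s.response_timeout_s > 75:
        p.append("retry * response timeout exceeds 75")
    if not 1 <= s.retry_realtime_accounting <= 255:
        p.append("retry realtime-accounting must be in the range 1 to 255")
    if not 10 <= s.retry_stop_accounting <= 65535:
        p.append("retry stop-accounting must be in the range 10 to 65535")
    if s.nas_ip is not None:
        p.extend(nas_ip_problems(s.nas_ip, s.device_addresses))
    return p


# Constructed sample configurations (not from the manual): a weak one and a corrected one.
WEAK = RadiusScheme(name="stat", primary_auth="10.110.1.1", secondary_auth="10.110.1.1",
                    auth_key="hello", nas_ip="127.0.0.1",
                    retry=20, response_timeout_s=4, device_addresses=("10.1.1.1",))
GOOD = RadiusScheme(name="radius1", primary_auth="10.110.1.1", secondary_auth="10.110.1.2",
                    primary_acct="10.110.1.1", secondary_acct="10.110.1.2",
                    auth_key="hello", acct_key="ok", nas_ip="10.1.1.1",
                    device_addresses=("10.1.1.1",))

if __name__ == "__main__":
    for name, scheme in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, validate_scheme(scheme) or "OK")
```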

Related commands: key, radius scheme, state.

Examples

# Set the IP address of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and the UDP port of the server to 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

1.2.23  server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS scheme view

Default Level

2: System level

Parameters

extended: Specifies the extended RADIUS server (generally CAMS), which requires the RADIUS client and the RADIUS server to interact according to the procedures and packet formats defined by the proprietary RADIUS protocol.

standard: Specifies the standard RADIUS server, which requires the RADIUS client and the RADIUS server to interact according to the procedures and packet formats of the standard RADIUS protocol.

Description

Use the server-type command to specify the RADIUS server type supported by the device.

Use the undo server-type command to restore the default.

By default, the supported RADIUS server type is standard.

For the default scheme named “system”, the type of its RADIUS server is extended.

Related commands: radius scheme.

Examples

# Set the RADIUS server type of RADIUS scheme radius1 to “extended”.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-type extended

1.2.24  state

Syntax

state { primary | secondary } { accounting | authentication } { active | block }

View

RADIUS scheme view

Default Level

2: System level

Parameters

primary: Sets the status of the primary RADIUS server.

secondary: Sets the status of the secondary RADIUS server.

accounting: Sets the status of the RADIUS accounting server.

authentication: Sets the status of the RADIUS authentication/authorization server.

active: Sets the status of the RADIUS server to active, namely the normal operation state.

block: Sets the status of the RADIUS server to block.

Description

Use the state command to set the status of a RADIUS server.

By default, every RADIUS server configured with an IP address in the RADIUS scheme is in the state of active.

Note that:

- When a primary server (authentication/authorization server or accounting server) fails, the device automatically turns to the secondary server.

- Once the primary server fails, it enters the blocked state and the device turns to the secondary server. If the secondary server is available, the device starts the primary server quiet timer. After the quiet timer expires, if the primary server has resumed, the device returns to the primary server and stops communicating with the secondary server; the primary server becomes active again and the status of the secondary server remains unchanged.

- When both the primary server and the secondary server are in the blocked state, you need to set the status of the secondary server to active to use the secondary server for authentication. Otherwise, the switchover will not occur.

- If one server is in the active state while the other is blocked, the switchover will not take place even if the active server is not reachable.
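The failover rules in the notes above, modeled as an added example (this is not code from the H3C manual); the class and method names and the minute-based clock are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Optional

ACTIVE = "active"
BLOCK = "block"


@dataclass
class RadiusServerPair:
    """Primary/secondary pair of one server type (authentication or accounting) in a scheme.

    Names and the minute-based clock are constructed for this example."""
    primary_state: str = ACTIVE
    secondary_state: str = ACTIVE
    quiet_minutes: int = 5                      # timer quiet, 1 to 255, default 5
    quiet_expires_at: Optional[float] = None    # None: primary quiet timer not running

    def set_state(self, which: str, new_state: str) -> None:
        """Manual 'state { primary | secondary } ... { active | block }'."""
        if which == "primary":
            self.primary_state = new_state
            if new_state == ACTIVE:
                self.quiet_expires_at = None
        else:
            self.secondary_state = new_state

    def select_server(self, now: float, primary_up: bool, secondary_up: bool) -> Optional[str]:
        """Which server a request at time 'now' goes to: 'primary', 'secondary' or None.

        primary_up/secondary_up say whether that server would answer right now."""
        # Quiet timer expired: if the primary has resumed it becomes active again,
        # and the secondary's state is left unchanged.
        if (self.primary_state == BLOCK and self.quiet_expires_at is not None
                and now >= self.quiet_expires_at):
            self.quiet_expires_at = None
            if primary_up:
                self.primary_state = ACTIVE

        if self.primary_state == ACTIVE and self.secondary_state == ACTIVE:
            if primary_up:
                return "primary"
            # Primary failed: block it and turn to the secondary.
            self.primary_state = BLOCK
            if secondary_up:
                self.quiet_expires_at = now + self.quiet_minutes
                return "secondary"
            # Secondary unavailable too: both end up blocked, and only a manual
            # 'state secondary ... active' brings the secondary back into use.
            self.secondary_state = BLOCK
            return None
        if self.primary_state == ACTIVE:
            # Primary active, secondary blocked: no switchover even if unreachable.
            return "primary" if primary_up else None
        if self.secondary_state == ACTIVE:
            # Primary blocked, secondary active: the secondary serves while the quiet timer runs.
            return "secondary" if secondary_up else None
        return None  # both blocked
```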

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples

# Set the status of the secondary server in RADIUS scheme radius1 to active.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication active

1.2.25  stop-accounting-buffer enable (RADIUS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Because stop-accounting requests affect how users are charged, a NAS must make its best effort to deliver every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that gets no response within the specified period, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit; in the latter case, the NAS discards the packet.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

1.2.26  timer quiet (RADIUS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the period during which the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

By default, the quiet timer of the primary server is 5 minutes.

Related commands: display radius.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] timer quiet 10

1.2.27  timer realtime-accounting (RADIUS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes, must be a multiple of 3 and in the range 3 to 60, with the default value being 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

- For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets that interval.

- The appropriate real-time accounting interval depends on the performance of the NAS and the RADIUS server: a shorter interval requires higher performance. A longer interval is therefore recommended when there are a large number of users (1000 or more). The following table lists the recommended intervals for different numbers of users.

Table 1-4 Recommended ratios of the accounting interval to the number of users

Number of users      Real-time accounting interval (minute)
1 to 99              3
100 to 499           6
500 to 999           12
1000 or more         15 or more

Related commands: retry realtime-accounting, radius scheme.

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

1.2.28  timer response-timeout (RADIUS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.

Description

Use the timer response-timeout command to set the RADIUS server response timeout timer.

Use the undo timer response-timeout command to restore the default.

Note that:

- If a NAS receives no response from the RADIUS server within a certain period after sending a RADIUS request (an authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.

- A proper value for the RADIUS server response timeout timer helps improve system performance. Set the timer based on the network conditions.

- The maximum total number of retransmission attempts of all types multiplied by the RADIUS server response timeout period cannot be greater than 75.
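An offline sanity check for the timer values in this section, written as an added example (not code from the H3C manual): it applies the ranges given for timer quiet, timer realtime-accounting and timer response-timeout, the recommendation in Table 1-4, and the limit of 75 on retries multiplied by the timeout. The retries argument stands for the value given to the retry command, whose range is not covered in this section; the function names are constructed.

```python
from typing import List

# Table 1-4: (largest number of users in the row, recommended interval in minutes).
# 1000 or more users fall through to 15 minutes or more.
RECOMMENDED_INTERVAL = [(99, 3), (499, 6), (999, 12)]


def recommended_realtime_interval(user_count: int) -> int:
    """Smallest real-time accounting interval Table 1-4 recommends for user_count users."""
    for max_users, minutes in RECOMMENDED_INTERVAL:
        if user_count <= max_users:
            return minutes
    return 15


def check_radius_timers(quiet: int = 5, realtime: int = 12, response_timeout: int = 3,
                        retries: int = 3, user_count: int = 0) -> List[str]:
    """Return the problems found with a scheme's timer settings; [] means all values pass.

    Defaults are the manual's defaults (quiet 5 min, realtime 12 min, timeout 3 s);
    retries defaults to 3 only as an assumed value for the 'retry' command."""
    problems: List[str] = []
    if not 1 <= quiet <= 255:
        problems.append(f"timer quiet {quiet}: must be 1 to 255 minutes")
    if not (3 <= realtime <= 60 and realtime % 3 == 0):
        problems.append(f"timer realtime-accounting {realtime}: must be a multiple of 3 "
                        "in the range 3 to 60")
    else:
        wanted = recommended_realtime_interval(user_count)
        if realtime < wanted:
            problems.append(f"timer realtime-accounting {realtime}: {wanted} minutes or more "
                            f"recommended for {user_count} users (Table 1-4)")
    if not 1 <= response_timeout <= 10:
        problems.append(f"timer response-timeout {response_timeout}: must be 1 to 10 seconds")
    elif retries * response_timeout > 75:
        problems.append(f"retries x response-timeout = {retries * response_timeout}: "
                        "must not exceed 75")
    return problems
```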

Related commands: radius scheme, retry.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

1.2.29  user-name-format (RADIUS scheme view)

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS scheme view

Default Level

2: System level

Parameters

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.

By default, the ISP domain name is included in the username.

For the default scheme named “system”, its user names contain no ISP domain name.

Note that:

- A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which the user belongs. Some earlier RADIUS servers, however, cannot recognize a username that includes an ISP domain name. Before sending such a username to one of these servers, the device must remove the domain name. This command therefore lets you decide whether the username sent to a RADIUS server includes the domain name.

- If a RADIUS scheme sends usernames without the ISP domain name, do not apply the scheme to more than one ISP domain; otherwise the RADIUS server would treat two users in different ISP domains with the same user ID as a single user.
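Username handling as described in the notes above, written as an added example (not code from the H3C manual): it splits userid@isp-name, applies with-domain or without-domain, and flags the user ID collision that arises when a without-domain scheme is applied to several ISP domains. The user IDs, domain names, scheme names and function names are constructed; that the last "@" separates the domain is an assumption.

```python
from typing import Dict, List, Set, Tuple


def split_username(username: str, default_domain: str) -> Tuple[str, str]:
    """Split 'userid@isp-name' into (userid, isp-name).

    Assumption: the last '@' separates the domain; a name without '@' belongs to default_domain."""
    userid, sep, isp = username.rpartition("@")
    if not sep:
        return username, default_domain
    return userid, isp


def username_for_radius(username: str, default_domain: str, with_domain: bool) -> str:
    """Username as the device sends it under user-name-format with-domain / without-domain."""
    userid, isp = split_username(username, default_domain)
    return f"{userid}@{isp}" if with_domain else userid


def find_colliding_users(logins: List[str], scheme_of_domain: Dict[str, str],
                         without_domain_schemes: Set[str], default_domain: str) -> Dict[str, List[str]]:
    """Logins that one RADIUS server would see as the same user.

    scheme_of_domain maps each ISP domain to the RADIUS scheme applied to it;
    without_domain_schemes names the schemes configured with 'user-name-format without-domain'.
    Returns {'userid via scheme': [domains...]} for every user ID reaching one
    without-domain scheme from more than one ISP domain."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for login in logins:
        userid, isp = split_username(login, default_domain)
        scheme = scheme_of_domain.get(isp)
        if scheme in without_domain_schemes:
            seen.setdefault((scheme, userid), set()).add(isp)
    return {f"{userid} via {scheme}": sorted(domains)
            for (scheme, userid), domains in seen.items() if len(domains) > 1}
```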

Related commands: radius scheme.

Examples

# Specify the device to exclude the domain name from the username sent to the RADIUS servers for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

1.3  HWTACACS Configuration Commands

1.3.1  data-flow-format (HWTACACS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

undo data-flow-format { data | packet }

View

HWTACACS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a HWTACACS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Related commands: display hwtacacs.

Examples

# Define HWTACACS scheme hwt1 to send data flows and packets destined for the HWTACACS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte

[Sysname-hwtacacs-hwt1] data-flow-format packet kilo-packet

1.3.2  debugging hwtacacs

Syntax

debugging hwtacacs { all | error | event | message | receive-packet | send-packet } [ slot slot-number ]

undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet } [ slot slot-number ]

View

User view

Default Level

1: Monitor level

Parameters

all: Turns on/off all types of debugging for HWTACACS.

error: Turns on/off error debugging.

event: Turns on/off event debugging.

message: Turns on/off message debugging.

receive-packet: Turns on/off debugging for received packets.

send-packet: Turns on/off debugging for sent packets.

slot slot-number: Turns on/off debugging for the card in a specified slot.

Description

Use the debugging hwtacacs command to enable debugging for HWTACACS.

Use the undo debugging hwtacacs command to disable debugging for HWTACACS.

By default, debugging is disabled for HWTACACS.

Examples

# Enable debugging for HWTACACS.

<Sysname> debugging hwtacacs event

1.3.3  display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics [ slot slot-number ] ] ]

View

Any view

Default Level

2: System level

Parameters

hwtacacs-scheme-name: Displays the HWTACACS configuration of the specified scheme.

statistics: Displays complete statistics about the HWTACACS server.

slot slot-number: Displays HWTACACS configuration or statistics of the card in a specified slot.

Description

Use the display hwtacacs command to display configuration information or statistics of the specified or all HWTACACS schemes.

Related commands: hwtacacs scheme.

Examples

# Display information about HWTACACS scheme gy.

<Sysname> display hwtacacs gy

  --------------------------------------------------------------------

HWTACACS-server template name       : gy

  Primary-authentication-server     : 172.31.1.11:49

  Primary-authorization-server      : 172.31.1.11:49

  Primary-accounting-server         : 172.31.1.11:49

  Secondary-authentication-server   : 0.0.0.0:0

  Secondary-authorization-server    : 0.0.0.0:0

  Secondary-accounting-server       : 0.0.0.0:0

  Current-authentication-server     : 172.31.1.11:49

  Current-authorization-server      : 172.31.1.11:49

  Current-accounting-server         : 172.31.1.11:49

  NAS-IP address                    : 0.0.0.0

  key authentication                : 790131

  key authorization                 : 790131

  key accounting                    : 790131

  Quiet-interval(min)               : 5

  Realtime-accounting-interval(min) : 12

  Response-timeout-interval(sec)    : 5

  Acct-stop-PKT retransmit times    : 100

  Domain-included                   : Yes

  Data traffic-unit                 : B

  Packet traffic-unit               : one-packet

  -------------------------------------------------------------------- 
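A parser for the display hwtacacs output shown above, with the checks a reviewer would run on it (no secondary server configured, no fixed NAS-IP, shared keys visible in the output), written as an added example that is not code from the H3C manual. SAMPLE_OUTPUT is copied from the example above; the function names are constructed.

```python
import re
from typing import Dict, List

# Copied from the display hwtacacs example for scheme gy above.
SAMPLE_OUTPUT = """\
  --------------------------------------------------------------------
HWTACACS-server template name       : gy
  Primary-authentication-server     : 172.31.1.11:49
  Primary-authorization-server      : 172.31.1.11:49
  Primary-accounting-server         : 172.31.1.11:49
  Secondary-authentication-server   : 0.0.0.0:0
  Secondary-authorization-server    : 0.0.0.0:0
  Secondary-accounting-server       : 0.0.0.0:0
  Current-authentication-server     : 172.31.1.11:49
  Current-authorization-server      : 172.31.1.11:49
  Current-accounting-server         : 172.31.1.11:49
  NAS-IP address                    : 0.0.0.0
  key authentication                : 790131
  key authorization                 : 790131
  key accounting                    : 790131
  Quiet-interval(min)               : 5
  Realtime-accounting-interval(min) : 12
  Response-timeout-interval(sec)    : 5
  Acct-stop-PKT retransmit times    : 100
  Domain-included                   : Yes
  Data traffic-unit                 : B
  Packet traffic-unit               : one-packet
  --------------------------------------------------------------------
"""

# 'name : value'; the name runs up to the first colon, so 'ip:port' values stay intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$")

ROLES = ("authentication", "authorization", "accounting")


def parse_display_hwtacacs(text: str) -> Dict[str, str]:
    """Turn the 'name : value' lines of display hwtacacs into a dict; separator lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit_hwtacacs_scheme(fields: Dict[str, str]) -> List[str]:
    """Findings drawn from the notes in this section, computed from the parsed output."""
    findings: List[str] = []
    for role in ROLES:
        # 0.0.0.0:0 is what the output shows for an unconfigured server.
        if fields.get(f"Secondary-{role}-server", "0.0.0.0:0") == "0.0.0.0:0":
            findings.append(f"no secondary {role} server: nothing to switch to if the primary fails")
    if fields.get("NAS-IP address", "0.0.0.0") == "0.0.0.0":
        findings.append("NAS-IP not set: the source address follows the outbound port, so a "
                        "physical interface failure can leave server replies undeliverable")
    if any(fields.get(f"key {role}") for role in ROLES):
        findings.append("shared keys are shown in cleartext: treat saved output of this command as sensitive")
    return findings
```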

1.3.4  display stop-accounting-buffer

Syntax

display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]

View

Any view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Displays information about the buffered stop-accounting requests of the specified HWTACACS scheme. hwtacacs-scheme-name specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

session-id session-id: Displays information about the buffered stop-accounting requests of the specified session. session-id specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Displays information about the buffered stop-accounting requests in the specified time range. start-time specifies the start time of the time range, and stop-time specifies its end time. They are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. If this argument is specified, the system displays information about the buffered stop-accounting requests in the time range from start-time to stop-time.

user-name user-name: Displays information about the buffered stop-accounting requests of the specified user name.

slot slot-number: Displays information about the stop-accounting requests on the card of the specified slot.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, user name, or slot.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1 slot 0

Slot 0:

Total 0 record(s) Matched

1.3.5  hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-0s address, the all-1s address, a class D address, a class E address, or a loopback address.

Description

Use the hwtacacs nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo hwtacacs nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

- Specifying a source address for the HWTACACS packets sent to the server avoids the situation where the packets sent back by the HWTACACS server cannot reach the device because of a physical interface failure.

- If you configure the command multiple times, the last configuration takes effect.

- The nas-ip command in HWTACACS scheme view applies only to the current HWTACACS scheme, while the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. The nas-ip command in HWTACACS scheme view overrides the configuration of the hwtacacs nas-ip command.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

1.3.6  hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Default Level

3: Manage level

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

By default, no HWTACACS scheme exists.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

1.3.7  key (HWTACACS scheme view)

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for HWTACACS accounting packets.

authentication: Sets the shared key for HWTACACS authentication packets.

authorization: Sets the shared key for HWTACACS authorization packets.

string: Shared key, a string of 1 to 16 characters.

Description

Use the key command to set the shared key for HWTACACS authentication, authorization, or accounting packets.

Use the undo key command to remove the configuration.

By default, no shared key is configured.

Related commands: display hwtacacs.

Examples

# Set the shared key for HWTACACS accounting packets to hello for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key accounting hello

1.3.8  nas-ip (HWTACACS scheme view)

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-0s address, the all-1s address, a class D address, a class E address, or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

- Specifying a source address for the HWTACACS packets sent to the server avoids the situation where the packets sent back by the HWTACACS server cannot reach the device because of a physical interface failure.

- If you configure the command multiple times, the last configuration takes effect.

- The nas-ip command in HWTACACS scheme view applies only to the current HWTACACS scheme, while the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. The nas-ip command in HWTACACS scheme view overrides the configuration of the hwtacacs nas-ip command.

Related commands: hwtacacs nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

1.3.9  primary accounting (HWTACACS scheme view)

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary accounting command to specify the primary HWTACACS accounting server.

Use the undo primary accounting command to remove the configuration.

Note that:

- The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

- If you configure the command multiple times, the last configuration takes effect.

- You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Configure the primary accounting server.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

1.3.10  primary authentication (HWTACACS scheme view)

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to specify the primary HWTACACS authentication server.

Use the undo primary authentication command to remove the configuration.

Note that:

- The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

- If you configure the command multiple times, the last configuration takes effect.

- You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs.

Examples

# Set the primary authentication server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

1.3.11  primary authorization

Syntax

primary authorization ip-address [ port-number ]

undo primary authorization

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to specify the primary HWTACACS authorization server.

Use the undo primary authorization command to remove the configuration.

Note that:

- The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

- If you configure the command multiple times, the last configuration takes effect.

- You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the primary authorization server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

1.3.12  reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]

View

User view

Default Level

1: Monitor level

Parameters

accounting: Clears HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears statistics of HWTACACS authentication.

authorization: Clears statistics of HWTACACS authorization.

slot slot-number: Clears HWTACACS statistics on the interface card in the specified slot.

Description

Use the reset hwtacacs statistics command to clear HWTACACS statistics.

Related commands: display hwtacacs.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

1.3.13  reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]

View

User view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Clears the buffered stop-accounting requests of the specified HWTACACS scheme. hwtacacs-scheme-name specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

session-id session-id: Clears the buffered stop-accounting requests of the specified session. session-id specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Clears the buffered stop-accounting requests in the specified time range. start-time specifies the start time of the time range, and stop-time specifies its end time. They are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Clears the buffered stop-accounting requests of the specified user name.

slot slot-number: Clears the buffered stop-accounting requests of the card on the specified slot.

Description

Use the reset stop-accounting-buffer command to delete the buffered stop-accounting requests that get no responses.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

1.3.14  retry stop-accounting (HWTACACS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 1 to 300 and defaults to 100.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 50.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 50

1.3.15  secondary accounting (HWTACACS scheme view)

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary accounting command to specify the secondary HWTACACS accounting server.

Use the undo secondary accounting command to remove the configuration.

Note that:

- The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

- If you configure the command multiple times, the last configuration takes effect.

- You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Configure the secondary accounting server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

1.3.16  secondary authentication (HWTACACS scheme view)

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary authentication command to specify the secondary HWTACACS authentication server.

Use the undo secondary authentication command to remove the configuration.

Note that:

- The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

- If you configure the command multiple times, the last configuration takes effect.

- You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the secondary authentication server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

1.3.17  secondary authorization

Syntax

secondary authorization ip-address [ port-number ]

undo secondary authorization

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary authorization command to specify the secondary HWTACACS authorization server.

Use the undo secondary authorization command to remove the configuration.

Note that:

- The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

- If you configure the command multiple times, the last configuration takes effect.

- You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the secondary authorization server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

1.3.18  stop-accounting-buffer enable (HWTACACS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Because stop-accounting requests affect how users are charged, a NAS must make its best effort to deliver every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request that gets no response within the specified period, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit; in the latter case, the NAS discards the packet.
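The buffer-and-retransmit behaviour described here (and identically for the RADIUS scheme view above), modeled as an added example that is not code from the H3C manual; it uses the retry stop-accounting limit (1 to 300, default 100) and the response timeout as the resend interval. The class, method and session names are constructed and the clock is in seconds.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class StopAccountingRequest:
    """One stop-accounting request awaiting a server response."""
    session_id: str
    user_name: str
    attempts: int = 0          # transmissions so far
    next_send_at: float = 0.0  # when the next retransmission is due


@dataclass
class StopAccountingBuffer:
    """NAS-side buffer of unanswered stop-accounting requests (constructed model)."""
    buffering_enabled: bool = True      # stop-accounting-buffer enable / undo ...
    retry_times: int = 100              # retry stop-accounting, 1 to 300
    response_timeout: float = 5.0       # timer response-timeout, seconds (HWTACACS default 5)
    pending: Dict[str, StopAccountingRequest] = field(default_factory=dict)
    acknowledged: List[str] = field(default_factory=list)
    discarded: List[str] = field(default_factory=list)

    def send(self, req: StopAccountingRequest, now: float,
             deliver: Callable[[StopAccountingRequest], bool]) -> None:
        """Transmit once; deliver() returns True when the server responds.

        An unanswered request is buffered for resending, unless buffering is off
        or the retry limit has been reached, in which case it is discarded."""
        req.attempts += 1
        if deliver(req):
            self.pending.pop(req.session_id, None)
            self.acknowledged.append(req.session_id)
            return
        if not self.buffering_enabled or req.attempts >= self.retry_times:
            self.pending.pop(req.session_id, None)
            self.discarded.append(req.session_id)
            return
        req.next_send_at = now + self.response_timeout
        self.pending[req.session_id] = req

    def retransmit_due(self, now: float,
                       deliver: Callable[[StopAccountingRequest], bool]) -> int:
        """Resend every buffered request whose response timeout has elapsed; returns the count."""
        due = [r for r in self.pending.values() if r.next_send_at <= now]
        for req in due:
            self.send(req, now, deliver)
        return len(due)


def simulate(answers: List[bool], retry_times: int = 100, response_timeout: float = 5.0,
             buffering_enabled: bool = True) -> Dict[str, object]:
    """Drive one constructed request through the buffer.

    answers[i] says whether transmission i gets a response; any later transmission
    gets none. Returns the outcome for inspection."""
    replies = iter(answers)
    deliver = lambda req: next(replies, False)
    buf = StopAccountingBuffer(buffering_enabled, retry_times, response_timeout)
    req = StopAccountingRequest("sess-1", "alice@isp1")   # constructed sample session
    now = 0.0
    buf.send(req, now, deliver)
    while buf.pending:                      # terminates: attempts are capped by retry_times
        now += response_timeout
        buf.retransmit_due(now, deliver)
    return {"attempts": req.attempts, "acknowledged": buf.acknowledged,
            "discarded": buf.discarded, "elapsed": now}
```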

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

1.3.19  timer quiet (HWTACACS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

Related commands: display hwtacacs.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

1.3.20  timer realtime-accounting (HWTACACS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes. It is a multiple of 3 in the range 3 to 60 and defaults to 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

•           For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command sets that interval.

•           The appropriate real-time accounting interval depends on the performance of the NAS and the HWTACACS server: a shorter interval requires higher performance. It is therefore recommended to adopt a longer interval when there is a large number of users (1000 or more). The following table lists the recommended intervals for different numbers of users.

Table 1-5 Recommended ratios of the accounting interval to the number of users

Number of users      Real-time accounting interval (minutes)
1 to 99              3
100 to 499           6
500 to 999           12
1000 or more         15 or more

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

1.3.21  timer response-timeout (HWTACACS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS scheme view

Default Level

2: System level

Parameters

seconds: HWTACACS server response timeout period in seconds. It ranges from 1 to 300 and defaults to 5.

Description

Use the timer response-timeout command to set the HWTACACS server response timeout timer.

Use the undo timer response-timeout command to restore the default.

Because HWTACACS runs over TCP, expiry of either the server response timeout timer or the TCP timeout timer disconnects the device from the HWTACACS server.

Related commands: display hwtacacs.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

1.3.22  user-name-format (HWTACACS scheme view)

Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS scheme view

Default Level

2: System level

Parameters

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a HWTACACS server.

By default, the ISP domain name is included in the username.

Note that:

•           A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which the user belongs. Some earlier HWTACACS servers, however, cannot recognize a username that includes an ISP domain name. Before sending such a username to one of these servers, the device must remove the domain name. This command lets you decide whether the username sent to an HWTACACS server includes the domain name.

•           If an HWTACACS scheme specifies that the username is sent without the ISP domain name, do not apply that scheme to more than one ISP domain. Otherwise the HWTACACS server cannot distinguish two users in different ISP domains who share the same userid and treats them as one user.
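The two notes above, as an added illustration (not H3C code): how the NAS rewrites userid@isp-name under each user-name-format setting, and how a without-domain scheme shared by several ISP domains makes distinct users collide on the server. The sample user list is constructed.

```python
def split_username(username):
    """Split 'userid@isp-name' into (userid, isp-name); isp-name is None when absent.
    The last '@' is taken as the separator, so a userid may itself contain '@'."""
    userid, sep, isp = username.rpartition("@")
    if not sep:
        return username, None
    return userid, isp


def format_for_server(username, with_domain):
    """Return the username as the device sends it to the HWTACACS server:
    unchanged for with-domain, stripped of '@isp-name' for without-domain."""
    userid, isp = split_username(username)
    if with_domain or isp is None:
        return username
    return userid


def find_collisions(usernames, with_domain):
    """Map each server-side name to the device-side users that produce it.
    A server-side name backed by more than one device-side user is a collision:
    the server would account and authorize them as a single user."""
    seen = {}
    for u in usernames:
        seen.setdefault(format_for_server(u, with_domain), set()).add(u)
    return {srv: sorted(users) for srv, users in seen.items() if len(users) > 1}


# Constructed sample: one HWTACACS scheme applied to ISP domains isp1 and isp2.
USERS = ["alice@isp1", "alice@isp2", "bob@isp1", "carol"]

if __name__ == "__main__":
    print(find_collisions(USERS, with_domain=True))    # no collisions
    print(find_collisions(USERS, with_domain=False))   # alice@isp1 and alice@isp2 merge
```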

Related commands: hwtacacs scheme.

Examples

# Specify the device to exclude the ISP domain name from the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain
