H3C S3100-52P Command Manual-Release 1602(V1.01)

18-AAA Command

Table of Contents

Chapter 1 AAA Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
1.1.2 accounting
1.1.3 accounting optional
1.1.4 attribute
1.1.5 authentication
1.1.6 authentication super
1.1.7 authorization
1.1.8 authorization vlan
1.1.9 cut connection
1.1.10 display connection
1.1.11 display domain
1.1.12 display local-user
1.1.13 domain
1.1.14 domain delimiter
1.1.15 idle-cut
1.1.16 level
1.1.17 local-user
1.1.18 local-user password-display-mode
1.1.19 messenger
1.1.20 name
1.1.21 password
1.1.22 radius-scheme
1.1.23 scheme
1.1.24 self-service-url
1.1.25 service-type
1.1.26 state
1.1.27 vlan-assignment-mode
1.2 RADIUS Configuration Commands
1.2.1 accounting optional
1.2.2 accounting-on enable
1.2.3 calling-station-id mode
1.2.4 data-flow-format
1.2.5 display local-server statistics
1.2.6 display radius scheme
1.2.7 display radius statistics
1.2.8 display stop-accounting-buffer
1.2.9 key
1.2.10 local-server
1.2.11 local-server nas-ip
1.2.12 nas-ip
1.2.13 primary accounting
1.2.14 primary authentication
1.2.15 radius client
1.2.16 radius nas-ip
1.2.17 radius scheme
1.2.18 radius trap
1.2.19 reset radius statistics
1.2.20 reset stop-accounting-buffer
1.2.21 retry
1.2.22 retry realtime-accounting
1.2.23 retry stop-accounting
1.2.24 secondary accounting
1.2.25 secondary authentication
1.2.26 server-type
1.2.27 state
1.2.28 stop-accounting-buffer enable
1.2.29 timer
1.2.30 timer quiet
1.2.31 timer realtime-accounting
1.2.32 timer response-timeout
1.2.33 user-name-format
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
1.3.2 display hwtacacs
1.3.3 display stop-accounting-buffer
1.3.4 hwtacacs nas-ip
1.3.5 hwtacacs scheme
1.3.6 key
1.3.7 nas-ip
1.3.8 primary accounting
1.3.9 primary authentication
1.3.10 primary authorization
1.3.11 reset hwtacacs statistics
1.3.12 reset stop-accounting-buffer
1.3.13 retry stop-accounting
1.3.14 secondary accounting
1.3.15 secondary authentication
1.3.16 secondary authorization
1.3.17 timer quiet
1.3.18 timer realtime-accounting
1.3.19 timer response-timeout
1.3.20 user-name-format
Chapter 2 EAD Configuration Commands
2.1 EAD Configuration Commands
2.1.1 security-policy-server

 


Chapter 1  AAA Configuration Commands

 

Note:

- The maximum length of a domain name is changed from 24 characters to 128 characters. See domain.

- The configuration of ISP domain delimiter is added. See domain delimiter.

- The configuration of HWTACACS authentication scheme for user level switching is added. See authentication super.

- The configuration of the MAC address format for the Calling-Station-Id field in RADIUS packets is added. See calling-station-id mode.

 

1.1  AAA Configuration Commands

1.1.1  access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameters

disable: Specifies not to limit the number of access users that can be contained in current ISP domain.

enable max-user-number: Specifies the maximum number of access users that can be contained in current ISP domain. The max-user-number argument ranges from 1 to 2,072.

Description

Use the access-limit command to set the maximum number of access users that can be contained in current ISP domain.

Use the undo access-limit command to restore the default setting.

By default, there is no limit on the number of access users in an ISP domain.

Because access users compete for resources, limiting the number of access users in an ISP domain keeps performance reliable for the users already in the domain.

Examples

# Allow ISP domain aabbcc.net to contain at most 500 access users.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] access-limit enable 500

1.1.2  accounting

Syntax

accounting { none | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name }

undo accounting

View

ISP domain view

Parameters

none: Specifies not to perform user accounting.

radius-scheme radius-scheme-name: Specifies to use a RADIUS accounting scheme. Here, radius-scheme-name is the name of a RADIUS scheme; it is a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS accounting scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme; it is a string of up to 32 characters.

Description

Use the accounting command to configure an accounting scheme for current ISP domain.

Use the undo accounting command to cancel the accounting scheme configuration for current ISP domain.

By default, no separate accounting scheme is configured for an ISP domain.

When you use the accounting command to reference a RADIUS or HWTACACS scheme in current ISP domain, the RADIUS or HWTACACS scheme must already exist.

The accounting command takes precedence over the scheme command. If the accounting command is used in ISP domain view, the system uses the scheme referenced in the accounting command to charge the users in the domain. Otherwise, the system uses the scheme referenced in the scheme command to charge the users.

Related commands: scheme, radius scheme, hwtacacs scheme, accounting optional.

Examples

# Specify "radius" as the RADIUS accounting scheme that will be referenced by ISP domain "aabbcc.net".

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] accounting radius-scheme radius

1.1.3  accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameters

None

Description

Use the accounting optional command to open the accounting-optional switch.

Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.

By default, the system performs accounting for users unconditionally.

Note that:

- If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for an online user, it will not disconnect the user as long as the accounting optional command has been executed.

- The accounting optional command is commonly used in the cases where only authentication is needed and accounting is not needed.

- If you configure the accounting optional command in ISP domain view, it is effective to all users in the domain; if you configure it in RADIUS scheme view, it is effective to users the RADIUS scheme is used for.

Examples

# Open the accounting-optional switch for the ISP domain named aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] accounting optional

1.1.4  attribute

Syntax

attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port port-number | port port-number } }*

undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*

View

Local user view

Parameters

ip ip-address: Sets the IP address of the user.

mac mac-address: Sets the MAC address of the user. Here, mac-address is in H-H-H format.

idle-cut second: Enables the idle-cut function for the local user and sets the allowed idle time. Here, second is the allowed idle time, which ranges from 60 to 7,200 seconds.

access-limit max-user-number: Sets the maximum number of users who can access the switch with the current username. Here, max-user-number ranges from 1 to 1,024.

vlan vlan-id: Sets the VLAN attribute of the user (that is, specifies to which VLAN the user belongs). Here, vlan-id is an integer ranging from 1 to 4094.

location: Sets the port binding attribute of the user.

nas-ip ip-address: Sets the IP address of an access server, so that the user can be bound to a port on the server. Here, ip-address is in dotted decimal notation and is 127.0.0.1 by default (representing this device). When binding the user to a remote port, you must use nas-ip ip-address to specify a remote access server IP address. When binding the user to a local port, you need not use nas-ip ip-address.

port port-number: Sets the port to which you want to bind the user. Here, port-number is in the format of device ID/slot number/port number; the device ID ranges from 1 to 8, the slot number ranges from 0 to 15 (if the bound port has no slot number, just input 0 for this item) and the port number ranges from 1 to 255.

Description

Use the attribute command to set the attributes of a user whose service type is lan-access.

Use the undo attribute command to cancel attribute settings of the user.

You may use display local-user command to view the settings of the attributes.

Examples

# Create local user user1 and set the IP address attribute of user1 to 10.110.50.1, so that only a user at IP address 10.110.50.1 can authenticate with the account user1. (The password simple form used below stores the password in the configuration in clear text; see the password command.)

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

New local user added.

[Sysname-luser-user1] password simple pass1

[Sysname-luser-user1] service-type lan-access

[Sysname-luser-user1] attribute ip 10.110.50.1

1.1.5  authentication

Syntax

authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo authentication

View

ISP domain view

Parameters

radius-scheme radius-scheme-name: Specifies to use a RADIUS authentication scheme. Here, radius-scheme-name is a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS authentication scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.

local: Specifies to use local authentication scheme.

none: Specifies not to perform authentication.

Description

Use the authentication command to configure an authentication scheme for current ISP domain.

Use the undo authentication command to restore the default authentication scheme setting of current ISP domain.

By default, no separate authentication scheme is configured for an ISP domain.

Note that:

- Before you can use the authentication command to reference a RADIUS scheme in current ISP domain, the RADIUS scheme must already exist.

- If you execute the authentication radius-scheme radius-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed. The fallback is triggered by a communication failure with the server, not by the server rejecting the user.

- If you execute the authentication hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary authentication scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication is performed; otherwise, local authentication is performed.

- If you execute the authentication local command, the local scheme is used as the primary scheme. In this case, there is no secondary authentication scheme.

- If you execute the authentication none command, no authentication is performed: every user of the domain is admitted without a credential check.

- The authentication command takes precedence over the scheme command. If the authentication command is configured in an ISP domain view, the system uses the authentication scheme referenced in the command to authenticate the users in the domain; otherwise it uses the scheme referenced in the scheme command to authenticate the users.

Related commands: scheme, radius scheme, hwtacacs scheme.

Examples

# Reference the RADIUS scheme "radius1" as the authentication scheme of the ISP domain aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] authentication radius-scheme radius1

# Reference the RADIUS scheme "rd" as the authentication scheme and the local scheme as the secondary authentication scheme of the ISP domain aabbcc.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc

New Domain added.

[Sysname-isp-aabbcc] authentication radius-scheme rd local

1.1.6  authentication super

Syntax

authentication super hwtacacs-scheme hwtacacs-scheme-name

undo authentication super

View

ISP domain view

Parameters

hwtacacs-scheme-name: Name of the HWTACACS authentication scheme, a string of 1 to 32 characters.

Description

Use the authentication super command to specify a HWTACACS authentication scheme for user level switching in the current ISP domain.

Use the undo authentication super command to remove the specified HWTACACS authentication scheme.

By default, no HWTACACS authentication scheme is configured for user level switching.

When you execute the authentication super command to specify a HWTACACS authentication scheme for user level switching, the HWTACACS scheme must exist.

 

Note:

The S3100-52P Ethernet switch adopts hierarchical protection for command lines to prevent users at lower levels from using higher-level commands to configure the switch. For details about configuring a HWTACACS authentication scheme for low-to-high user level switching, refer to Switching User Level in the Command Line Interface Operation.

 

Related commands: hwtacacs scheme.

Examples

# Set the HWTACACS scheme to ht for user level switching in the current ISP domain aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] authentication super hwtacacs-scheme ht

1.1.7  authorization

Syntax

authorization { none | hwtacacs-scheme hwtacacs-scheme-name }

undo authorization

View

ISP domain view

Parameters

none: Specifies not to use any authorization scheme.

hwtacacs-scheme hwtacacs-scheme-name: Specifies to use an HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme; it is a string of up to 32 characters.

Description

Use the authorization command to configure an authorization scheme for current ISP domain.

Use the undo authorization command to restore the default authorization scheme setting of the ISP domain.

By default, no separate authorization scheme is configured for an ISP domain.

Related commands: scheme, radius scheme, hwtacacs scheme.

Examples

# Allow users in ISP domain aabbcc.net to access network services without being authorized.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] authorization none
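
As an added example (not code from the H3C manual or firmware), the following Python script audits a running-configuration dump for the settings this chapter describes: a password entered with password simple (1.1.4), authentication none or a remote scheme with no local fallback (1.1.5), and authorization none (1.1.7). It assumes the usual Comware dump layout, in which a domain or local-user line opens a stanza, its sub-commands follow indented by one space, and # lines separate stanzas; the domain names, the scheme name rd1 and the whole sample configuration are constructed.

```python
"""Audit an H3C-style running configuration for the AAA settings this
chapter warns about.  Added example, not H3C code.  Assumes the usual
Comware dump layout: 'domain <name>' or 'local-user <name>' opens a stanza,
its sub-commands follow indented by one space, '#' lines separate stanzas."""
import re

# Domain-view commands that switch a AAA function off entirely.
WEAK_DOMAIN_CMDS = {
    "authentication none": ("high", "no authentication: any user of the domain is admitted"),
    "authorization none":  ("high", "no authorization: users reach network services unauthorized"),
    "accounting none":     ("medium", "no accounting: no usage records for the domain"),
}
# 'authentication radius-scheme X' / 'hwtacacs-scheme X' with no trailing 'local'.
REMOTE_ONLY = re.compile(r"authentication (radius|hwtacacs)-scheme \S+$")

def audit_aaa_config(config_text):
    """Return findings as (severity, line_no, object, command, reason) tuples."""
    findings = []
    stanza = None                       # ("domain"|"local-user", name) while inside one
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if not line.startswith(" "):    # top-level command: (re)set the stanza
            m = re.match(r"(domain|local-user)\s+(\S+)$", line)
            stanza = (m.group(1), m.group(2)) if m else None
            continue
        if stanza is None:
            continue
        kind, name = stanza
        cmd = line.strip()
        obj = "%s %s" % (kind, name)
        if kind == "domain":
            if cmd in WEAK_DOMAIN_CMDS:
                sev, why = WEAK_DOMAIN_CMDS[cmd]
                findings.append((sev, line_no, obj, cmd, why))
            elif REMOTE_ONLY.match(cmd):
                findings.append(("info", line_no, obj, cmd,
                                 "remote scheme without 'local' fallback: logins fail while the server is unreachable"))
        elif kind == "local-user" and cmd.startswith("password simple "):
            # The secret itself is deliberately not copied into the finding.
            findings.append(("medium", line_no, obj, "password simple ...",
                             "password is stored in clear text in the configuration"))
    return findings

# Constructed sample configuration using only commands from this chapter.
SAMPLE_CONFIG = """\
#
domain default enable lab.net
#
domain lab.net
 authentication none
 authorization none
 access-limit enable 500
#
domain corp.net
 authentication radius-scheme rd1
 accounting optional
#
local-user admin
 password simple pass1
 service-type telnet
 level 3
#
local-user user1
 password cipher XXXXXXXX
 service-type lan-access
#
"""

if __name__ == "__main__":
    for sev, ln, obj, cmd, why in audit_aaa_config(SAMPLE_CONFIG):
        print("%-6s line %2d  %-18s %-32s %s" % (sev, ln, obj, cmd, why))
```

The "no local fallback" finding is reported as informational only: whether a domain should fail closed when its RADIUS or HWTACACS server is unreachable is a design decision, but it should be a deliberate one, and the script makes the choice visible.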

1.1.8  authorization vlan

Syntax

authorization vlan string

undo authorization vlan

View

Local user view

Parameters

string: Number or descriptor of the authorized VLAN for the current user, a string of 1 to 32 characters. If the string is numeric and a VLAN with that number exists, it identifies that VLAN by number. If the string is numeric but no VLAN with that number exists, or if it is not numeric, it is matched against VLAN descriptors.

Description

Use the authorization vlan command to specify an authorized VLAN for a local user. A user passing the authentication of the local RADIUS server can access network resources in the authorized VLAN.

Use the undo authorization vlan command to remove the configuration.

By default, no authorized VLAN is specified for a local user.

 

Note:

For local RADIUS authentication to take effect, the VLAN assignment mode must be set to string after you specify authorized VLANs for local users.

 

Examples

# Specify the authorized VLAN for local user 00-14-22-2C-AA-69 as VLAN 2.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user 00-14-22-2C-AA-69

[Sysname-luser-00-14-22-2C-AA-69] authorization vlan 2

1.1.9  cut connection

Syntax

cut connection { all | access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name }

View

System view

Parameters

all: Cuts down all user connections.

access-type { dot1x | mac-authentication }: Cuts down user connections of a specified access type. dot1x is used to cut down all 802.1x user connections, and mac-authentication is used to cut down all MAC authentication user connections.

domain isp-name: Cuts down all user connections in a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.

interface interface-type interface-number: Cuts down all user connections under a specified port. Here, interface-type is a port type and interface-number is a port number.

ip ip-address: Cuts down all user connections with a specified IP address.

mac mac-address: Cuts down the user connection with a specified MAC address. Here, mac-address is in H-H-H format.

radius-scheme radius-scheme-name: Cuts down all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.

vlan vlan-id: Cuts down all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.

ucibindex ucib-index: Cuts down the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071.

user-name user-name: Cuts down the connection of a specified user. Here, user-name is a string of up to 184 characters.

Description

Use the cut connection command to forcibly cut down one user connection, one type of user connections, or all user connections.

This command cannot cut down the connections of Telnet and FTP users.

Related commands: display connection.

Examples

# Cut down all user connections under the ISP domain aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] cut connection domain aabbcc.net

1.1.10  display connection

Syntax

display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]

View

Any view

Parameters

access-type { dot1x | mac-authentication }: Displays user connections of a specified access type. Here, dot1x is used to display all 802.1x user connections, and mac-authentication is used to display all MAC authentication user connections.

domain isp-name: Displays all user connections under a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.

interface interface-type interface-number: Displays all user connections on a specified port.

ip ip-address: Displays all user connections with a specified IP address.

mac mac-address: Displays the user connection with a specified MAC address. Here, mac-address is in hexadecimal format (in the form of H-H-H).

radius-scheme radius-scheme-name: Displays all user connections using a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Displays all user connections using a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.

vlan vlan-id: Displays all user connections of a specified VLAN. Here, vlan-id ranges from 1 to 4094.

ucibindex ucib-index: Displays the user connection with a specified connection index. Here, ucib-index ranges from 0 to 2071.

user-name user-name: Displays the connection of a specified user. Here, user-name is a character string in the format of pure-username@domain-name. The pure-username cannot be longer than 55 characters, the domain-name cannot be longer than 128 characters, and the entire user-name cannot be longer than 184 characters.

Description

Use the display connection command to display information about specified or all user connections.

If you execute this command without specifying any parameter, all user connections will be displayed.

This command cannot display information about the connections of FTP users.

Related commands: cut connection.

Examples

# Display information about all user connections.

<Sysname> display connection

------------------unit 1------------------------

Index=40 , Username=user1@domain1

MAC=000f-3d80-4ce5  , IP=0.0.0.0

 On Unit 1: Total 1 connections matched, 1 listed.

 

# Display information about the user connection with index 0.

[Sysname] display connection ucibindex 0

Index=0   , Username=user1@system

MAC=000f-3d80-4ce5   , IP=192.168.0.3

Access=8021X   ,Auth=CHAP    ,Port=Ether   ,Port NO=0x10003001              

Initial VLAN=1, Authorization VLAN=1

ACL Group=Disable

CAR=Disable

Priority=Disable

Start=2000-04-03 02:51:53 ,Current=2000-04-03 02:52:22 ,Online=00h00m29s

 On Unit 1:Total 1 connections matched, 1 listed.

 Total 1 connections matched, 1 listed.  

Here, Port NO=0x10003001 means (by the binary bits):

Table 1-1 Description of the Port NO field

Bits       Field
31 to 28   UNIT ID
27 to 24   Slot number
23 to 20   Sub-slot number
19 to 12   Port number
11 to 0    VLAN ID

For 0x10003001 this gives unit 1, slot 0, sub-slot 0, port 3 and VLAN 1, which matches the Initial VLAN shown in the same record.

 

1.1.11  display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameters

isp-name: Name of an ISP domain, a string of up to 128 characters. This must be the name of an existing ISP domain.

Description

Use the display domain command to display configuration information about one specific or all ISP domains.

Related commands: access-limit, domain, scheme, state.

Examples

# Display configuration information about all ISP domains.

<Sysname> display domain

0  Domain = system

   State = Active

   Scheme = LOCAL

   Access-limit = 512

   Vlan-assignment-mode = Integer

   Domain User Template:

   Idle-cut = Enable Time = 60(min) Flow = 200(byte)

   Self-service URL = http://aabbcc.net

   Messenger Time Maxlimit = 30(min) span = 10(min)

 

Default Domain Name: system

Total 1 domain(s).1 listed. 

Table 1-2 Description on the fields of the display domain command

Field                  Description
Domain                 Domain name
State                  Status of the domain, which can be active or block
Scheme                 AAA scheme that the domain uses
Access-Limit           Maximum number of local user connections in the domain
Vlan-assignment-mode   VLAN assignment mode, which can be Integer or String
Domain User Template   Domain user template settings, that is, attribute settings for all users in the domain
Idle-Cut               Status of the idle-cut function
Self-service URL       Self-service URL for password changing
Messenger Time         Settings of the messenger time service, which reminds online users of their remaining online time. The setting in this example indicates that the system starts to remind an online user (at an interval of 10 minutes) when the remaining online time is 30 minutes.
Default Domain Name    Default ISP domain of the system

 

1.1.12  display local-user

Syntax

display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name ]

View

Any view

Parameters

domain isp-name: Displays all local users belonging to a specified ISP domain. Here, isp-name is the name of an ISP domain, a string of up to 128 characters. You can only specify an existing ISP domain.

idle-cut { disable | enable }: Displays the local users for whom the idle-cut function is disabled (disable) or enabled (enable).

vlan vlan-id: Displays the local users belonging to a specified VLAN. Here, vlan-id ranges from 1 to 4094.

service-type: Displays the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally, this type of users are Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (this type of user is a terminal user who logs into the switch through the Console port).

state { active | block }: Displays the local users in a specified state. Here active represents the users allowed to request network services, and block represents the users inhibited from requesting network services.

user-name user-name: Displays the local user with a specified username. Here, user-name is a string of up to 184 characters.

Description

Use the display local-user command to display information about specified or all local users.

Related commands: local-user.

Examples

# Display information about all local users.

<Sysname> display local-user

0  The contents of local user test:

   State:                    Active           ServiceType Mask: L

   Idle-cut:                 Enable           Idle TimeOut: 3600 seconds

   Access-limit:             Enable           Current AccessNum: 1

   Max AccessNum:            1024

   Bind location:            127.0.0.1/1/0/2 (NAS/UNITID/SUBSLOT/PORT)

   Vlan ID:                  1

   Authorization VLAN:       2

   IP address:               192.168.0.108

   MAC address:              000d-88f6-44c1

Total 1 local user(s) Matched, 1 listed.

ServiceType Mask Meaning: C--Terminal  F--FTP  L--LanAccess  S--SSH  T--Telnet

Table 1-3 describes the fields in the above display output.

Table 1-3 Description on the fields of the display local-user command

Field               Description
State               Status of the local user
ServiceType Mask    Service type mask: T means Telnet service, S means SSH service, C means terminal (Console) service, L means lan-access service, F means FTP service, None means no defined service.
Idle-cut            Status of the idle-cut function
Access-limit        Limit on the number of access users
Current AccessNum   Number of current access users
Bind location       Whether or not bound to a port
Vlan ID             VLAN of the user
Authorization VLAN  Authorized VLAN of the user
IP address          IP address of the user
MAC address         MAC address of the user

 

1.1.13  domain

Syntax

domain { isp-name | default { disable | enable isp-name } }

undo domain isp-name

View

System view

Parameters

isp-name: Name of an ISP domain, a string of up to 128 characters. This string cannot contain the following characters: /\:*?<>|. If the domain name includes one or more “~” characters and the last “~” is followed by numerals, it must be followed by at least five numerals to avoid confusion. This is because any domain name longer than 16 characters will appear in the form of “system prompt-the first 15 characters of the domain name~4-digit index” in the view prompt to avoid word wrap.

default: Manually changes the default ISP domain, which is "system" by default. There is one and only one default ISP domain.

disable: Disables the configured default ISP domain.

enable: Enables the configured default ISP domain.

Description

Use the domain command to create an ISP domain and enter its view, or enter the view of an existing ISP domain, or configure the default ISP domain.

Use the undo domain command to delete a specified ISP domain.

The ISP domain "system" is used as the default ISP domain before you manually configure the default ISP domain, and you can use the display domain command to check the settings of the default ISP domain "system".

After you execute the domain command, the system creates a new ISP domain if the specified ISP domain does not exist. Once an ISP domain is created, it is in the active state. You can manually specify an ISP domain as the default domain only when the specified domain already exists.

Related commands: access-limit, scheme, state, display domain.

Examples

# Create a new ISP domain named aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net]

# Create a new ISP domain named 01234567891234567 (note that it will appear as 012345678912345~0001 in the view prompt).

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname]domain 01234567891234567

New Domain added.

[Sysname-isp-012345678912345~0001]

1.1.14  domain delimiter

Syntax

domain delimiter { at | dot }

undo domain delimiter

View

System view

Parameters

at: Specifies “@” as the delimiter between the username and the ISP domain name.

dot: Specifies “.” as the delimiter between the username and the ISP domain name.

Description

Use the domain delimiter command to specify the delimiter form between the username and the ISP domain name.

Use the undo domain delimiter command to restore the delimiter form to the default setting.

By default, the“@” character is used as the delimiter between the username and the ISP domain name.

 

Note:

- If you have configured to use "." as the delimiter, for a username that contains multiple ".", the first "." will be used as the domain delimiter.

- If you have configured to use "@" as the delimiter, the "@" must not appear more than once in the username. If "." is the delimiter, the username must not contain any "@".

 

Related commands: domain.

Examples

# Specify “.” as the delimiter between the username and the ISP domain name.

<Sysname> system-view

Enter system view, return to user view with Ctrl+Z.

[Sysname] domain delimiter dot
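
The following Python function is an added example, not H3C code: it splits a username into its pure username and ISP domain under the delimiter rules of this section, and applies the length and character limits that local-user (1.1.17) places on a username. The forbidden character set and the limits (55, 128 and 184 characters) are taken from 1.1.17; the default domain name system comes from display domain. Rejecting an empty domain after the delimiter is an assumption of this example.

```python
"""Split an AAA username into pure username and ISP domain under the
'domain delimiter' rules, with the length limits of local-user (1.1.17).
Added example, not H3C code."""

FORBIDDEN = set("/:*?<>")                # characters a local username may not contain
MAX_PURE, MAX_DOMAIN, MAX_TOTAL = 55, 128, 184
DEFAULT_DOMAIN = "system"                # the switch's default ISP domain

def split_username(user_name, delimiter="at"):
    """Return (pure_username, domain).  A name with no delimiter belongs to
    the default ISP domain, as on the switch."""
    if not user_name or len(user_name) > MAX_TOTAL:
        raise ValueError("username must be 1 to %d characters" % MAX_TOTAL)
    bad = FORBIDDEN & set(user_name)
    if bad:
        raise ValueError("username contains forbidden characters: %s" % "".join(sorted(bad)))
    if delimiter == "at":
        if user_name.count("@") > 1:
            raise ValueError("'@' may appear at most once with the 'at' delimiter")
        pure, sep, domain = user_name.partition("@")
    elif delimiter == "dot":
        if "@" in user_name:
            raise ValueError("'@' is not allowed with the 'dot' delimiter")
        # With 'dot', the FIRST '.' is the delimiter; the rest is the domain.
        pure, sep, domain = user_name.partition(".")
    else:
        raise ValueError("delimiter must be 'at' or 'dot'")
    if not pure or len(pure) > MAX_PURE:
        raise ValueError("pure username must be 1 to %d characters" % MAX_PURE)
    # Assumption of this example: an empty domain after the delimiter is rejected.
    if sep and (not domain or len(domain) > MAX_DOMAIN):
        raise ValueError("domain name must be 1 to %d characters" % MAX_DOMAIN)
    return pure, (domain if sep else DEFAULT_DOMAIN)

if __name__ == "__main__":
    print(split_username("user1@aabbcc.net"))
    print(split_username("bob.smith.corp", delimiter="dot"))
```

The "dot" case shows the practical consequence of the first-dot rule: a login name such as bob.smith.corp is authenticated as user bob in domain smith.corp, so a user naming convention that contains dots must not be combined with domain delimiter dot unless that routing is intended.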

1.1.15  idle-cut

Syntax

idle-cut { disable | enable minute flow }

View

ISP domain view

Parameters

disable: Disables the idle-cut function for the domain.

enable: Enables the idle-cut function for the domain.

minute: Maximum idle time in minutes, ranging from 1 to 120.

flow: Minimum traffic in bytes, ranging from 1 to 10,240,000.

Description

Use the idle-cut command to set the user idle-cut function in current ISP domain. If a user’s traffic in the specified period of time is less than the specified amount, the system will disconnect the user.

By default, this function is disabled.

Note that if the authentication server assigns the idle-cut settings, the assigned ones take precedence over the settings configured here.

Related commands: domain.

Examples

# Enable the idle-cut function for ISP domain aabbcc.net, setting the maximum idle time to 50 minutes and the minimum traffic to 500 bytes. After this configuration, if a user in the domain has no traffic or has less than 500 bytes of traffic within 50 minutes, the system will tear down the user’s connection.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] idle-cut enable 50 500

1.1.16  level

Syntax

level level

undo level

View

Local user view

Parameters

level: Privilege level to be set for the user. It is an integer ranging from 0 to 3.

Description

Use the level command to set the privilege level of the user. The privilege level of the user corresponds to the command level of the user. For detailed information, refer to the description of the command-privilege level command in the command line interface part.

Use the undo level command to restore the default privilege level of the user.

The default privilege level is 0.

Note that:

l           If the configured authentication method is none or password authentication, the command level that a user can access after login is determined by the level of the user interface.

l           If the configured authentication method requires a username and a password, the command level that a user can access after login is determined by the privilege level of the user. For SSH users using RSA public key authentication, the commands they can access are determined by the levels set on their user interfaces.

Related commands: local-user.

Examples

# Set the level of user1 to 3.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

New local user added.

[Sysname-luser-user1] level 3

1.1.17  local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }

View

System view

Parameters

user-name: Local username, a string of up to 184 characters. This string cannot contain the following characters: /:*?<>. It can contain no more than one @ character. The pure username (user ID, that is, the part before @) cannot be longer than 55 characters, and the domain name (the part after @) cannot be longer than 128 characters. If the username includes one or more "~" characters and the last "~" is followed by numerals, it must be followed by at least five numerals to avoid confusion. This is because any username longer than 16 characters appears in the view prompt in the form "system prompt-the first 15 characters of the username~4-digit index" to avoid word wrap.

all: Specifies all local users.

service-type: Specifies the local users of a specified type. You can specify one of the following user types: ftp, lan-access (generally Ethernet access users, for example, 802.1x users), ssh, telnet, and terminal (terminal users who log into the switch through the Console port).

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to delete one or more local users of the specified type.

By default, there is no local user in the system.

Related commands: display local-user, service-type.

Examples

# Add a local user named user1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

New local user added.

[Sysname-luser-user1]

# Add a local user named 01234567891234567 (note that it will appear as 012345678912345~0000 in the view prompt).

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user 01234567891234567

New local user added.

[Sysname-luser-012345678912345~0000]
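The username rules above (length, forbidden characters, at most one "@", the 55/128-character split, the "~" rule) and the shortened prompt form are easy to get wrong when provisioning accounts from a script. The following is an added example, not H3C code, that checks a candidate name against those rules and renders the prompt the way the two examples above show it. The manual does not say how the 4-digit index after "~" is chosen, so the caller supplies it (0 in the page's example).

```python
import re
from typing import Tuple

# Characters the page forbids in a local username.
FORBIDDEN_CHARS = set("/:*?<>")


def validate_local_username(name: str) -> Tuple[bool, str]:
    """Check a name against the rules given for the local-user user-name argument.

    Returns (accepted, reason); the reason names the first rule that fails.
    """
    if not 1 <= len(name) <= 184:
        return False, "length must be 1 to 184 characters"
    bad = FORBIDDEN_CHARS & set(name)
    if bad:
        return False, "forbidden character(s): " + "".join(sorted(bad))
    if name.count("@") > 1:
        return False, "at most one @ is allowed"
    user_id, _, domain = name.partition("@")
    if len(user_id) > 55:
        return False, "user ID (part before @) longer than 55 characters"
    if len(domain) > 128:
        return False, "domain name (part after @) longer than 128 characters"
    # Digits directly after the last "~" must number at least five, so the name
    # cannot be mistaken for the prompt form "<first 15 characters>~<4-digit index>".
    if "~" in name:
        digits = re.match(r"\d*", name.rsplit("~", 1)[1]).group(0)
        if 0 < len(digits) < 5:
            return False, "digits after the last ~ must be at least five"
    return True, "ok"


def prompt_name(name: str, index: int) -> str:
    """Name as shown in the local user view prompt.

    Names longer than 16 characters are shown as the first 15 characters plus "~"
    and a 4-digit index. The index is an assumption supplied by the caller.
    """
    if len(name) > 16:
        return f"{name[:15]}~{index:04d}"
    return name


def local_user_prompt(sysname: str, name: str, index: int = 0) -> str:
    """Full local user view prompt, e.g. [Sysname-luser-user1]."""
    return f"[{sysname}-luser-{prompt_name(name, index)}]"


if __name__ == "__main__":
    for candidate in ("user1", "user:1", "a@b@c", "user~12", "01234567891234567"):
        ok, reason = validate_local_username(candidate)
        print(f"{candidate!r}: {reason}; prompt {local_user_prompt('Sysname', candidate)}")
```

Running the checker before `local-user` is issued keeps a provisioning script from creating names whose prompt is ambiguous or that the switch would reject.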

1.1.18  local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameters

cipher-force: Adopts the forcible cipher mode so that all local users' passwords are displayed in cipher text.

auto: Adopts the automatic mode so that each local user's password is displayed in the mode set for that user by the password command.

Description

Use the local-user password-display-mode command to set the password display mode of all local users.

Use the undo local-user password-display-mode command to restore the default password display mode of all local users.

By default, the password display mode of all access users is auto.

If the cipher-force mode is adopted, all passwords are displayed in cipher text even if you have specified that some users' passwords be displayed in plain text by using the password command with the simple keyword.

Related commands: display local-user, password.

Examples

# Specify to display all local user passwords in cipher text in whatever cases.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user password-display-mode cipher-force

1.1.19  messenger

Syntax

messenger time { enable limit interval | disable }

undo messenger time

View

ISP domain view

Parameters

limit: Time limit in minutes, ranging from 1 to 60. The switch will send prompt messages at regular intervals to users whose remaining online time is less than this limit.

interval: Interval to send prompt messages (in minutes). This argument ranges from 5 to 60 and must be a multiple of 5.

Description

Use the messenger time enable command to enable the messenger function and set the related parameters.

Use the messenger time disable command to disable the messenger function.

Use the undo messenger time command to restore the messenger function to its default state.

By default, the messenger function is disabled on the switch.

The purpose of this function is to remind online users of their remaining online time through a message dialog box on their clients.

Examples

# Enable the switch to send prompt messages at intervals of 5 minutes to the users in the ISP domain "system" after their remaining online time is less than 30 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] messenger time enable 30 5

1.1.20  name

Syntax

name string

undo name

View

VLAN view

Parameters

string: Assigned VLAN name, a string of up to 32 characters.

Description

Use the name command to set a VLAN name, which will be used for VLAN assignment.

Use the undo name command to cancel the VLAN name.

By default, a VLAN uses its VLAN ID (like VLAN 0001) as its assigned VLAN name.

This command is used in conjunction with the dynamic VLAN assignment function. For details about dynamic VLAN assignment, refer to the vlan-assignment-mode command.

Related commands: vlan-assignment-mode.

Examples

# Set the name of VLAN 100 to test.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] vlan 100

[Sysname-vlan100] name test

1.1.21  password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameters

simple: Specifies the password in plain text.

cipher: Specifies the password in cipher text.

password: Password to be set:

l           For simple mode, the password you input must be a plain-text password.

l           For cipher mode, the password can be either a cipher-text password or a plain-text password, and what it is depends on your input.

A password in plain text can be a string of up to 63 consecutive characters, for example, aabbcc. A password in cipher text can be a string of 24 or 88 characters, for example, (TT8F]Y\5SQ=^Q`MAF4<1!!.

Description

Use the password command to set a password for the local user.

Use the undo password command to cancel the password of the local user.

Note that:

l           With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.

l           With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.

Related commands: display local-user.

Examples

# Set the password of user1 to 20030422 and specify to display the password in plain text.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

New local user added.

[Sysname-luser-user1] password simple 20030422

1.1.22  radius-scheme

Syntax

radius-scheme radius-scheme-name

View

ISP domain view

Parameters

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

Description

Use the radius-scheme command to configure a RADIUS scheme for the current ISP domain.

After an ISP domain is initially created, it uses the local AAA scheme instead of any RADIUS scheme by default.

The RADIUS scheme you specify in the radius-scheme command must already exist. This command is equivalent to the scheme radius-scheme command.

Related commands: radius scheme, scheme, display radius scheme.

Examples

# Configure the ISP domain "aabbcc.net" to use the RADIUS scheme "extended".

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] radius-scheme extended

1.1.23  scheme

Syntax

scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] }

undo scheme [ none | radius-scheme | hwtacacs-scheme ]

View

ISP domain view

Parameters

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

hwtacacs-scheme-name: Name of a HWTACACS scheme, a string of up to 32 characters.

local: Specifies to use local authentication.

none: Specifies not to perform authentication.

Description

Use the scheme command to configure an AAA scheme for the current ISP domain.

Use the undo scheme command to restore the default AAA scheme configuration for the ISP domain.

By default, the ISP domain uses the local AAA scheme.

Note that:

l           When you execute the scheme command to reference a RADIUS scheme in the current ISP domain, the referenced RADIUS scheme must already exist.

l           If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available. That is, if the communication between the switch and a RADIUS server is normal, no local authentication is performed; otherwise, local authentication is performed.

l           If you execute the scheme hwtacacs-scheme hwtacacs-scheme-name local command, the local scheme is used as the secondary scheme in case no TACACS server is available. That is, if the communication between the switch and a TACACS server is normal, no local authentication is performed; if the TACACS server is not reachable or there is a key error or NAS IP error, local authentication is performed.

l           If you execute the scheme local or scheme none command to use local or none as the primary scheme, the local authentication is performed or no authentication is performed. In this case, no secondary scheme can be specified and therefore no scheme switching will occur.

l           Both the radius-scheme command and the scheme command can be used to specify the RADIUS scheme referenced by the ISP domain. Their functions are the same, and the system takes the latest configuration.

Related commands: radius scheme, display domain.

Examples

# Configure the ISP domain aabbcc.net to use RADIUS scheme radius1 as the primary AAA scheme and use the local scheme as the secondary authentication scheme.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] scheme radius-scheme radius1 local

1.1.24  self-service-url

Syntax

self-service-url { disable | enable url-string }

undo self-service-url

View

ISP domain view

Parameters

url-string: URL of the web page used to modify the user password on the self-service server. It is a string of 1 to 64 characters. This string cannot contain any question mark "?". If the actual URL of the self-service server contains a question mark, replace it with a vertical bar "|".

Description

Use the self-service-url enable command to enable the self-service server location function.

Use the self-service-url disable command to disable the self-service server location function.

Use the undo self-service-url command to restore the default state of this function.

By default, this function is disabled.

Note that:

l           This command must be used with the cooperation of a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.

l           After this command is executed on the switch, a user can locate the self-service server as follows: the user chooses [change user password] on the 802.1x client, and the client opens the default browser (for example, IE or Netscape) at the URL of the page used to change the user password on the self-service server. The user can then change the password.

l           A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is in grey and is unavailable.

Examples

# Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

1.1.25  service-type

Syntax

service-type { ftp | lan-access | { telnet | ssh | terminal }* [ level level ] }

undo service-type { ftp | lan-access | { telnet | ssh | terminal }* }

View

Local user view

Parameters

ftp: Specifies that this is an FTP user.

lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, 802.1x user).

telnet: Authorizes the user to access the Telnet service.

ssh: Authorizes the user to access the SSH service.

terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).

level level: Specifies the level of the Telnet, terminal or SSH user. Here, level is an integer ranging from 0 to 3 and defaulting to 0.

Description

Use the service-type command to authorize a user to access one or more types of services.

Use the undo service-type command to inhibit a user from accessing specified types of services.

By default, a user is inhibited from accessing any type of service.

You may use the display local-user command to view the types of services that a user is authorized to access.

Examples

# Authorize user1 to access the Telnet service.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

New local user added.

[Sysname-luser-user1] service-type telnet

1.1.26  state

Syntax

state { active | block }

View

ISP domain view, local user view

Parameters

active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in current ISP domain or current local user to access the network.

block: Blocks the current ISP domain (in ISP domain view) or local user (in local user view), to inhibit users in current ISP domain or current local user from accessing the network.

Description

Use the state command to set the status of current ISP domain (in ISP domain view) or current local user (in local user view).

By default, an ISP domain/local user is in the active state once it is created.

After an ISP domain is set to the block state, except for online users, users in this domain are inhibited from accessing the network.

After a local user is set to the block state, the user is inhibited from accessing the network unless the user is already online.

Related commands: domain, local-user.

You may use the display domain command or the display local-user command to view the status information.

Examples

# Set the ISP domain aabbcc.net to the block state, so that all its offline users cannot access the network.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] state block

# Set user1 to the block state.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

[Sysname-luser-user1] state block

1.1.27  vlan-assignment-mode

Syntax

vlan-assignment-mode { integer | string }

View

ISP domain view

Parameters

integer: Sets the VLAN assignment mode to integer.

string: Sets the VLAN assignment mode to string.

Description

Use the vlan-assignment-mode command to set the VLAN assignment mode (integer or string) on the switch.

By default, the VLAN assignment mode is integer, that is, the switch supports its RADIUS authentication server to assign integer VLAN IDs.

The dynamic VLAN assignment feature enables a switch to dynamically add the ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access.

In actual applications, to use this feature together with Guest VLAN, it is recommended to set port control to port-based mode.

Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.

l           Integer: If the RADIUS authentication server assigns integer type of VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such a VLAN exists, the switch first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.

l           String: If the RADIUS authentication server assigns string type of VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails the authentication.

The switch supports two dynamic VLAN assignment modes to adapt to different authentication servers. It is recommended to configure the switch according to the dynamic VLAN assignment mode used by the server.

Table 1-4 lists several commonly used RADIUS servers and their dynamic VLAN assignment modes.

Table 1-4 Commonly used servers and their dynamic VLAN assignment modes

Server                              Dynamic VLAN assignment mode
CAMS                                Integer (for the latest CAMS version, you can determine the assignment mode by attribute value)
ACS                                 String
FreeRADIUS                          Determined by attribute value (for example, 100 is integer; "100" is string)
Shiva Access Manager                String
Steel-Belted Radius Administrator   String

 

Note:

In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the value as the VLAN ID (VLAN 1024, for example).
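The two assignment modes and the digits-only special case above decide whether an authenticated port lands in the intended VLAN or the user is rejected, so they are worth checking against the attribute values a server actually sends. The following is an added example, not H3C code, that models the rules described for the vlan-assignment-mode command on a constructed VLAN table. It assumes the standard 802.1Q range 1 to 4094 for "valid VLAN ID range" and assumes that a digits-only string in string mode creates a missing VLAN the same way integer mode does; the manual states neither.

```python
from typing import Dict, Optional, Union

# Assumed 802.1Q range; the manual only says "valid VLAN ID range".
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


def default_vlan_name(vlan_id: int) -> str:
    """Name a VLAN carries when no name command is configured (page: "VLAN 0001")."""
    return f"VLAN {vlan_id:04d}"


def assign_vlan(mode: str, assigned: Union[int, str], vlans: Dict[int, str]) -> Optional[int]:
    """Resolve the VLAN an authenticated port joins from the RADIUS-assigned value.

    mode     -- "integer" or "string", as set by vlan-assignment-mode
    assigned -- the value carried by the server attribute (int or str)
    vlans    -- existing VLANs, VLAN ID -> VLAN name; integer mode may add to it
    Returns the VLAN ID, or None when assignment fails (and with it the authentication).
    """
    if mode == "integer":
        # Integer mode: the value is used as a VLAN ID; a missing VLAN is created first.
        if not isinstance(assigned, int):
            return None  # assumption: a non-integer attribute cannot be used in integer mode
        if not VLAN_ID_MIN <= assigned <= VLAN_ID_MAX:
            return None
        vlans.setdefault(assigned, default_vlan_name(assigned))
        return assigned

    if mode == "string":
        text = str(assigned)
        # Note on the page: a digits-only string is first treated as an integer VLAN ID.
        if text.isdigit() and VLAN_ID_MIN <= int(text) <= VLAN_ID_MAX:
            vlan_id = int(text)
            vlans.setdefault(vlan_id, default_vlan_name(vlan_id))  # assumption, see lead-in
            return vlan_id
        # Otherwise the value is matched against VLAN names set with the name command.
        for vlan_id, name in vlans.items():
            if name == text:
                return vlan_id
        return None  # no matching name: assignment fails and the user fails authentication

    raise ValueError(f"unknown vlan-assignment-mode {mode!r}")


if __name__ == "__main__":
    # Constructed VLAN table: VLAN 100 was named "test" with the name command.
    table = {1: default_vlan_name(1), 100: "test"}
    for mode, value in (("integer", 200), ("string", "test"), ("string", "1024"), ("string", "guest")):
        print(f"{mode:7} {value!r:8} -> {assign_vlan(mode, value, table)}")
```

The `("string", "guest")` case is the one to watch operationally: a server that hands out a name the switch does not know fails the whole authentication rather than falling back to a default VLAN, so VLAN names on the switch and the server's attribute values must be kept in step.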

 

Related commands: name.

Examples

# Set the VLAN assignment mode of the domain aabbcc.net to string.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

New Domain added.

[Sysname-isp-aabbcc.net] vlan-assignment-mode string

1.2  RADIUS Configuration Commands

1.2.1  accounting optional

Syntax

accounting optional

undo accounting optional

View

RADIUS scheme view

Parameters

None

Description

Use the accounting optional command to open the accounting-optional switch.

Use the undo accounting optional command to close the accounting-optional switch so that the system performs accounting for users unconditionally.

By default, the system performs accounting for users unconditionally.

Note that:

l           If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for an online user, it will not disconnect the user as long as the accounting optional command has been executed. This command is commonly used in the cases where only authentication is needed and accounting is not needed.

l           This configuration takes effect only on the ISP domains using this RADIUS scheme.

l           If you configure the accounting optional command in ISP domain view, it is effective to all users in the domain; if you configure it in RADIUS scheme view, it is effective to users the RADIUS scheme is used for.

Examples

# Open the accounting-optional switch in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] accounting optional

1.2.2  accounting-on enable

Syntax

accounting-on enable [ send times | interval interval ]

undo accounting-on { enable | send | interval }

View

RADIUS scheme view

Parameters

times: Maximum number of attempts to send an Accounting-On message, ranging from 1 to 256 and defaulting to 15. If the maximum number has been reached but the switch still receives no response from the CAMS, the switch stops sending Accounting-On messages.

interval: Interval to send Accounting-On messages (in seconds), ranging from 1 to 30 and defaulting to 3.

Description

Use the accounting-on enable command to enable the user re-authentication at restart function.

Use the undo accounting-on enable command to disable the user re-authentication at restart function and restore the default interval and maximum number of attempts to send Accounting-On messages.

Use the undo accounting-on send command to restore the default maximum number of attempts to send Accounting-On messages.

Use the undo accounting-on interval command to restore the default interval to send Accounting-On messages.

By default, the user re-authentication at restart function is disabled.

The purpose of this function is to solve this problem: users cannot re-log into the switch after the switch restarts because they are regarded as already online. After this function is enabled, every time the switch restarts, it sends an Accounting-On message to the RADIUS server to tell the server that it has restarted and ask the server to log out its users. The following gives the operations after the switch restarts:

1)         The switch generates an Accounting-On message, which mainly contains the following information: NAS-ID, NAS-IP-address (source IP address), and session ID. You can configure the NAS-IP-address argument manually by using the nas-ip command. When configuring the NAS-IP-address argument, be sure to specify an appropriate valid IP address. If you do not configure the NAS-IP-address argument, the switch automatically uses the IP address of a VLAN interface as the NAS-IP-address.

2)         The switch sends the Accounting-On message to the CAMS at regular intervals.

3)         Once the CAMS receives the Accounting-On message, it sends a response to the switch. At the same time it finds and deletes the original online information of the users who were accessing the network through the switch before the restart according to the information (NAS-ID, NAS-IP-address and session ID) contained in the message, and ends the accounting of the users based on the last accounting update message.

4)         Once the switch receives the response from the CAMS, it stops sending Accounting-On messages.

5)         If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting-On message, it will not send the Accounting-On message any more.

 

Note:

l      After configuring the accounting-on enable command, you need to execute the save command so that the command can take effect when the switch restarts.

l      This function requires the cooperation of the H3C CAMS system.
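The five steps above are a small retry protocol: the switch keeps sending Accounting-On at the configured interval until the server answers or the send limit is reached, and the server clears the stale online records for that NAS when it does answer. The following is an added example, not H3C or CAMS code, that simulates both sides so the effect of the send and interval settings can be seen without a switch. The accounting server, the NAS identifiers and the online records are constructed stand-ins; no real packets are sent and the interval is only counted, not slept.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccountingOn:
    """Fields the page names for the Accounting-On message."""
    nas_id: str
    nas_ip: str      # NAS-IP-address, set with nas-ip or taken from a VLAN interface
    session_id: str


class FakeAccountingServer:
    """Constructed stand-in for the CAMS: holds online records, may ignore early attempts."""

    def __init__(self, online: List[dict], answer_from_attempt: int):
        self.online = online                        # records: {"user", "nas_id", "nas_ip"}
        self.answer_from_attempt = answer_from_attempt
        self.received = 0

    def handle(self, msg: AccountingOn) -> Optional[str]:
        self.received += 1
        if self.received < self.answer_from_attempt:
            return None                             # no response to this attempt
        # Step 3: delete the online records of users who were behind this NAS
        # before its restart, identified by NAS-ID and NAS-IP-address.
        self.online = [s for s in self.online
                       if not (s["nas_id"] == msg.nas_id and s["nas_ip"] == msg.nas_ip)]
        return "response"


def send_accounting_on(server: FakeAccountingServer, msg: AccountingOn,
                       times: int = 15, interval: int = 3) -> Tuple[int, bool, int]:
    """Switch side after restart: resend every `interval` seconds, at most `times` attempts.

    Returns (attempts made, whether a response arrived, simulated seconds elapsed).
    Defaults are the page's: send 15, interval 3.
    """
    for attempt in range(1, times + 1):
        if server.handle(msg) is not None:          # step 4: response received, stop sending
            return attempt, True, (attempt - 1) * interval
    return times, False, (times - 1) * interval     # step 5: give up after `times` attempts


if __name__ == "__main__":
    # Constructed records: alice was online behind sw1, bob behind another switch.
    online = [{"user": "alice", "nas_id": "sw1", "nas_ip": "10.0.0.1"},
              {"user": "bob", "nas_id": "sw2", "nas_ip": "10.0.0.2"}]
    msg = AccountingOn("sw1", "10.0.0.1", "constructed-session-1")
    server = FakeAccountingServer(list(online), answer_from_attempt=3)
    print(send_accounting_on(server, msg), [s["user"] for s in server.online])
    silent = FakeAccountingServer(list(online), answer_from_attempt=10**6)
    print(send_accounting_on(silent, msg))
```

With the defaults the switch gives up after 15 attempts, 42 seconds after the first send; if the server is unreachable for longer than that, the stale online records stay and users behind the restarted switch are still treated as online, which is exactly the symptom the function exists to fix.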

 

Related commands: nas-ip.

Examples

# Enable the user re-authentication at restart function for the RADIUS scheme named radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable

1.2.3  calling-station-id mode

Syntax

calling-station-id mode { mode1 | mode2 } { lowercase | uppercase }

undo calling-station-id mode

View

RADIUS scheme view

Parameters

mode1: Sets the MAC address format to XXXX-XXXX-XXXX, where each X represents a hexadecimal number.

mode2: Sets the MAC address format to XX-XX-XX-XX-XX-XX.

lowercase: Uses lowercase letters in the MAC address.

uppercase: Uses uppercase letters in the MAC address.

Description

Use the calling-station-id mode command to configure the MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets.

Use the undo calling-station-id mode command to restore the default format.

By default, the MAC address format is XXXX-XXXX-XXXX, in lowercase.
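Because the Calling-Station-Id format is a per-scheme setting, the same client MAC can appear in accounting records in any of the four forms (mode1 or mode2, lowercase or uppercase). The following is an added example, not H3C code, that renders a MAC the way each setting puts it in the Calling-Station-Id (Type 31) field and reduces any of those forms back to a canonical value so records from differently configured schemes can be correlated. The sample addresses are constructed.

```python
import re


def canonical_mac(value: str) -> str:
    """Reduce a MAC in any common notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {value!r}")
    return digits.lower()


def format_calling_station_id(mac: str, mode: str = "mode1", case: str = "lowercase") -> str:
    """Render a MAC as calling-station-id mode { mode1 | mode2 } { lowercase | uppercase } would.

    mode1 -> XXXX-XXXX-XXXX, mode2 -> XX-XX-XX-XX-XX-XX; the page's default is mode1 lowercase.
    """
    digits = canonical_mac(mac)
    if case == "uppercase":
        digits = digits.upper()
    elif case != "lowercase":
        raise ValueError(f"unknown case {case!r}")
    if mode == "mode1":
        width = 4
    elif mode == "mode2":
        width = 2
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "-".join(digits[i:i + width] for i in range(0, 12, width))


def same_station(a: str, b: str) -> bool:
    """True when two Calling-Station-Id values name the same MAC, whatever their format."""
    return canonical_mac(a) == canonical_mac(b)


if __name__ == "__main__":
    sample = "00:1a:2b:3c:4d:5e"  # constructed address
    for mode in ("mode1", "mode2"):
        for case in ("lowercase", "uppercase"):
            print(mode, case, format_calling_station_id(sample, mode, case))
    print(same_station("001A-2B3C-4D5E", "00-1a-2b-3c-4d-5e"))
```

Normalising on ingest, rather than configuring every scheme identically, is the robust choice when several switches or RADIUS schemes feed the same accounting or SIEM pipeline.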

Examples

# Set the MAC address format of the Calling-Station-Id field to XX-XX-XX-XX-XX-XX, in uppercase.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme system

[Sysname-radius-system] calling-station-id mode mode2 uppercase

1.2.4  data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format

View

RADIUS scheme view

Parameters

data: Sets the data unit of outgoing RADIUS flows, which can be byte, giga-byte, kilo-byte, or mega-byte.

packet: Sets the packet unit of outgoing RADIUS flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet.

Description

Use the data-flow-format command to set the units of RADIUS data flows to RADIUS servers.

Use the undo data-flow-format command to restore the default units.

By default, the data unit and packet unit of outgoing RADIUS flows are byte and one-packet respectively.

Note that the specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly.

Related commands: display radius scheme.

Examples

# Specify to measure data and packets in data flows to RADIUS servers in kilo-bytes and kilo-packets respectively in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

1.2.5  display local-server statistics

Syntax

display local-server statistics

View

Any view

Parameters

None

Description

Use the display local-server statistics command to display the RADIUS message statistics of the local RADIUS server.

Related commands: local-server.

Examples

# Display the RADIUS message statistics of the local RADIUS server.

<Sysname> display local-server statistics

On Unit 1:  

The localserver packet statistics:

Receive:                  30         Send:                   30

Discard:                  0          Receive Packet Error:   0

Auth Receive:             10         Auth Send:               10

Acct Receive:             20         Acct Send:               20

1.2.6  display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Parameters

radius-scheme-name: Name of a RADIUS scheme, a string of up to 32 characters.

Description

Use the display radius scheme command to display configuration information about one specific RADIUS scheme or all RADIUS schemes.

Related commands: radius scheme.

Examples

# Display configuration information about all RADIUS schemes.

<Sysname> display radius scheme

------------------------------------------------------------------

SchemeName  =system                           Index=0    Type=extended

Primary Auth IP  =127.0.0.1        Port=1645

Primary Acct IP  =127.0.0.1        Port=1646

Second  Auth IP  =0.0.0.0          Port=1812

Second  Acct IP  =0.0.0.0          Port=1813

Auth Server Encryption Key= Not configured

Acct Server Encryption Key= Not configured

Accounting method = required

Accounting-On packet enable, send times = 15 , interval = 3s

TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12

Permitted send realtime PKT failed counts       =5

Retry sending times of noresponse acct-stop-PKT =500

Quiet-interval(min)                             =5

Username format                                 =without-domain

Data flow unit                                  =Byte

Packet unit                                     =1

calling_station_id format                           =XXXX-XXXX-XXXX in lowercase

unit 1 :

Primary Auth State=active,   Second Auth State=block

Primary Acc  State=active,   Second Acc  State=block


------------------------------------------------------------------

Total 1 RADIUS scheme(s). 1 listed                                                             

Table 1-5 Description on the fields of the display radius scheme command

Field                                              Description
SchemeName                                         Name of the RADIUS scheme
Index                                              Index number of the RADIUS scheme
Type                                               Type of the RADIUS servers
Primary Auth IP/Port                               IP address/port number of the primary authentication server
Primary Acct IP/Port                               IP address/port number of the primary accounting server
Second Auth IP/Port                                IP address/port number of the secondary authentication server
Second Acct IP/Port                                IP address/port number of the secondary accounting server
Auth Server Encryption Key                         Shared key for the authentication servers
Acct Server Encryption Key                         Shared key for the accounting servers
Accounting method                                  Accounting method
Accounting-On packet enable, send times = 15 ,
interval = 3s                                      The switch sends up to 15 Accounting-On messages at intervals of 3 seconds after restarting
TimeOutValue(in second)                            RADIUS server response timeout time
RetryTimes                                         Maximum number of transmission attempts of a RADIUS request
RealtimeACCT(in minute)                            Real-time accounting interval in minutes
Permitted send realtime PKT failed counts          Maximum allowed number of continuous real-time accounting failures
Retry sending times of noresponse acct-stop-PKT    Maximum number of transmission attempts of the buffered stop-accounting requests
Quiet-interval(min)                                Time that the switch must wait before it can restore the status of a primary server to active
Username format                                    Username format
Data flow unit                                     Data unit of data flow
Packet unit                                        Packet unit of data flow
calling_station_id format                          MAC address format of the Calling-Station-Id (Type 31) field in RADIUS packets
Primary Auth State                                 Status of the primary authentication server
Second Auth State                                  Status of the secondary authentication server
Primary Acc State                                  Status of the primary accounting server
Second Acc State                                   Status of the secondary accounting server


1.2.7  display radius statistics

Syntax

display radius statistics

View

Any view

Parameters

None

Description

Use the display radius statistics command to display the RADIUS message statistics.

Related commands: radius scheme.

Examples

# Display RADIUS message statistics.

<Sysname> display radius statistics

state statistic(total=2072):

     DEAD=2072     AuthProc=0        AuthSucc=0

AcctStart=0         RLTSend=0         RLTWait=0

 AcctStop=0          OnLine=0            Stop=0

 StateErr=0

 

Received and Sent packets statistic:

Unit 1........................................

Sent PKT total  :0        Received PKT total:0

RADIUS received packets statistic:

Code= 2,Num=0       ,Err=0

Code= 3,Num=0       ,Err=0

Code= 5,Num=0       ,Err=0

Code=11,Num=0       ,Err=0

 

Running statistic:

RADIUS received messages statistic:

Normal auth request             , Num=0       , Err=0       , Succ=0

EAP auth request                , Num=0       , Err=0       , Succ=0

Account request                 , Num=0       , Err=0       , Succ=0

Account off request             , Num=0       , Err=0       , Succ=0

PKT auth timeout                , Num=0       , Err=0       , Succ=0

PKT acct_timeout                , Num=0       , Err=0       , Succ=0

Realtime Account timer          , Num=0       , Err=0       , Succ=0

PKT response                    , Num=0       , Err=0       , Succ=0

EAP reauth_request              , Num=0       , Err=0       , Succ=0

PORTAL access                   , Num=0       , Err=0       , Succ=0

Update ack                      , Num=0       , Err=0       , Succ=0

PORTAL access ack               , Num=0       , Err=0       , Succ=0

Session ctrl pkt                , Num=0       , Err=0       , Succ=0

Set policy result               , Num=0       , Err=0       , Succ=0

RADIUS sent messages statistic:

Auth accept                     , Num=0

Auth reject                     , Num=0

EAP auth replying               , Num=0

Account success                 , Num=0

Account failure                 , Num=0

Cut req                         , Num=0

Set policy result               , Num=0

RecError_MSG_sum:0        SndMSG_Fail_sum :0

Timer_Err       :0        Alloc_Mem_Err   :0

State Mismatch  :0        Other_Error     :0

 

No-response-acct-stop packet =0

Discarded No-response-acct-stop packet for buffer overflow =0

1.2.8  display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Parameters

radius-scheme radius-scheme-name: Displays the buffered stop-accounting requests of a specified RADIUS scheme. Here, radius-scheme-name is a string of up to 32 characters.

session-id session-id: Displays the buffered stop-accounting requests of a specified session. Here, session-id is a string of up to 50 characters.

time-range start-time stop-time: Displays the buffered stop-accounting requests generated in a specified time range. Here, start-time is the start time of the time range, stop-time is the end time of the time range, and both are in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. The parameters here are used to display all the buffered stop-accounting requests generated from start-time to stop-time.

user-name user-name: Displays the buffered stop-accounting requests of a specified user. Here, user-name is a string of up to 184 characters.

Description

Use the display stop-accounting-buffer command to display the non-response stop-accounting requests buffered in the device.

 

Note:

• You can display the buffered stop-accounting requests of a specified RADIUS scheme, session (by session ID), or user (by username), or specify a time range to display those generated within it. The displayed information helps you diagnose and resolve RADIUS problems.

• If the switch gets no response within the specified time after sending a stop-accounting request to a RADIUS server, it buffers the request and retransmits it until the maximum number of transmission attempts (set by the retry stop-accounting command) is reached.

 

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display the buffered stop-accounting requests generated from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.

<Sysname> display stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002

Total find    0 record

1.2.9  key

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS scheme view

Parameters

accounting: Sets a shared key for RADIUS accounting messages.

authentication: Sets a shared key for RADIUS authentication/authorization messages.

string: Shared key to be set, a string of up to 16 characters.

Description

Use the key command to set a shared key for RADIUS authentication/authorization messages or accounting messages.

Use the undo key command to restore the corresponding default shared key setting.

By default, no shared key exists.

Note that:

• Both the RADIUS client and the RADIUS server use the MD5 algorithm to encrypt RADIUS messages before exchanging them with each other.

• The two parties verify the validity of the RADIUS messages received from each other by using the shared keys set on them, and can accept and respond to the messages only when both parties have the same shared key.

• The authentication/authorization shared key and the accounting shared key you set on the switch must be consistent with the shared key on the authentication/authorization server and the shared key on the accounting server, respectively.
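The shared-key check described in the note is, in RFC 2865/2866 terms, an MD5 authenticator computed over the packet and the key by each side. The following Python is an added illustration, not part of the H3C manual: it models a NAS building an Accounting-Request under the accounting key "ok" from the example below, and an accounting server checking it and answering; the user name, NAS address and MAC value are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865/2866); 2, 3, 5 and 11 are the ones counted in the
# "RADIUS received packets statistic" output of display radius statistics.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the two header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def authenticator_for(code: int, identifier: int, attributes: bytes, seed: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + seed + Attributes + Secret).
    seed is 16 zero bytes for an Accounting-Request and the request's own
    authenticator for any response, as RFC 2865/2866 prescribe."""
    length = HEADER.size + len(attributes)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length) + seed + attributes + secret).digest()


def accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """NAS side: build an Accounting-Request bound to the accounting shared key."""
    auth = authenticator_for(ACCOUNTING_REQUEST, identifier, attributes, bytes(16), secret)
    return HEADER.pack(ACCOUNTING_REQUEST, identifier, HEADER.size + len(attributes), auth) + attributes


def response_to(request: bytes, code: int, attributes: bytes, secret: bytes) -> bytes:
    """Server side: the response authenticator is computed over the request's authenticator."""
    _, identifier, _, req_auth = HEADER.unpack_from(request)
    auth = authenticator_for(code, identifier, attributes, req_auth, secret)
    return HEADER.pack(code, identifier, HEADER.size + len(attributes), auth) + attributes


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: accept an Accounting-Request only if it was built with our key."""
    if len(packet) < HEADER.size:
        return False
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = authenticator_for(code, identifier, packet[HEADER.size:], bytes(16), secret)
    return hmac.compare_digest(expected, auth)


def verify_response(packet: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a response only if it matches our outstanding request and key."""
    if len(packet) < HEADER.size:
        return False
    code, identifier, length, auth = HEADER.unpack_from(packet)
    _, req_id, _, req_auth = HEADER.unpack_from(request)
    if length != len(packet) or identifier != req_id:
        return False
    expected = authenticator_for(code, identifier, packet[HEADER.size:], req_auth, secret)
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    # Constructed sample: NAS 10.110.1.2 reports an accounting start for user
    # user0001@aabbcc.net; the MAC in Calling-Station-Id (Type 31) is made up.
    attrs = (attribute(1, b"user0001@aabbcc.net")
             + attribute(4, bytes([10, 110, 1, 2]))
             + attribute(31, b"00-e0-fc-00-00-01")
             + attribute(40, struct.pack("!I", 1)))           # Acct-Status-Type = Start
    req = accounting_request(7, attrs, b"ok")                  # key accounting ok
    print("server with key 'ok' accepts request:     ", verify_accounting_request(req, b"ok"))
    print("server with another key accepts request:  ", verify_accounting_request(req, b"other"))
    good = response_to(req, ACCOUNTING_RESPONSE, b"", b"ok")
    bad = response_to(req, ACCOUNTING_RESPONSE, b"", b"other")
    print("NAS accepts response built with 'ok':     ", verify_response(good, req, b"ok"))
    print("NAS accepts response built with other key:", verify_response(bad, req, b"ok"))
```

A key mismatch on either side shows up exactly as the manual describes: the packet is silently dropped rather than answered, so a server that "never responds" is the first symptom to check.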

Related commands: primary accounting, primary authentication, radius scheme.

Examples

# Set "hello" as the shared key for RADIUS authentication/authorization messages in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] key authentication hello

# Set "ok" as the shared key for RADIUS accounting messages in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] key accounting ok

1.2.10  local-server

Syntax

local-server enable

undo local-server

View

System view

Parameters

None

Description

Use the local-server enable command to enable the UDP ports for local RADIUS services.

Use the undo local-server command to disable the UDP ports for local RADIUS services.

By default, the UDP ports for local RADIUS services are enabled.

In addition to functioning as a RADIUS client to provide remote RADIUS authentication, authorization, and accounting services, the switch can act as a local RADIUS server to provide simple RADIUS server functions locally. For the switch to act as a local server, you need to use this command to enable the service ports. The UDP port for local RADIUS authentication/authorization service is 1645, and that for local RADIUS accounting service is 1646.

Related commands: radius scheme, state, local-server nas-ip.

Examples

# Enable UDP ports for local RADIUS services.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-server enable

1.2.11  local-server nas-ip

Syntax

local-server nas-ip ip-address key password

undo local-server nas-ip ip-address

View

System view

Parameters

nas-ip ip-address: Specifies the IP address of a network access server (NAS) that can use the local RADIUS services. Here, ip-address is in dotted decimal notation.

key password: Sets the shared key between the local RADIUS server and the NAS. Here, password is a string of up to 16 characters.

Description

Use the local-server nas-ip command to set the related parameters of the local RADIUS server.

Use the undo local-server nas-ip command to cancel a specified NAS setting for the local RADIUS server.

By default, the local RADIUS server is enabled and allows access from NAS 127.0.0.1. That is, the local device serves as both a RADIUS server and a network access server, and all authentications are performed locally. The default shared key is null.

Note that:

• The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.

• The switch supports the IP addresses and shared keys of at most 16 network access servers (including the local device); that is, when the switch serves as a RADIUS server, it can provide authentication service to at most 16 NASs simultaneously.

• When serving as a local RADIUS server, the switch does not support EAP authentication.

Related commands: radius scheme, state, local-server enable.

Examples

# Allow the local RADIUS server to provide services to NAS 10.110.1.2 with shared key aabbcc.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

1.2.12  nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS scheme view

Parameters

ip-address: Source IP address for RADIUS messages, an IP address of this device. This address can neither be the all 0's address nor be a Class-D address.

Description

Use the nas-ip command to set the source IP address of outgoing RADIUS messages.

Use the undo nas-ip command to remove the source IP address setting.

By default, the IP address of the outbound interface is used as the source IP address of RADIUS messages.

 

Note:

The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view; the configuration in RADIUS scheme view takes precedence over that in system view.

 

You can set the source IP address of outgoing RADIUS messages so that messages returned from the RADIUS server still reach the switch when a physical interface fails. It is recommended to use a Loopback interface address as the source IP address.

Related commands: display radius scheme, radius nas-ip.

Examples

# Set source IP address 10.1.1.1 for outgoing RADIUS messages in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] nas-ip 10.1.1.1

1.2.13  primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS scheme view

Parameters

ip-address: IP address of the primary accounting server to be used, in dotted decimal notation.

port-number: UDP port number of the primary accounting server, ranging from 1 to 65535.

Description

Use the primary accounting command to set the IP address and port number of the primary RADIUS accounting server to be used by the current scheme.

Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server, which are 0.0.0.0 and 1813 respectively.

In the system default RADIUS scheme “system”, the default IP address of the primary accounting server is 127.0.0.1 and the default UDP port number is 1646. In a new RADIUS scheme, the default IP address of the primary accounting server is 0.0.0.0 and the default UDP port number is 1813.

Related commands: key, radius scheme, state.

Examples

# Set the IP address and UDP port number of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and 1813 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

1.2.14  primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS scheme view

Parameters

ip-address: IP address of the primary authentication/authorization server to be used, in dotted decimal notation.

port-number: UDP port number of the primary authentication/authorization server, ranging from 1 to 65535.

Description

Use the primary authentication command to set the IP address and port number of the primary RADIUS authentication/authorization server used by the current RADIUS scheme.

Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server, which are 0.0.0.0 and 1812 respectively.

In the system default RADIUS scheme “system”, the default IP address of the primary authentication/authorization server is 127.0.0.1 and the default UDP port number is 1645. In a new RADIUS scheme, the default IP address of the primary authentication/authorization server is 0.0.0.0 and the default UDP port number is 1812.

Note that:

• After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. For each kind of server, you can configure two servers in a RADIUS scheme: a primary and a secondary server.

• In an actual network environment, you can make RADIUS server-related configuration as required. But you should configure at least one authentication/authorization server and one accounting server, and at the same time, you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers.

Related commands: key, radius scheme, state.

Examples

# Set the IP address and UDP port number of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and 1812 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

1.2.15  radius client

Syntax

radius client enable

undo radius client

View

System view

Parameters

None

Description

Use the radius client enable command to enable RADIUS authentication and accounting ports.

Use the undo radius client command to disable RADIUS authentication and accounting ports.

By default, RADIUS authentication and accounting ports are enabled.

If you want to use the switch as a RADIUS client, you need to ensure that the ports for RADIUS authentication and accounting are open. Otherwise, you can disable the ports to improve security of the switch.

Related commands: radius scheme.

Examples

# Disable the RADIUS authentication and accounting ports.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] undo radius client enable

1.2.16  radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view

Parameters

ip-address: Source IP address to be set, an IP address of this device. This address can neither be the all 0's address nor be a Class-D address.

Description

Use the radius nas-ip command to set the source IP address of outgoing RADIUS messages.

Use the undo radius nas-ip command to restore the default setting.

By default, no source IP address is set, and the IP address of corresponding outbound interface is used as the source IP address of RADIUS messages.

 

Note:

The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view; the configuration in RADIUS scheme view takes precedence over that in system view.

 

Note that:

• You can set the source IP address of outgoing RADIUS messages so that messages returned from the RADIUS server still reach the switch when a physical interface fails. It is recommended to use a Loopback interface address as the source IP address.

• You can set only one source IP address with this command. When you execute the command again, the newly set source IP address overwrites the old one.

Related commands: nas-ip.

Examples

# Set source address 129.10.10.1 for outgoing RADIUS messages.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius nas-ip 129.10.10.1

1.2.17  radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameters

radius-scheme-name: Name of the RADIUS scheme to be created, a string of up to 32 characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter its view.

Use the undo radius scheme command to delete a specified RADIUS scheme.

By default, a RADIUS scheme named "system" has already been created in the system.

Note that:

• All the attributes of RADIUS scheme "system" take the default values, which you can see by using the display radius scheme command.

• The RADIUS protocol configuration is performed on a RADIUS scheme basis. For each RADIUS scheme, you should specify at least the IP addresses and UDP port numbers of the RADIUS authentication/authorization and accounting servers, and the parameters required for the RADIUS client to interact with the RADIUS servers. You should first create a RADIUS scheme and enter its view before performing RADIUS protocol configurations.

• A RADIUS scheme can be referenced by multiple ISP domains simultaneously.

• The undo radius scheme command cannot delete the default RADIUS scheme. In addition, you are not allowed to delete a RADIUS scheme which is being used by an online user.

Related commands: key, retry realtime-accounting, scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter its view.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1]

1.2.18  radius trap

Syntax

radius trap { authentication-server-down | accounting-server-down }

undo radius trap { authentication-server-down | accounting-server-down }

View

System view

Parameters

authentication-server-down: Enables or disables the sending of trap messages when a RADIUS authentication server goes down.

accounting-server-down: Enables or disables the sending of trap messages when a RADIUS accounting server goes down.

Description

Use the radius trap command to enable the switch to send trap messages when a RADIUS server goes down.

Use the undo radius trap command to disable the switch from sending trap messages when a RADIUS authentication server or a RADIUS accounting server goes down.

By default, this function is disabled.

This configuration takes effect on all RADIUS schemes.

 

Note:

The switch considers a RADIUS server as being down if it has tried the configured maximum number of times to send a message to the RADIUS server but does not receive any response.

 

Examples

# Enable the switch to send trap messages when a RADIUS authentication server turns down.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius trap authentication-server-down

1.2.19  reset radius statistics

Syntax

reset radius statistics

View

User view

Parameters

None

Description

Use the reset radius statistics command to clear RADIUS message statistics.

Related commands: display radius scheme.

Examples

# Clear RADIUS message statistics.

<Sysname> reset radius statistics

1.2.20  reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Parameters

radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests of a specified RADIUS scheme. Here, radius-scheme-name is the name of a RADIUS scheme, which is a string of up to 32 characters that does not contain any of the following characters: /:*?<>.

session-id session-id: Deletes the buffered stop-accounting requests of a specified session. Here, session-id is a session ID, which is a string of up to 50 characters.

time-range start-time stop-time: Deletes the buffered stop-accounting requests generated within a specified time period. Here, start-time is the start time of the time period, stop-time is the end time of the time period, and both are in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Deletes the buffered stop-accounting requests of a specified user. Here, user-name is the name of a user, which is a string of up to 184 characters.

Description

Use the reset stop-accounting-buffer command to delete stop-accounting requests that are buffered on the switch due to getting no response.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Delete the stop-accounting requests buffered for user user0001@aabbcc.net.

<Sysname> reset stop-accounting-buffer user-name user0001@aabbcc.net

# Delete the stop-accounting requests buffered from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.

<Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002 23:59:59-08/31/2002

1.2.21  retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Parameters

retry-times: Maximum number of transmission attempts of a RADIUS request, ranging from 1 to 20.

Description

Use the retry command to set the maximum number of transmission attempts of a RADIUS request.

Use the undo retry command to restore the default maximum number of transmission attempts.

By default, the maximum number of RADIUS request transmission attempts is 3.

Note that:

• RADIUS communication is unreliable because the protocol carries its data in UDP packets. Therefore, the switch must retransmit a RADIUS request if it gets no response from the RADIUS server after the server response timeout timer expires. If the switch gets no answer after it has tried the maximum number of times to transmit a RADIUS request, the switch considers that the request has failed.

• Setting this maximum number of transmission attempts appropriately for your network situation can improve the response speed of the system.

Related commands: radius scheme.

Examples

# Set the maximum number of RADIUS request transmission attempts for RADIUS scheme radius1 to five.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] retry 5

1.2.22  retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS scheme view

Parameters

retry-times: Maximum allowed number of continuous real-time accounting failures, ranging from 1 to 255.

Description

Use the retry realtime-accounting command to set the maximum allowed number of continuous real-time accounting failures.

Use the undo retry realtime-accounting command to restore the default maximum number of continuous real-time accounting failures.

By default, the maximum number of continuous real-time accounting failures is five.

Note that:

• Generally, a RADIUS server uses the connection timeout timer to determine whether a user is currently online. If the RADIUS server receives no real-time accounting message for a specified period of time, it considers that the switch or the line is in trouble and stops accounting for the user. To make the switch cooperate with the RADIUS server in this feature, the user connection on the switch must be cut down in step with the RADIUS server when the server terminates the accounting and connection of a user because of unforeseen trouble. You can limit the number of continuous real-time accounting requests that fail due to getting no response; the switch cuts down the user connection when the limit is reached.

• A real-time accounting request may be transmitted multiple times in one accounting attempt (the maximum number of transmission attempts is set by the retry command in RADIUS scheme view). If no response is received after the switch has tried the maximum number of attempts to send the request, the switch considers that the accounting attempt has failed. Suppose that the response timeout time of the RADIUS server is three seconds (set by the timer response-timeout command), the maximum number of transmission attempts is 3 (set by the retry command), the real-time accounting interval is 12 minutes (set by the timer realtime-accounting command), and the maximum allowed number of real-time accounting failures is 5 (set by the retry realtime-accounting command). In this case, the switch initiates an accounting request every 12 minutes; if the switch does not receive a response within 3 seconds after sending the request, it resends the request; if the switch sends the request three times in a row without receiving any response, it considers this real-time accounting attempt a failure. The switch then re-initiates the accounting request every 12 minutes; if five continuous accounting failures occur, the switch cuts down the user connection.
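The interplay of the retry rule (section 1.2.21) and the real-time accounting failure limit above decides how long a user stays online after the accounting server stops answering. The following Python is an added illustration, not part of the H3C manual: it simulates the cycle with the manual's own numbers (3 s timeout, 3 attempts, 12 min interval, 5 failures), and the two server models are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class SchemeTimers:
    """RADIUS scheme parameters named in the manual; defaults match its worked numbers."""
    response_timeout_s: int = 3       # timer: server response timeout, seconds
    retry: int = 3                    # retry: max transmission attempts per request
    realtime_interval_min: int = 12   # timer realtime-accounting: interval, minutes
    realtime_failures: int = 5        # retry realtime-accounting: consecutive failures tolerated


# A server model answers (attempt number, time in seconds) -> did a response arrive?
ServerModel = Callable[[int, int], bool]


def send_request(timers: SchemeTimers, server: ServerModel, start_s: int) -> Tuple[bool, int]:
    """One RADIUS request under the retry rule: transmit, wait response_timeout_s,
    retransmit, up to `retry` transmissions. Returns (answered, time the outcome is known)."""
    t = start_s
    for attempt in range(1, timers.retry + 1):
        if server(attempt, t):
            return True, t
        t += timers.response_timeout_s          # no answer within the timeout: retransmit
    return False, t                              # all attempts exhausted: the request fails


def simulate_realtime_accounting(timers: SchemeTimers, server: ServerModel,
                                 max_hours: int = 24) -> Tuple[List[Tuple[int, str]], Optional[int]]:
    """Run the real-time accounting cycle for one online user.
    Returns (event log, time the connection is cut, or None if the user survives)."""
    interval_s = timers.realtime_interval_min * 60
    consecutive_failures = 0
    log: List[Tuple[int, str]] = []
    t = 0
    while t + interval_s <= max_hours * 3600:
        t += interval_s                          # next real-time accounting request is due
        answered, done = send_request(timers, server, t)
        if answered:
            consecutive_failures = 0             # any success resets the failure count
            log.append((done, "realtime accounting ok"))
            continue
        consecutive_failures += 1
        log.append((done, f"realtime accounting failure {consecutive_failures}"))
        if consecutive_failures >= timers.realtime_failures:
            log.append((done, "user connection cut"))
            return log, done
    return log, None


def seconds_until_cut(timers: SchemeTimers) -> int:
    """Closed form for a server that never answers: N intervals, the last one
    followed by `retry` timeouts before the Nth failure is declared."""
    return (timers.realtime_failures * timers.realtime_interval_min * 60
            + timers.retry * timers.response_timeout_s)


def dead_server(attempt: int, t: int) -> bool:
    return False                                  # constructed: never responds


def flaky_server(attempt: int, t: int) -> bool:
    return attempt == 3                           # constructed: answers only the last retransmission


if __name__ == "__main__":
    timers = SchemeTimers()
    log, cut = simulate_realtime_accounting(timers, dead_server)
    for when, what in log:
        print(f"{when:6d}s  {what}")
    print("cut after", cut, "s; closed form gives", seconds_until_cut(timers))
    _, cut2 = simulate_realtime_accounting(timers, flaky_server)
    print("flaky server: user cut?", cut2 is not None)
```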

Related commands: radius scheme, timer realtime-accounting.

Examples

# Set the maximum allowed number of continuous real-time accounting failures for RADIUS scheme radius1 to 10.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] retry realtime-accounting 10

1.2.23  retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS scheme view

Parameters

retry-times: Maximum number of transmission attempts of a buffered stop-accounting request, ranging from 10 to 65,535.

Description

Use the retry stop-accounting command to set the maximum number of transmission attempts of a stop-accounting request buffered due to no response.

Use the undo retry stop-accounting command to restore the default maximum number of transmission attempts of a buffered stop-accounting request.

By default, the maximum number of stop-accounting request transmission attempts is 500.

Stop-accounting requests are critical to billing and will eventually affect the charges of users; they are important to both users and ISPs. Therefore, the switch should do its best to transmit them to RADIUS accounting servers. When getting no response to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, specify that the switch can transmit a buffered stop-accounting request at most 1000 times.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] retry stop-accounting 1000

1.2.24  secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS scheme view

Parameters

ip-address: IP address of the secondary accounting server to be used, in dotted decimal notation.

port-number: UDP port number of the secondary accounting server, ranging from 1 to 65535.

Description

Use the secondary accounting command to set the IP address and port number of the secondary RADIUS accounting server to be used by the current scheme.

Use the undo secondary accounting command to restore the default IP address and port number of the secondary RADIUS accounting server, which are 0.0.0.0 and 1813 respectively.

Related commands: key, radius scheme, state.

Examples

# Set the IP address and UDP port number of the secondary accounting server for RADIUS scheme radius1 to 10.110.1.1 and 1813 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

1.2.25  secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS scheme view

Parameters

ip-address: IP address of the secondary authentication/authorization server to be used, in dotted decimal notation.

port-number: UDP port number of the secondary authentication/authorization server, ranging from 1 to 65535.

Description

Use the secondary authentication command to set the IP address and port number of the secondary RADIUS authentication/authorization server to be used by the current scheme.

Use the undo secondary authentication command to restore the default IP address and port number of the secondary RADIUS authentication/authorization server, which are 0.0.0.0 and 1812 respectively.

Related commands: key, radius scheme, state.

Examples

# Set the IP address and UDP port number of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and 1812 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

1.2.26  server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS scheme view

Parameters

extended: Specifies support for an H3C RADIUS server (generally a CAMS), that is, the switch uses the procedure and message format of the private RADIUS protocol to interact with the H3C RADIUS server.

standard: Specifies support for a standard RADIUS server, that is, the switch uses the procedure and message format of the standard RADIUS protocol (RFC 2865/2866 or above) to interact with the standard RADIUS server.

Description

Use the server-type command to configure the switch to support a specified type of RADIUS server.

Use the undo server-type command to restore the default setting.

By default, the switch supports RADIUS servers of the standard type, and the RADIUS server type in the default scheme named system is extended.

Related commands: radius scheme.

Examples

# Configure the switch to support H3C's RADIUS server in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] server-type extended

1.2.27  state

Syntax

state { primary | secondary } { accounting | authentication } { block | active }

View

RADIUS scheme view

Parameters

primary: Specifies that the server to be set is a primary RADIUS server.

secondary: Specifies that the server to be set is a secondary RADIUS server.

accounting: Specifies that the server to be set is a RADIUS accounting server.

authentication: Specifies that the server to be set is a RADIUS authentication/authorization server.

block: Sets the status of the specified RADIUS server to block (that is, the down state).

active: Sets the status of the specified RADIUS server to active (that is, the normal working state).

Description

Use the state command to set the status of a RADIUS server.

By default, all RADIUS servers in any customized RADIUS scheme are in the block state; the primary RADIUS servers in the default RADIUS scheme "system" are in the active state, and the secondary RADIUS servers in "system" are in the block state.

For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme, note that:

• When the switch fails to communicate with the primary server due to some server trouble, the switch will turn to the secondary server and exchange messages with the secondary server.

• After the primary server remains in the block state for a set time (set by the timer quiet command), the switch will try to communicate with the primary server again when it receives a RADIUS request. If it finds that the primary server has recovered, the switch immediately restores the communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged.

• When both primary and secondary servers are in the active or block state, the switch sends messages only to the primary server.
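The three rules above form a small state machine; the following Python is an added illustration, not part of the H3C manual, that models it and walks a constructed failover-and-recovery timeline. Only transitions the manual describes are implemented (a failing server goes to block, a recovered primary goes back to active, the secondary is otherwise left alone), and the quiet time of 300 s is an assumed value for the scenario.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIVE, BLOCK = "active", "block"


@dataclass
class RadiusServer:
    name: str
    state: str = BLOCK                   # servers in a new scheme start in the block state
    blocked_at: Optional[float] = None   # time the switch last marked this server down


@dataclass
class ServerPair:
    """Primary and secondary server of one kind (authentication or accounting) in a scheme."""
    primary: RadiusServer
    secondary: RadiusServer
    quiet_s: float = 300.0               # timer quiet: assumed value for this illustration

    def select(self, now: float) -> RadiusServer:
        """Which server a new request goes to, following the manual's three rules."""
        p, s = self.primary, self.secondary
        if p.state == ACTIVE:
            return p
        # Primary blocked and the quiet time elapsed: the next request probes the primary again.
        if p.blocked_at is not None and now - p.blocked_at >= self.quiet_s:
            return p
        if s.state == ACTIVE:
            return s
        return p                         # both blocked: only the primary is used

    def record(self, server: RadiusServer, responded: bool, now: float) -> None:
        """Update a server's status after an exchange."""
        if not responded:
            server.state = BLOCK
            server.blocked_at = now
        elif server is self.primary and server.state == BLOCK:
            # Recovered primary goes back to active; the secondary's state is left unchanged.
            server.state = ACTIVE
            server.blocked_at = None


def exchange(pair: ServerPair, now: float, reachable: Dict[str, bool]) -> Tuple[str, bool]:
    """One request/response exchange. `reachable` is a constructed stand-in for the network:
    True means the named server answers within the retry budget."""
    srv = pair.select(now)
    ok = reachable[srv.name]
    pair.record(srv, ok, now)
    if not ok and srv is pair.primary and pair.secondary.state == ACTIVE:
        # Primary failed: turn to the secondary for this request.
        ok = reachable[pair.secondary.name]
        pair.record(pair.secondary, ok, now)
        return pair.secondary.name, ok
    return srv.name, ok


def failover_timeline() -> List[Tuple[float, str, bool, str, str]]:
    """Constructed scenario: both servers active (as set with the state command),
    the primary goes down at t=0 and is back before t=400."""
    pair = ServerPair(RadiusServer("primary", ACTIVE), RadiusServer("secondary", ACTIVE))
    steps = [(0, {"primary": False, "secondary": True}),    # primary down: fail over
             (60, {"primary": True, "secondary": True}),    # quiet timer running: still secondary
             (400, {"primary": True, "secondary": True}),   # quiet expired: primary probed, recovers
             (500, {"primary": True, "secondary": True})]   # primary active again
    out = []
    for now, reach in steps:
        name, ok = exchange(pair, now, reach)
        out.append((now, name, ok, pair.primary.state, pair.secondary.state))
    return out


if __name__ == "__main__":
    for now, name, ok, p_state, s_state in failover_timeline():
        print(f"t={now:4.0f}s  sent to {name:9s} answered={ok}  primary={p_state} secondary={s_state}")
```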

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples

# Set the status of the secondary authentication server in RADIUS scheme radius1 to active.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] state secondary authentication active

1.2.28  stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS scheme view

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that get no response.

Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that get no response.

By default, the switch is enabled to buffer the stop-accounting requests that get no response.

Stop-accounting requests are critical to billing because they determine the final charges, so they matter to both users and ISPs. The switch should therefore do its best to deliver them to the RADIUS accounting servers. When a stop-accounting request gets no response, the switch first buffers the request and then retransmits it to the RADIUS accounting server until it gets a response or the maximum number of transmission attempts is reached, at which point it discards the request.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the switch to buffer the stop-accounting requests that get no response from the servers.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] stop-accounting-buffer enable

1.2.29  timer

Syntax

timer seconds

undo timer

View

RADIUS scheme view

Parameters

seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.

Description

Use the timer command to set the response timeout time of RADIUS servers (that is, the timeout time of the response timeout timer of RADIUS servers).

Use the undo timer command to restore the default response timeout timer of RADIUS servers.

By default, the response timeout time of RADIUS servers is 3 seconds.

Note that:

•  After sending a RADIUS request (an authentication/authorization request or an accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time the switch waits for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch is called the response timeout timer of RADIUS servers. You can use the timer command to set the timeout time of this timer. If the switch gets no answer before the timer expires, it retransmits the request so that the user can still obtain RADIUS service.

•  Setting the timeout time of this timer appropriately for your network can improve system performance.

•  The timer command has the same function as the timer response-timeout command.

Related commands: radius scheme, retry.

Examples

# Set the timeout time of the response timeout timer for RADIUS scheme radius1 to 5 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer 5

1.2.30  timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Parameters

minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.

Description

Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.

Use the undo timer quiet command to restore the default wait time.

By default, the switch waits five minutes.

Related commands: display radius scheme.

Examples

# Configure the switch to wait 10 minutes before it tries to restore the status of the primary server to active.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer quiet 10

1.2.31  timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Parameters

minutes: Real-time accounting interval, in minutes. It ranges from 3 to 60 and must be a multiple of 3.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default real-time accounting interval.

By default, this interval is 12 minutes.

Note that:

•  To control the interval at which users are charged in real time, set the real-time accounting interval. After the setting, the switch periodically sends the accounting information of online users to the RADIUS server at that interval.

•  The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the RADIUS server. The higher their performance, the shorter the interval can be. When the number of users is large (≥1000), set the interval as long as possible. Table 1-6 lists the recommended intervals for different numbers of users.

Table 1-6 Numbers of users and recommended intervals

Number of users     Real-time accounting interval (minutes)
1 to 99             3
100 to 499          6
500 to 999          12
≥1000               ≥15

Related commands: retry realtime-accounting, radius scheme.

Examples

# Set the real-time accounting interval of RADIUS scheme radius1 to 51 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer realtime-accounting 51

1.2.32  timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Parameters

seconds: Response timeout time of RADIUS servers, ranging from 1 to 10 seconds.

Description

Use the timer response-timeout command to set the response timeout time of RADIUS servers.

Use the undo timer response-timeout command to restore the default response timeout time of RADIUS servers.

By default, the response timeout time of RADIUS servers is 3 seconds.

Note that:

•  After sending a RADIUS request (an authentication/authorization request or an accounting request) to a RADIUS server, the switch waits for a response from the server. The maximum time the switch waits for the response is called the response timeout time of RADIUS servers, and the corresponding timer in the switch is called the response timeout timer of RADIUS servers. You can use the timer response-timeout command to set the timeout time of this timer. If the switch gets no answer before the timer expires, it retransmits the request so that the user can still obtain RADIUS service.

•  Setting the timeout time of this timer appropriately for your network can improve system performance.

•  This command has the same function as the timer command.

Related commands: radius scheme, retry.

Examples

# Set the response timeout time in RADIUS scheme radius1 to five seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer response-timeout 5

1.2.33  user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS scheme view

Parameters

with-domain: Specifies to include ISP domain names in the usernames to be sent to RADIUS server.

without-domain: Specifies to exclude ISP domain names from the usernames to be sent to RADIUS server.

Description

Use the user-name-format command to set the format of the usernames to be sent to the RADIUS server.

By default, except for the default RADIUS scheme "system", the usernames sent to RADIUS servers in any RADIUS scheme carry ISP domain names.

Note that:

•  Generally, an access user is named in the userid@isp-name format, where isp-name after the @ character is the ISP domain name by which the device determines which ISP domain the user belongs to. However, some older RADIUS servers cannot accept usernames that carry ISP domain names, so the domain names must be removed from usernames before they are sent to the RADIUS server. The user-name-format command lets you specify whether or not ISP domain names are carried in the usernames sent to the RADIUS server.

•  If you have configured a RADIUS scheme to exclude ISP domain names from usernames, do not use that scheme in more than one ISP domain. Otherwise, the RADIUS server may regard two different users that have the same name but belong to different ISP domains as the same user, because the usernames sent to it are identical.

•  For an 802.1x user authenticated with EAP, the switch encapsulates the contents from the client and sends them directly to the server, so the user-name-format configuration does not take effect.

Related commands: radius scheme.

Examples

# Specify to exclude ISP domain names from the usernames to be sent to RADIUS server in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] user-name-format without-domain

1.3  HWTACACS Configuration Commands

1.3.1  data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format { data | packet }

View

HWTACACS scheme view

Parameters

data: Sets the data unit of outgoing HWTACACS data flows, which can be byte, giga-byte, kilo-byte, or mega-byte.

packet: Sets the packet unit of outgoing HWTACACS data flows, which can be one-packet, giga-packet, kilo-packet, or mega-packet.

Description

Use the data-flow-format command to set the units of data flows to TACACS servers.

Use the undo data-flow-format command to restore the default units.

By default, the data unit and packet unit for outgoing HWTACACS flows are byte and one-packet respectively.

Note that the specified unit of data flows sent to the TACACS server must be consistent with the traffic statistics unit of the TACACS server. Otherwise, accounting cannot be performed correctly.

Related commands: display hwtacacs.

Examples

# Specify to measure data and packets in data flows to TACACS servers in kilo-bytes and kilo-packets respectively in HWTACACS scheme hwt1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte

[Sysname-hwtacacs-hwt1] data-flow-format packet kilo-packet

1.3.2  display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]

View

Any view

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters. This name is case-insensitive. If this argument is not specified, the system displays information about all HWTACACS schemes.

statistics: Displays statistics about one or all HWTACACS schemes.

Description

Use the display hwtacacs command to display configuration or statistics information of one specified or all HWTACACS schemes.

Related commands: hwtacacs scheme.

Examples

# Display configuration information of HWTACACS scheme ht1.

<Sysname> display hwtacacs ht1

--------------------------------------------------------------------
  HWTACACS-server template name   : ht1

  Primary-authentication-server   : 172.31.1.11:49

  Primary-authorization-server    : 172.31.1.11:49

  Primary-accounting-server       : 172.31.1.11:49

  Secondary-authentication-server : 0.0.0.0:0

  Secondary-authorization-server  : 0.0.0.0:0

  Secondary-accounting-server     : 0.0.0.0:0

  Current-authentication-server   : 172.31.1.11:49

  Current-authorization-server    : 172.31.1.11:49

  Current-accounting-server       : 172.31.1.11:49

  Source-IP-address               : 0.0.0.0

  key authentication              : 790131

  key authorization               : 790131

  key accounting                  : 790131

  Quiet-interval(min)             : 5

  Response-timeout-Interval(sec)  : 5

  Realtime-accouting-Interval(min): 12

  Stop-acct-PKT resending times   : 100   

  Domain-included                 : No

  Traffic-unit                    : B

  Packet traffic-unit             : one-packet

1.3.3  display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Displays the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is a string of up to 32 characters.

Description

Use the display stop-accounting-buffer command to display stop-accounting requests buffered in the switch.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

1.3.4  hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Parameters

ip-address: Source IP address to be set, an IP address of this device. This address can be neither the all-zeros address nor a Class D address.

Description

Use the hwtacacs nas-ip command to set the source address of outgoing HWTACACS messages.

Use the undo hwtacacs nas-ip command to restore the default setting.

By default, no source address is specified, and the IP address of corresponding outbound interface is used as the source address.

Note that:

•  You can specify the source address of outgoing HWTACACS messages so that replies from the server can still reach the switch when a physical interface fails. It is recommended to use a Loopback interface address as the source IP address.

•  You can specify only one source IP address with this command. If you execute the command again, the new source IP address overwrites the old one.

Related commands: nas-ip.

Examples

# Configure the switch to use source address 129.10.10.1 for outgoing HWTACACS messages.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs nas-ip 129.10.10.1

1.3.5  hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter its view.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

By default, no HWTACACS scheme exists.

Examples

# Create an HWTACACS scheme named "hwt1" and enter the corresponding HWTACACS scheme view.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

1.3.6  key

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization }

View

HWTACACS scheme view

Parameters

accounting: Sets a shared key for HWTACACS accounting messages.

authentication: Sets a shared key for HWTACACS authentication messages.

authorization: Sets a shared key for HWTACACS authorization messages.

string: Shared key to be set, a string of up to 16 characters.

Description

Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting messages.

Use the undo key command to delete such a configuration.

By default, no key is set for HWTACACS messages.

Related commands: display hwtacacs.

Examples

# Use hello as the shared key for HWTACACS accounting messages in HWTACACS scheme hwt1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key accounting hello

1.3.7  nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS scheme view

Parameters

ip-address: Source IP address to be set, an IP address of this device. This address can be neither the all-zeros address nor a Class D address.

Description

Use the nas-ip command to set the source address of outgoing HWTACACS messages.

Use the undo nas-ip command to restore the default setting.

Note that:

•  You can set the source address of HWTACACS messages so that replies from the server can still reach the switch when a physical interface fails. It is recommended to use a Loopback interface address as the source IP address.

•  You can set only one source IP address with this command. If you execute the command again, the new source IP address overwrites the old one.

Related commands: display hwtacacs.

Examples

# Set source IP address 10.1.1.1 for outgoing HWTACACS messages in HWTACACS scheme hwt1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

1.3.8  primary accounting

Syntax

primary accounting ip-address [ port ]

undo primary accounting

View

HWTACACS scheme view

Parameters

ip-address: IP address of the primary accounting server to be used, a valid unicast address in dotted decimal notation.

port: Port number of the primary accounting server, ranging from 1 to 65535.

Description

Use the primary accounting command to set the IP address and port number of the primary HWTACACS accounting server to be used by the current scheme.

Use the undo primary accounting command to restore the default IP address and port number of the primary HWTACACS accounting server, which are 0.0.0.0 and 49 respectively.

Note that:

•  You are not allowed to set the same IP address for both the primary and secondary accounting servers. If you do, the setting fails.

•  If you execute the command again, the new setting overwrites the old one.

•  You can remove an accounting server setting only when there is no active TCP connection sending accounting messages to the server.

Examples

# Set the IP address and port number of the primary accounting server for HWTACACS scheme test1 to 10.163.155.12 and 49 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

1.3.9  primary authentication

Syntax

primary authentication ip-address [ port ]

undo primary authentication

View

HWTACACS scheme view

Parameters

ip-address: IP address of the primary authentication server to be used, a valid unicast address in dotted decimal notation.

port: Port number of the primary authentication server, ranging from 1 to 65535.

Description

Use the primary authentication command to set the IP address and port number of the primary HWTACACS authentication server to be used by the current scheme.

Use the undo primary authentication command to restore the default IP address and port number of the primary HWTACACS authentication server, which are 0.0.0.0 and 49 respectively.

Note that:

•  You are not allowed to set the same IP address for both the primary and secondary authentication servers. If you do, the setting fails.

•  If you execute the command again, the new setting overwrites the old one.

•  You can remove an authentication server setting only when there is no active TCP connection sending authentication messages to the server.

Related commands: display hwtacacs.

Examples

# Set the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

1.3.10  primary authorization

Syntax

primary authorization ip-address [ port ]

undo primary authorization

View

HWTACACS scheme view

Parameters

ip-address: IP address of the primary authorization server to be used, a valid unicast address in dotted decimal notation.

port: Port number of the primary authorization server, ranging from 1 to 65535.

Description

Use the primary authorization command to set the IP address and port number of the primary HWTACACS authorization server to be used by the current scheme.

Use the undo primary authorization command to restore the default IP address and port number of the primary authorization server, which are 0.0.0.0 and 49 respectively.

Note that:

•  You are not allowed to set the same IP address for both the primary and secondary authorization servers. If you do, the setting fails.

•  If you execute the command again, the new setting overwrites the old one.

•  You can remove an authorization server setting only when there is no active TCP connection sending authorization messages to the server.

Related commands: display hwtacacs.

Examples

# Set the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

1.3.11  reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | authentication | authorization | all }

View

User view

Parameters

accounting: Clears HWTACACS accounting statistics.

authentication: Clears HWTACACS authentication statistics.

authorization: Clears HWTACACS authorization statistics.

all: Clears all HWTACACS statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS statistics.

Related commands: display hwtacacs.

Examples

# Clear all HWTACACS protocol statistics.

<Sysname> reset hwtacacs statistics all

1.3.12  reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

User view

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Deletes the buffered stop-accounting requests of a specified HWTACACS scheme. Here, hwtacacs-scheme-name is the name of an HWTACACS scheme, a string of up to 32 characters.

Description

Use the reset stop-accounting-buffer command to clear stop-accounting requests that are buffered on the switch due to getting no response.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Delete the stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

1.3.13  retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS scheme view

Parameters

retry-times: Maximum number of transmission attempts of a stop-accounting request, ranging from 1 to 300.

Description

Use the retry stop-accounting command to enable the stop-accounting request retransmission function and set the maximum number of attempts to transmit a stop-accounting request.

Use the undo retry stop-accounting command to restore the default setting.

By default, this function is enabled and the maximum number of transmission attempts is 100.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
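The buffering described for stop-accounting-buffer enable (1.2.28) and the attempt limit set by retry stop-accounting (above) work together: an unanswered stop-accounting request is kept and retransmitted until it is acknowledged or the attempt limit discards it. The following Python model is an added illustration, not H3C code; the StopAccountingBuffer name, the round-based retransmission, and counting the first transmission as attempt 1 are assumptions.

```python
"""Model of stop-accounting buffering and retransmission as described for
stop-accounting-buffer enable and retry stop-accounting. Added illustration,
not H3C code."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List


@dataclass(frozen=True)
class StopRequest:
    user: str           # user whose session ended
    octets: int         # traffic reported for billing


class StopAccountingBuffer:
    def __init__(self, enabled: bool = True, max_attempts: int = 100) -> None:
        self.enabled = enabled                 # [undo] stop-accounting-buffer enable
        self.max_attempts = max_attempts       # retry stop-accounting retry-times (default 100)
        self.pending: Deque[List] = deque()    # [request, attempts so far]
        self.discarded: List[StopRequest] = []

    def send_stop(self, req: StopRequest, server: Callable[[StopRequest], bool]) -> bool:
        """First transmission. An unanswered request is buffered only if buffering is on."""
        if server(req):
            return True
        if self.enabled:
            self.pending.append([req, 1])      # assumption: first transmission is attempt 1
        return False

    def retransmit_pending(self, server: Callable[[StopRequest], bool]) -> int:
        """One retransmission round over the buffer; returns how many were acknowledged.
        A request that reaches max_attempts without a response is discarded."""
        acked = 0
        for _ in range(len(self.pending)):
            req, attempts = self.pending.popleft()
            if server(req):
                acked += 1
                continue
            attempts += 1
            if attempts >= self.max_attempts:
                self.discarded.append(req)     # billing data for this session is lost
            else:
                self.pending.append([req, attempts])
        return acked


def buffer_demo(enabled: bool = True) -> dict:
    """Constructed scenario: the accounting server is unreachable for the first two
    rounds, then answers only for user A; retry-times is set to 3."""
    buf = StopAccountingBuffer(enabled=enabled, max_attempts=3)
    clock = {"round": 0}

    def server(req: StopRequest) -> bool:      # stand-in for the accounting server
        return clock["round"] >= 2 and req.user == "A"

    a, b = StopRequest("A", 1024), StopRequest("B", 2048)
    first = (buf.send_stop(a, server), buf.send_stop(b, server))
    clock["round"] = 1
    acked_round1 = buf.retransmit_pending(server)
    clock["round"] = 2
    acked_round2 = buf.retransmit_pending(server)
    return {"first": first, "acked_round1": acked_round1, "acked_round2": acked_round2,
            "pending": len(buf.pending), "discarded": [r.user for r in buf.discarded]}


if __name__ == "__main__":
    print(buffer_demo())
```

The discarded list is the quantity worth monitoring: every entry there is a session whose stop record never reached the accounting server, which is what display stop-accounting-buffer and the retry limit are meant to help you keep small.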

Examples

# Enable the stop-accounting request retransmission function and set the maximum number of transmission attempts of a request to 50.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 50

1.3.14  secondary accounting

Syntax

secondary accounting ip-address [ port ]

undo secondary accounting

View

HWTACACS scheme view

Parameters

ip-address: IP address of the secondary accounting server to be used, a valid unicast address in dotted decimal notation.

port: Port number of the secondary accounting server, ranging from 1 to 65535.

Description

Use the secondary accounting command to set the IP address and port number of the secondary HWTACACS accounting server to be used by the current scheme.

Use the undo secondary accounting command to restore the default IP address and port number of the secondary HWTACACS accounting server, which are 0.0.0.0 and 49 respectively.

Note that:

•  You are not allowed to set the same IP address for both the primary and secondary accounting servers. If you do, the setting fails.

•  If you execute the command again, the new setting overwrites the old one.

•  You can remove an accounting server setting only when there is no active TCP connection sending accounting messages to the server.

Examples

# Set the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 to 10.163.155.12 and 49 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

1.3.15  secondary authentication

Syntax

secondary authentication ip-address [ port ]

undo secondary authentication

View

HWTACACS scheme view

Parameters

ip-address: IP address of the secondary authentication server to be used, a valid unicast address in dotted decimal notation.

port: Port number of the secondary authentication server, ranging from 1 to 65535.

Description

Use the secondary authentication command to set the IP address and port number of the secondary HWTACACS authentication server to be used by the current scheme.

Use the undo secondary authentication command to restore the default IP address and port number of the secondary HWTACACS authentication server, which are 0.0.0.0 and 49 respectively.

Note that:

•  You are not allowed to set the same IP address for both the primary and secondary authentication servers. If you do, the setting fails.

•  If you execute the command again, the new setting overwrites the old one.

•  You can remove an authentication server setting only when there is no active TCP connection sending authentication messages to the server.

Related commands: display hwtacacs.

Examples

# Set the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

1.3.16  secondary authorization

Syntax

secondary authorization ip-address [ port ]

undo secondary authorization

View

HWTACACS scheme view

Parameters

ip-address: IP address of the secondary authorization server, a valid unicast address in dotted decimal notation.

port: Port number of the secondary authorization server, ranging from 1 to 65535.

Description

Use the secondary authorization command to set the IP address and port number of the secondary HWTACACS authorization server to be used by the current scheme.

Use the undo secondary authorization command to restore the default IP address and port number of the secondary HWTACACS authorization server, which are 0.0.0.0 and 49 respectively.

Note that:

•  You are not allowed to set the same IP address for both the primary and secondary authorization servers.

•  If you execute the command again, the new setting overwrites the old one.

•  You can remove an authorization server setting only when there is no active TCP connection sending authorization messages to the server.

Related commands: display hwtacacs.
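The constraints spread over the hwtacacs nas-ip, nas-ip, key, and primary/secondary server commands (1.3.4 through 1.3.10 and 1.3.14 through 1.3.16) are easy to check before a scheme is pushed to a switch. The following Python pre-flight validator is an added illustration, not H3C code: the HwtacacsScheme structure, the function names, the constructed hwt2 scheme and the address 10.163.155.14 are assumptions, and treating a missing shared key as a finding is a recommendation rather than something the switch rejects.

```python
"""Pre-flight checks for HWTACACS scheme addressing and keys, following the
constraints in the nas-ip, key and primary/secondary server descriptions.
Added illustration, not H3C code; the checks are not exhaustive."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Server = Tuple[str, int]                     # (ip-address, port)
DEFAULT_SERVER: Server = ("0.0.0.0", 49)     # documented default for every server slot
MAX_KEY_LEN = 16                             # key string: up to 16 characters
KINDS = ("authentication", "authorization", "accounting")


@dataclass
class HwtacacsScheme:
    name: str
    nas_ip: Optional[str] = None                                  # nas-ip in scheme view
    primary: Dict[str, Server] = field(default_factory=dict)      # kind -> server
    secondary: Dict[str, Server] = field(default_factory=dict)
    keys: Dict[str, str] = field(default_factory=dict)            # kind -> shared key


def check_nas_ip(ip: Optional[str]) -> List[str]:
    """nas-ip may be neither the all-zeros address nor a Class D (multicast) address."""
    if ip is None:
        return ["nas-ip not set: the outbound interface address will be used; "
                "a Loopback interface address is recommended"]
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"nas-ip {ip!r} is not a valid IPv4 address"]
    problems = []
    if addr.is_unspecified:
        problems.append("nas-ip must not be 0.0.0.0")
    if addr.is_multicast:
        problems.append(f"nas-ip {ip} is a Class D address")
    return problems


def check_server(kind: str, role: str, server: Server) -> List[str]:
    """Server address must be a valid unicast address; port must be 1..65535."""
    ip, port = server
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
        if addr.is_multicast or addr == ipaddress.IPv4Address("255.255.255.255"):
            problems.append(f"{role} {kind} server {ip} is not a unicast address")
    except ValueError:
        problems.append(f"{role} {kind} server address {ip!r} is invalid")
    if not 1 <= port <= 65535:
        problems.append(f"{role} {kind} server port {port} is out of range 1..65535")
    return problems


def validate_scheme(scheme: HwtacacsScheme) -> List[str]:
    problems = list(check_nas_ip(scheme.nas_ip))
    for kind in KINDS:
        p = scheme.primary.get(kind, DEFAULT_SERVER)
        s = scheme.secondary.get(kind, DEFAULT_SERVER)
        if p != DEFAULT_SERVER:
            problems += check_server(kind, "primary", p)
        if s != DEFAULT_SERVER:
            problems += check_server(kind, "secondary", s)
        # The switch rejects the same IP address for primary and secondary servers.
        if p != DEFAULT_SERVER and s != DEFAULT_SERVER and p[0] == s[0]:
            problems.append(f"primary and secondary {kind} servers share IP {p[0]}")
        key = scheme.keys.get(kind)
        if p != DEFAULT_SERVER and key is None:
            problems.append(f"no shared key configured for {kind} messages")   # recommendation
        elif key is not None and not 1 <= len(key) <= MAX_KEY_LEN:
            problems.append(f"{kind} key must be 1..{MAX_KEY_LEN} characters, got {len(key)}")
    return problems


def validator_demo() -> Tuple[List[str], List[str]]:
    """Constructed schemes: hwt1 follows the manual's examples; hwt2 has four mistakes."""
    good = HwtacacsScheme("hwt1", nas_ip="10.1.1.1",
                          primary={"authentication": ("10.163.155.13", 49),
                                   "accounting": ("10.163.155.12", 49)},
                          secondary={"authentication": ("10.163.155.14", 49)},
                          keys={"authentication": "hello", "accounting": "hello"})
    bad = HwtacacsScheme("hwt2", nas_ip="224.0.0.5",
                         primary={"authentication": ("10.163.155.13", 49)},
                         secondary={"authentication": ("10.163.155.13", 70000)},
                         keys={"authentication": "x" * 17})
    return validate_scheme(good), validate_scheme(bad)
```

Run validator_demo() to see the two result lists; the second one reports the Class D source address, the out-of-range port, the shared primary/secondary address, and the over-long key that the switch would otherwise reject one command at a time.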

Examples

# Set the IP address and port number of the secondary authorization server for HWTACACS scheme hwt1 to 10.163.155.13 and 49 respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

1.3.17  timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS scheme view

Parameters

minutes: Wait time before primary server state restoration, ranging from 1 to 255 minutes.

Description

Use the timer quiet command to set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active.

Use the undo timer quiet command to restore the default wait time.

By default, the switch waits five minutes.

Related commands: display hwtacacs.

Examples

# Configure the switch to wait 10 minutes before it tries to restore the status of the primary server to active.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

1.3.18  timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS scheme view

Parameters

minutes: Real-time accounting interval, in minutes. It ranges from 3 to 60 and must be a multiple of 3.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default real-time accounting interval.

By default, the real-time accounting interval is 12 minutes.

Note that:

•  To control the interval at which users are charged in real time, set the real-time accounting interval. After the setting, the switch periodically sends the accounting information of online users to the TACACS accounting server at that interval.

•  The setting of the real-time accounting interval depends, to some degree, on the performance of the switch and the TACACS server. The higher their performance, the shorter the interval can be. When the number of users is large (≥1000), set the interval as long as possible. Table 1-7 lists the recommended intervals for different numbers of users.

Table 1-7 Numbers of users and recommended intervals

Number of users     Real-time accounting interval (minutes)
1 to 99             3
100 to 499          6
500 to 999          12
≥1000               ≥15

Examples

# Set the real-time accounting interval in HWTACACS scheme hwt1 to 51 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

1.3.19  timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS scheme view

Parameters

seconds: Response timeout time of TACACS servers, ranging from 1 to 300 seconds.

Description

Use the timer response-timeout command to set the response timeout time of TACACS servers.

Use the undo timer response-timeout command to restore the default response timeout time of TACACS servers.

By default, the response timeout time of TACACS servers is five seconds.

Because HWTACACS runs over TCP, either a server response timeout or a TCP timeout can cause the connection to the TACACS server to be torn down.

Related commands: display hwtacacs.

Examples

# Set the response timeout time of TACACS servers to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

1.3.20  user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS scheme view

Parameters

with-domain: Specifies to include ISP domain names in the usernames to be sent to TACACS server.

without-domain: Specifies to exclude ISP domain names from the usernames to be sent to TACACS server.

Description

Use the user-name-format command to set the format of the usernames to be sent to TACACS server.

By default, the usernames sent to TACACS server in a HWTACACS scheme carry ISP domain names.

Note that:

l           Generally, an access user is named in the userid@isp-name format. Here, isp-name after the @ character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old TACACS servers cannot accept usernames that carry ISP domain names. In this case, it is necessary to remove domain names from usernames before sending them to the TACACS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the usernames to be sent to the TACACS server.

l           For a HWTACACS scheme, if you have specified to exclude ISP domain names from usernames, you should not use this scheme in more than one ISP domain. Otherwise, such errors may occur: the TACACS server regards two different users having the same name but belonging to different ISP domains as the same user (because the usernames sent to it are the same).
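The following Python model is an added example, not code from the manual or from H3C: it reduces usernames the way the with-domain / without-domain setting would, and checks a scheme that is set to without-domain yet bound to more than one ISP domain for userids the TACACS server would receive as the same name. The domain-to-scheme binding map, the scheme data class and the rule of splitting at the last @ character are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HwtacacsScheme:
    """Minimal model of one HWTACACS scheme (assumed, not the switch's own data model)."""
    name: str
    with_domain: bool = True  # manual's default: usernames carry ISP domain names


def split_username(username):
    """Split 'userid@isp-name' at the last '@' (assumed delimiter rule)."""
    userid, sep, isp = username.rpartition("@")
    return (userid, isp) if sep else (username, "")


def name_sent_to_tacacs(username, scheme):
    """Name the switch would send under the scheme's user-name-format setting."""
    userid, isp = split_username(username)
    if scheme.with_domain or not isp:
        return username
    return userid


def domains_using_scheme(bindings, scheme):
    """ISP domains whose HWTACACS scheme is `scheme` (bindings: domain -> scheme name)."""
    return sorted(d for d, s in bindings.items() if s == scheme.name)


def find_name_collisions(bindings, scheme, online_users):
    """Return {name_as_sent: [original usernames]} for distinct users that the
    TACACS server would treat as one user because the domain part was stripped."""
    seen = defaultdict(set)
    for user in online_users:
        _, isp = split_username(user)
        if bindings.get(isp) != scheme.name:
            continue  # this user's domain does not authenticate via the scheme
        seen[name_sent_to_tacacs(user, scheme)].add(user)
    return {sent: sorted(orig) for sent, orig in seen.items() if len(orig) > 1}


# Constructed sample: hwt1 is set to without-domain yet bound to two ISP domains.
SAMPLE_BINDINGS = {"isp1": "hwt1", "isp2": "hwt1", "isp3": "hwt2"}
SAMPLE_USERS = ["alice@isp1", "alice@isp2", "bob@isp1", "alice@isp3"]
HWT1_WITHOUT_DOMAIN = HwtacacsScheme("hwt1", with_domain=False)
HWT1_WITH_DOMAIN = HwtacacsScheme("hwt1", with_domain=True)

if __name__ == "__main__":
    print(domains_using_scheme(SAMPLE_BINDINGS, HWT1_WITHOUT_DOMAIN))
    print(find_name_collisions(SAMPLE_BINDINGS, HWT1_WITHOUT_DOMAIN, SAMPLE_USERS))
```

With the same users and bindings but the scheme left at with-domain, no collision is reported, which is the safe configuration the note recommends when one scheme serves several ISP domains.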

Related commands: hwtacacs scheme.

Examples

# Specify to exclude ISP domain names from the usernames to be sent to TACACS server in HWTACACS scheme hwt1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain



Chapter 2  EAD Configuration Commands

2.1  EAD Configuration Commands

2.1.1  security-policy-server

Syntax

security-policy-server ip-address

undo security-policy-server { ip-address | all }

View

RADIUS scheme view

Parameters

ip-address: IP address of a security policy server.

all: IP addresses of all security policy servers.

Description

Use the security-policy-server command to set the IP address of a security policy server.

Use the undo security-policy-server command to remove one specified or all security policy server address settings.

You can configure up to eight security policy server addresses in each RADIUS scheme. The switch only responds to those session control messages that come from authentication server or security policy server.

Examples

# Set a security policy server address 192.168.0.1 on the switch.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme extended

[Sysname-radius-extended] security-policy-server 192.168.0.1

[Sysname-radius-extended] display current-configuration

radius scheme extended

primary authentication 1.1.11.29 1812

secondary authentication 127.0.0.1 1645

security-policy-server 192.168.0.1

user-name-format without-domain
