Table of Contents
Chapter 1 AAA, RADIUS, and HWTACACS Protocol Configuration Commands
1.1 AAA Configuration Commands
1.1.13 local-user password-display-mode
1.2 RADIUS Protocol Configuration Commands
1.2.7 display radius statistics
1.2.8 display stop-accounting-buffer
1.2.18 reset radius statistics
1.2.19 reset stop-accounting-buffer
1.2.21 retry realtime-accounting
1.2.24 secondary authentication
1.2.28 stop-accounting-buffer enable
1.2.30 timer realtime-accounting
1.3 HWTACACS Configuration Commands
1.3.4 display stop-accounting-buffer hwtacacs-scheme
1.3.12 reset hwtacacs statistics
1.3.13 reset stop-accounting-buffer
1.3.16 secondary authentication
1.3.17 secondary authorization
1.3.19 timer realtime-accounting
Chapter 1 AAA, RADIUS, and HWTACACS Protocol Configuration Commands
1.1 AAA Configuration Commands
1.1.1 access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Parameters
disable: No limit to the supplicant number in the current ISP domain.
enable max-user-number: Specifies the maximum supplicant number in the current ISP domain, ranging from 1 to 2,312.
Description
Use the access-limit command to limit the number of supplicants in the current ISP domain.
Use the undo access-limit command to restore the default setting.
By default, there is no limit to the number of supplicants in the current ISP domain.
This command limits the number of supplicants in the current ISP domain. Supplicants contend with each other for network resources, so setting a suitable limit helps guarantee reliable performance for the supplicants already connected.
Examples
# Set a limit of 500 supplicants for the ISP domain, H3C163.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain H3C163.net
New Domain added.
[H3C-isp-H3C163.net]
[H3C-isp-H3C163.net] access-limit enable 500
1.1.2 accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Parameters
None
Description
Use the accounting optional command to make accounting optional.
Use the undo accounting optional command to make accounting required again.
By default, accounting is not optional. After you execute the accounting optional command, users can still use network resources when no accounting server is available or when the switch fails to communicate with the accounting server; without this command, users are denied access under the same circumstances. Use this command when you want the server to authenticate users without charging them.
Examples
# Enable optional accounting for the ISP domain H3C163.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain H3C163.net
[H3C-isp-H3C163.net] accounting optional
1.1.3 attribute
Syntax
attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum } }*
undo attribute { ip | mac | idle-cut | access-limit | vlan | location }*
View
Local user view
Parameters
ip ip-address: Specifies the IP address of a user.
mac mac-address: Specifies the MAC address of a user. The argument mac-address takes the hexadecimal format X-X-X.
idle-cut second: Allows or disallows the local user to use the idle-cut function. (The specific behaviour of this function depends on the configuration of the ISP domain where the user is located.) The argument second defines the idle-cut time, in the range of 60 to 7,200 seconds.
access-limit max-user-number: Specifies the maximum number of users that can access the device using the current user name. The argument max-user-number is in the range of 1 to 2048.
vlan vlanid: Sets the VLAN attribute of the user, that is, the VLAN to which the user belongs. The argument vlanid is an integer in the range of 1 to 4094.
location: Sets the port binding attribute of user.
nas-ip ip-address: IP address of the access server in the event of binding a remote port with a user. The argument ip-address is an IP address in dotted decimal format and defaults to 127.0.0.1 (which represents the local machine).
port portnum: Sets the port with which a user is bound. The argument portnum is represented by “SlotNumber SubSlotNumber PortNumber”. If the bound port has no SubSlotNumber, the value 0 can be used as the SubSlotNumber.
& Note:
When binding a user to a port, the setting takes effect only if the specified slot number, subslot number and port number exist.
Description
Use the attribute command to configure attributes for the specified local user.
Use the undo attribute command to cancel attributes that have been defined for this local user.
For users of the local Lan-access service type, the user IP address and MAC address attributes are valid only when the ISP domain authentication scheme is a local authentication scheme, or when it is a RADIUS authentication scheme whose RADIUS scheme type is extended.
Note that the nas-ip argument must be defined for a user bound with a remote port; it is unnecessary for a user bound with a local port.
Related commands: display local-user.
& Note:
Among the attribute options in local user view, only access-limit is applicable to telnet and ssh terminal users. Other attributes, such as port binding, VLAN binding and IP binding, are not applicable to terminal users.
Examples
# Configure the IP address 10.110.50.1 to the user test1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user test1
[H3C-luser-test1] attribute ip 10.110.50.1
1.1.4 cut connection
Syntax
cut connection { all | access-type { dot1x | gcm | mac-authentication } | domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name }
View
System view
Parameters
all: Disconnects all connections.
access-type { dot1x | gcm | mac-authentication }: Disconnects the user connections of the specified access category.
dot1x: Specifies 802.1x users.
gcm: Specifies GCM users.
mac-authentication: Specifies users authenticated by MAC address.
domain domain-name: Cuts connections by ISP domain. domain-name specifies the ISP domain name, a character string not exceeding 24 characters. The specified ISP domain must already exist.
mac mac-address: Cuts the connection of the supplicant whose MAC address is mac-address. The argument mac-address is in hexadecimal format (x-x-x).
radius-scheme radius-scheme-name: Cuts connections by RADIUS scheme name. radius-scheme-name specifies the RADIUS scheme name, a character string not exceeding 32 characters.
interface interface-type interface-number: Cuts connections by port.
ip ip-address: Cuts connections by IP address.
vlan vlanid: Cuts connections by VLAN ID. Here, vlanid ranges from 1 to 4094.
ucibindex ucib-index: Cuts connections by ucib-index. Here, ucib-index ranges from 0 to 2311.
user-name user-name: Cuts connections by user name. user-name is a character string not exceeding 32 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can be used only once in a username. The pure username (the part before @, namely the user ID) cannot exceed 55 characters.
Description
Use the cut connection command to disconnect a user or a category of users by force.
Related commands: display connection.
Examples
# Cut all the connections in the ISP domain, H3C163.net.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] cut connection domain H3C163.net
1.1.5 display connection
Syntax
display connection [ access-type { dot1x | gcm } | domain domain-name | hwtacacs-scheme hwtacacs-scheme-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlanid | ucibindex ucib-index | user-name user-name ]
View
Any view
Parameters
access-type { dot1x | gcm }: Displays the user connections of the specified access category.
dot1x: Specifies 802.1x access mode.
gcm: Specifies GCM access mode.
domain domain-name: Displays all the users in an ISP domain. domain-name specifies the ISP domain name, a character string not exceeding 24 characters. The specified ISP domain must already exist.
hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections of the HWTACACS scheme named hwtacacs-scheme-name. hwtacacs-scheme-name is a string of no more than 32 characters.
mac mac-address: Displays the supplicant whose MAC address is mac-address. The argument mac-address is in hexadecimal format (x-x-x).
radius-scheme radius-scheme-name: Displays the supplicants of the specified RADIUS scheme. radius-scheme-name specifies the RADIUS scheme name, a character string not exceeding 32 characters.
interface interface-type interface-number: Displays the supplicants on the specified port.
ip ip-address: Displays the user with the specified IP address.
vlan vlanid: Displays the users in the specified VLAN. Here, vlanid ranges from 1 to 4094.
ucibindex ucib-index: Displays the user with the specified ucib-index. Here, ucib-index ranges from 0 to 2311.
user-name user-name: Displays the user specified by user-name. user-name is a character string not exceeding 32 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can be used only once in a username. The pure username (the part before @, namely the user ID) cannot exceed 24 characters.
Description
Use the display connection command to view the relevant information of all the supplicants or the specified one(s). The output can help you with the user connection diagnosis and troubleshooting.
If no parameter is specified, this command displays the related information about all connected users.
Related commands: cut connection.
Examples
# Display the relevant information of all the users.
<H3C> display connection
Total 0 connections matched ,0 listed.
1.1.6 display domain
Syntax
display domain [ isp-name ]
View
Any view
Parameters
isp-name: Specifies the ISP domain name, with a character string not exceeding 24 characters. The specified ISP domain shall have been created.
Description
Use the display domain command to view the configuration of a specified ISP domain or the summary information of all ISP domains.
By default, this command displays the summary information about all the ISP domains in the system.
If an ISP domain is specified, its configuration is displayed with exactly the same content and format as the output of the display domain command. The output can help with ISP domain diagnosis and troubleshooting.
Related commands: access-limit, domain, radius-scheme, state, display domain.
Examples
# Display the summary information of all ISP domains of the system.
<H3C> display domain
0 Domain = system
State = Active
Scheme = LOCAL
Access-limit = Disable
Vlan-assignment-mode = Integer
Accounting required
Accounting-mode = Time
Domain User Template:
Idle-cut = Disable
Self-service = Disable
Default Domain Name: system
Total 1 domain(s).1 listed.
1.1.7 display local-user
Syntax
display local-user [ domain isp-name | idle-cut { enable | disable } | service-type { ftp | lan-access | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlanid ]
View
Any view
Parameters
domain isp-name: Displays all the local users in the specified ISP domain. isp-name specifies the ISP domain name, a character string not exceeding 24 characters. The specified ISP domain must already exist.
idle-cut { enable | disable }: Displays the local users according to the state of the idle-cut function. disable means the user has the idle-cut function disabled and enable means the user has it enabled. This parameter takes effect only on users of the Lan-access type; for other types of users, the display local-user idle-cut enable and display local-user idle-cut disable commands display nothing.
service-type: Displays local users of the specified type.
ftp: Specifies FTP users.
lan-access: Specifies Lan-access users, which mainly refers to Ethernet access users, for example 802.1x supplicants.
ppp: Specifies PPP users.
ssh: Specifies SSH users.
telnet: Specifies Telnet users.
terminal: Specifies terminal users.
state { active | block }: Displays the local users in the specified state. active means the system allows the user to request network service; block means the system does not allow the user to request network service.
user-name user-name: Displays the local user specified by user-name. user-name is a character string not exceeding 32 characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can be used only once in a username. The pure username (the part before @, namely the user ID) cannot exceed 55 characters.
vlan vlanid: Displays the local users belonging to the specified VLAN. vlanid is an integer ranging from 1 to 4094.
Description
Use the display local-user command to view the relevant information about all the local users or the specified one(s).
The output can help you with the fault diagnosis and troubleshooting related to local user.
By default, this command displays the relevant information about all the local users.
Related commands: local-user.
Examples
# Display the relevant information of all the local users.
<H3C> display local-user
The contents of local user user1:
State: Active ServiceType Mask: None
Idle Cut: Disable
AccessLimit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
Total 1 local user(s) Matched,1 listed.
Table 1-1 Description on the fields of the display local-user command
Field | Description |
---|---|
State | State |
Service Type Mask | Service type mask |
Idle Cut | Idle cut switch |
AccessLimit | Limit on the number of access connections |
Current AccessNum | Number of current accesses |
Bind location | Whether to be bound with port |
VLAN ID | VLAN that the user belongs to |
IP address | IP address of the user |
MAC address | MAC address of the user |
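The output above is printed as "Field: value" pairs, sometimes several to a line. The following Python parser is an added example, not part of the H3C documentation; it reads the dump into a dictionary keyed by user name and then lists accounts that have no port, IP or MAC binding (the bindings the attribute command sets). The second user, test1, and the format of its IP address line are constructed assumptions.

```python
import re
from typing import Dict, List

# Field names from Table 1-1; "ServiceType Mask" is spelled as the switch
# prints it rather than as the table header spells it.
FIELDS = [
    "State", "ServiceType Mask", "Idle Cut", "AccessLimit", "Current AccessNum",
    "Bind location", "Vlan ID", "IP address", "MAC address",
]
_FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r"):")
_HEADER_RE = re.compile(r"^The contents of local user (\S+):$")
_TOTAL_RE = re.compile(r"^Total (\d+) local user\(s\) Matched,\s*(\d+) listed\.$")

# Constructed sample: user1 is the page's own example output; test1 is a
# hypothetical second user carrying the IP binding from the attribute example.
SAMPLE_OUTPUT = """\
The contents of local user user1:
State: Active ServiceType Mask: None
Idle Cut: Disable
AccessLimit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
The contents of local user test1:
State: Active ServiceType Mask: None
Idle Cut: Disable
AccessLimit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: 10.110.50.1
MAC address: Disable
Total 2 local user(s) Matched,2 listed.
"""


def parse_fields(line: str) -> Dict[str, str]:
    """Split a line holding one or more 'Field: value' pairs.

    Several pairs can share a line ('State: Active ServiceType Mask: None'),
    so a value runs up to the next known field name, not the next space.
    """
    pairs: Dict[str, str] = {}
    hits = list(_FIELD_RE.finditer(line))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        pairs[m.group(1)] = line[m.end():end].strip()
    return pairs


def parse_display_local_user(text: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {field: value}} for a display local-user dump."""
    users: Dict[str, Dict[str, str]] = {}
    current = None
    listed = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = _HEADER_RE.match(line)
        if h:
            current = h.group(1)
            users[current] = {}
            continue
        t = _TOTAL_RE.match(line)
        if t:
            listed = int(t.group(2))
            continue
        if current is None:
            raise ValueError(f"field line before any user header: {line!r}")
        users[current].update(parse_fields(line))
    # The trailer's "listed" count must match what was parsed; otherwise the
    # capture was truncated or the output format has changed.
    if listed is not None and listed != len(users):
        raise ValueError(f"trailer lists {listed} users, parsed {len(users)}")
    return users


def unbound_users(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of users with no port, IP or MAC binding (all three 'Disable')."""
    keys = ("Bind location", "IP address", "MAC address")
    return [name for name, f in users.items()
            if all(f.get(k, "Disable") == "Disable" for k in keys)]


if __name__ == "__main__":
    parsed = parse_display_local_user(SAMPLE_OUTPUT)
    for name, fields in parsed.items():
        print(name, fields)
    print("users without any binding:", unbound_users(parsed))
```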
1.1.8 domain
Syntax
domain { isp-name | default { disable | enable isp-name } }
undo domain isp-name
View
System view
Parameters
isp-name: Specifies an ISP domain name, a character string not exceeding 24 characters, excluding “/”, “:”, “*”, “?”, “<”, and “>”.
default enable isp-name: Enables the default ISP domain specified by isp-name.
default disable: Disables the configuration of the default ISP. Restores the default ISP domain to system.
Description
Use the domain command to configure an ISP domain or enter the view of an existing ISP domain.
Use the undo domain command to cancel a specified ISP domain.
By default, a domain named as system has been created in the system. The attributes of system are all default values.
An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, taking userid@H3C163.net as an example, the isp-name (that is, H3C163.net) following the @ is the ISP domain name. When H3C Series Switches control user access, for an ISP user whose username is in the userid@isp-name format, the system takes the userid part as the username for identification and the isp-name part as the domain name.
The purpose of ISP domain settings is to support application environments with several ISP domains, where one access device may have supplicants from different ISPs. Because the attributes of ISP users, such as username and password structure and service types, may differ, they must be separated by ISP domain. In ISP domain view, you can configure a complete set of exclusive ISP domain attributes for each ISP domain, including the AAA schemes applied (the RADIUS scheme group and so forth).
For a switch, each supplicant belongs to an ISP domain. The system supports up to 16 ISP domains.
When this command is used, if the specified ISP domain does not exist, the system creates it. All ISP domains are in the active state when created.
Related commands: access-limit, radius-scheme, state, display domain.
Examples
# Create a new ISP domain, H3C163.net, and enter its view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain H3C163.net
New Domain added.
[H3C-isp-H3C163.net]
1.1.9 idle-cut
Syntax
idle-cut { disable | enable minute flow }
View
ISP domain view
Parameters
disable: Disables the idle-cut function for users in the domain.
enable: Enables the idle-cut function for users in the domain.
minute: Specifies the maximum idle time, ranging from 1 to 120 minutes.
flow: Specifies the minimum data traffic, ranging from 1 to 10,240,000 bytes.
Description
Use the idle-cut command to configure the user template in the current ISP domain.
By default, after an ISP domain is created, this attribute in the user template is disable, that is, user idle-cut is disabled.
The user template is a set of default user attributes. If a user requesting network service lacks some required attributes, the corresponding attributes in the template are applied to that user as defaults. The user template of the switch you are using may only provide the user idle-cut setting. After a user is authenticated, if idle-cut has been configured (enable or disable) by neither the user nor the RADIUS server, the user adopts the idle-cut state in the template.
Because a user template works in only one ISP domain, you must configure user template attributes separately for users from different ISP domains.
Related commands: domain.
Examples
# Enable the user in the current ISP domain, H3C163.net, to use the Idle-cut attribute specified in the user template (that is, enabling the user to use the Idle-cut function). The maximum idle time is 50 minutes and the minimum data traffic is 500 bytes.
[H3C-isp-H3C163.net] idle-cut enable 50 500
1.1.10 ip pool
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
View
System view, ISP domain view
Parameters
pool-number: Address pool number ranging from 0 to 99.
low-ip-address and high-ip-address: Two ends of the IP address pool. The number of IP addresses in an address pool cannot exceed 1024. If you do not provide the high-ip-address argument, then the address pool only contains the one specified by the low-ip-address argument.
Description
Use the ip pool command to create a local IP address pool for PPP users.
Use the undo ip pool command to remove a specified local address pool.
By default, no local IP address pool is created.
After creating an IP address pool in system view, you can use the remote address command to assign IP addresses in it to PPP users.
The IP addresses in an IP address pool created in ISP domain view are mainly for PPP users of that ISP domain. This kind of address pool suits ports that have many PPP users connected but cannot provide enough IP addresses. For example, a PPPoE-enabled Ethernet port can accommodate up to 4,095 users, but its Virtual Template can have only one IP address pool configured, which contains at most 1,024 IP addresses. By configuring an ISP domain address pool for the Ethernet port, PPP users of the ISP can obtain IP addresses from that pool, which eases the pressure on the port address pool.
Examples
# Create a local IP address pool ranging from 129.102.0.1 to 129.102.0.10.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain H3C163.net
[H3C-isp-H3C163.net] ip pool 0 129.102.0.1 129.102.0.10
1.1.11 level
Syntax
level level
undo level
View
Local user view
Parameters
level: User priority, an integer ranging from 0 to 3.
Description
Use the level command to set user priority.
Use the undo level command to restore the default user priority.
By default, the user priority is 0.
Related commands: local-user.
& Note:
If you specify not to authenticate or to authenticate by passwords, the levels of the commands available to an authenticated user are determined by the priority of the user interface. If a user needs to provide user name and password to pass the authentication, the levels of the commands available to an authenticated user are determined by the priority of the user.
Examples
# Set the user priority to 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user test1
[H3C-luser-test1] level 3
1.1.12 local-user
Syntax
local-user { username | password-display-mode { auto | cipher-force } }
undo local-user { username | all [ service-type { ftp | lan-access | telnet | ppp | ssh | terminal } ] | password-display-mode }
View
System view
Parameters
username: Name of the user.
password-display-mode { auto | cipher-force }: Specifies the password display mode. auto means displaying the password in the mode the user specified; cipher-force means forcing passwords to be displayed in cipher text.
all [ service-type { ftp | lan-access | telnet | ppp | ssh | terminal } ]: Deletes all local users or all local users of one type. ftp deletes all local FTP users, lan-access deletes all local Lan-access users, telnet deletes all local Telnet users, ppp deletes all local PPP users, ssh deletes all local SSH users, and terminal deletes all local terminal users.
Description
Use the local-user command to configure a local user and enter the local user view.
Use the undo local-user command to remove specified local user(s).
By default, the user database of the system is empty. If the client user wants to access FTP Server (S9500 devices) through FTP, this configuration is required.
Related commands: display local-user, service-type.
Examples
# Add a local user named test1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user test1
[H3C-luser-test1]
1.1.13 local-user password-display-mode
Syntax
local-user password-display-mode { cipher-force | auto }
undo local-user password-display-mode
View
System view
Parameters
cipher-force: Forced cipher mode specifies that the passwords of all access users must be displayed in cipher text.
auto: Auto mode specifies that a user is allowed to use the password command to set the password display mode.
Description
Use the local-user password-display-mode command to configure the password display mode for all access users.
Use the undo local-user password-display-mode command to cancel the password display mode set for all access users.
If cipher-force has been adopted, any user attempt to specify plain-text password display has no effect.
The default password display mode for all access users is cipher-force.
Related commands: display local-user, password.
Examples
# Force all the accessing users to display passwords in cipher text.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user password-display-mode cipher-force
1.1.14 name
Syntax
name string
undo name
View
VLAN view
Parameters
string: Name of the delivered VLAN. The name can contain up to 32 characters.
Description
Use the name command to configure the name of a delivered VLAN.
Use the undo name command to remove the name configured for a delivered VLAN.
By default, a delivered VLAN has no name.
The name command works with the function of dynamic VLAN delivering. For information about dynamic VLAN delivering, refer to the vlan-assignment-mode command.
Related commands: dot1x guest-vlan, vlan-assignment-mode.
Examples
# Set the name of VLAN 100 to test.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 100
[H3C-vlan100] name test
1.1.15 password
Syntax
password [ simple | cipher ] password
undo password
View
Local user view
Parameters
simple: Specifies to display passwords in simple text.
cipher: Specifies to display passwords in cipher text.
password: Defines a password. For simple mode, the password must be a plain-text string, which can contain up to 63 characters, for example, aabbcc. For cipher mode, the password can be either a plain-text string or cipher-text string, which can contain up to 88 characters.
Description
Use the password command to set a password for the local user and configure its display mode.
Use the undo password command to cancel the specified password display mode.
If local-user password-display-mode cipher-force has been adopted, using the password command to set the display mode to plain text (simple) has no effect.
Related commands: display local-user.
Examples
# Set the user test1 to display the password in simple text, given the password is 20030422.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] local-user test1
[H3C-luser-test1] password simple 20030422
1.1.16 scheme
Syntax
scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
undo scheme { radius-scheme | hwtacacs-scheme | none }
View
ISP domain view
Parameters
radius-scheme-name: RADIUS scheme name, a string no longer than 32 characters in length.
hwtacacs-scheme-name: HWTACACS scheme name, a string no longer than 32 characters in length.
local: Specifies to use the AAA service provided by the local device.
none: Specifies no specific AAA service, permitting all AAA requests.
Description
Use the scheme command to configure the AAA scheme used in the current ISP domain.
Use the undo scheme command to restore the default domain AAA scheme.
By default, an AAA scheme specifies to perform local authentications.
The scheme command specifies a RADIUS/HWTACACS scheme for the current ISP domain. The specified scheme must be an existing scheme.
If you have configured the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command, the local AAA (local) scheme will be used as the secondary AAA scheme which will be used only when the Radius Server or the TACACS Server fails. If you want to use the local or none scheme as the primary AAA scheme, you cannot configure the RADIUS or HWTACACS scheme in the command.
All AAA schemes except for the RADIUS scheme support command line authorization.
Related commands: radius scheme, hwtacacs scheme.
Examples
# With H3C163.net as the current ISP domain, specify to adopt the RADIUS scheme named extended.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] domain H3C163.net
New Domain added.
[H3C-isp-H3C163.net]
[H3C-isp-H3C163.net] scheme radius-scheme extended
# Specify the ISP domain named test to adopt the scheme named rd, with local authentication as the secondary AAA Scheme.
[H3C-isp-test] scheme radius-scheme rd local
# Specify the ISP domain named test to adopt scheme hwtac, with local as the secondary AAA scheme.
[H3C-isp-test] scheme hwtacacs-scheme hwtac local
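Several commands on this page weaken AAA when set a certain way: scheme none permits all AAA requests, accounting optional keeps users online with no accounting record, local-user password-display-mode auto and password simple expose passwords in plain text, and a domain without access-limit enable accepts an unlimited number of supplicants. The Python script below is an added example, not H3C code; it reads a configuration written in this page's command syntax, tracks which view each line belongs to, and flags those settings. The sample configuration, the guest domain, user test2 and the cipher-text placeholder are constructed.

```python
from typing import Dict, List, Tuple

# (severity, object the finding applies to, finding code)
Finding = Tuple[str, str, str]

# What each finding code means, in terms of the commands on this page.
DESCRIPTIONS = {
    "scheme-none": "scheme none permits all AAA requests; nobody is authenticated",
    "accounting-optional": "accounting optional keeps users online when the "
                           "accounting server is unreachable, so sessions go unrecorded",
    "no-access-limit": "no access-limit enable: the domain accepts an unlimited "
                       "number of supplicants (the default)",
    "password-simple": "password simple keeps the password in plain text",
    "password-display-auto": "local-user password-display-mode auto lets users choose "
                             "plain-text display; the default is cipher-force",
}

# Constructed sample configuration in the page's command syntax. Subordinate
# commands are indented one space, as the H3C CLI prints them.
SAMPLE_CONFIG = """\
local-user password-display-mode auto
domain H3C163.net
 scheme radius-scheme rd local
 access-limit enable 500
 accounting optional
 idle-cut enable 50 500
 quit
domain guest
 scheme none
 quit
local-user test1
 password simple 20030422
 service-type telnet level 3
 quit
local-user test2
 password cipher CIPHERTEXT-PLACEHOLDER
 service-type lan-access
 quit
"""


def audit_aaa_config(config: str) -> List[Finding]:
    """Walk the config in CLI view order and flag weak AAA settings."""
    findings: List[Finding] = []
    view = None  # ("domain", name) | ("local-user", name) | None
    domain_cmds: Dict[str, List[List[str]]] = {}
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if words[0] in ("quit", "return"):
            view = None
            continue
        if words[0] == "domain" and len(words) == 2:
            view = ("domain", words[1])
            domain_cmds.setdefault(words[1], [])
            continue
        if words[0] == "local-user" and len(words) >= 2:
            if words[1] == "password-display-mode":
                # System-view command, not a user name.
                if words[2:3] == ["auto"]:
                    findings.append(("medium", "system", "password-display-auto"))
                view = None
            else:
                view = ("local-user", words[1])
            continue
        if view is None:
            continue
        kind, name = view
        if kind == "domain":
            domain_cmds[name].append(words)
        elif kind == "local-user" and words[:2] == ["password", "simple"]:
            findings.append(("high", name, "password-simple"))
    # Domain checks need the whole view, since access-limit may appear
    # anywhere inside it.
    for name, cmds in domain_cmds.items():
        if ["scheme", "none"] in cmds:
            findings.append(("high", name, "scheme-none"))
        if ["accounting", "optional"] in cmds:
            findings.append(("medium", name, "accounting-optional"))
        if not any(c[:2] == ["access-limit", "enable"] for c in cmds):
            findings.append(("low", name, "no-access-limit"))
    return findings


if __name__ == "__main__":
    for severity, obj, code in audit_aaa_config(SAMPLE_CONFIG):
        print(f"{severity:6} {obj:12} {DESCRIPTIONS[code]}")
```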
1.1.17 radius-scheme
Syntax
radius-scheme radius-scheme-name
View
ISP domain view
Parameters
radius-scheme-name: RADIUS scheme name, a string no longer than 32 characters in length.
Description
Use the radius-scheme command to specify the RADIUS scheme to be referenced by the current ISP domain.
By default, a newly created ISP domain uses local AAA scheme instead of RADIUS scheme.
Note that the specified RADIUS scheme must have been configured by using the scheme command.
Related commands: radius scheme, display radius.
Examples
# Specify the RADIUS scheme test for the current ISP domain H3C163.net to reference.
[H3C-isp-H3C163.net] radius-scheme test
1.1.18 self-service-url
Syntax
self-service-url enable url-string
self-service-url disable
View
ISP domain view
Parameters
url-string: The URL (uniform resource locator) of the Web page on a self-service server that is used to modify passwords. This argument is a string of 1 to 64 characters. Do not include the character “?” in this argument; if a URL contains “?”, replace it with “|” when entering the URL on the command line.
Description
Use the self-service-url enable command to configure the self-service server URL (uniform resource locator).
Use the self-service-url disable command to remove the self-service server URL configuration.
By default, no self-service server URL is configured on the switch.
This command must be used together with a RADIUS server (such as a CAMS server) that supports self-service. Self-service means that users can manage their accounts and card numbers by themselves; a server with the self-service software installed is called a self-service server.
Once this function is enabled on the switch, users can reach the self-service server through the following operations:
- Select "Change user password" on the 802.1x client.
- The client opens the default browser (IE or Netscape) and loads the specified URL, the page on the self-service server used to change the user password.
- Change the user password on this page.
The "Change user password" option is available only after the user passes authentication; otherwise the option is greyed out and unavailable.
Examples
# Specify the URL of the Web page used to change password on the self-service server to be http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.
[H3C] domain system
[H3C-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
1.1.19 service-type
Syntax
service-type { ftp [ ftp-directory directory ] | lan-access | ppp [call-number call-number | callback-nocheck | callback-number callback-number ] | ssh [ level level | telnet | terminal ] | telnet [ level level | ssh | terminal ] | terminal [ level level | ssh | telnet ] }
undo service-type { ftp [ ftp-directory directory ] | lan-access | ppp [call-number call-number | callback-nocheck | callback-number callback-number ] | ssh [ level level | telnet | terminal ] | telnet [ level level | ssh | terminal ] | terminal [ level level | ssh | telnet ] }
View
Local user view
Parameters
ftp: Specifies user types as FTP.
ftp-directory directory: Specifies the directory of FTP users, directory is a character string of up to 64 characters.
lan-access: Specifies user type to Lan-access, which mainly refers to Ethernet accessing users, 802.1x supplicants for example.
ppp: Specifies PPP users.
call-number call-number: Sets the phone number of the caller.
callback-nocheck: Specifies that no check is performed when the modem calls back.
callback-number callback-number: Sets the callback number for a callback user.
ssh: Specifies SSH users.
telnet: Specifies user type as Telnet.
level level: Specifies the level of Telnet or SSH users. The argument level is an integer in the range of 0 to 3 and defaults to 0.
terminal: Specifies user type as Terminal.
& Note:
- When you configure the service types telnet, ssh and terminal, a later configuration overwrites the previous one. To configure two or three of them at the same time, you must specify the desired service types in one command.
- When configuring the login path for an FTP user, ensure that the path is also available on the standby board. Otherwise, the user may not be able to log in after an active/standby switchover.
Description
Use the service-type command to configure a service type for a particular user.
Use the undo service-type command to cancel the specified service type for the user.
Examples
# Provide the LAN access service to the user test1.
[H3C-luser-test1] service-type lan-access
1.1.20 state
Syntax
state { active | block }
View
ISP domain view, Local user view
Parameters
active: Places the current ISP domain (in ISP domain view) or the current local user (in local user view) in the active state, so that users in the domain, or that user, may request network services.
block: Places the current ISP domain (in ISP domain view) or the current local user (in local user view) in the block state, so that users in the domain, or that user, may not request network services.
Description
Use the state command to configure the state of the current ISP domain/ current user.
By default, after an ISP domain is created, it is in the active state (in ISP domain view).
A local user will be active (in local user view) upon its creation.
In ISP domain view, every ISP domain is in either the active or the block state. Users in an active domain can request network services; users in a blocked domain cannot. Changing the state does not affect users that are already online.
Related commands: domain.
Examples
# Set the current ISP domain H3C163.net to be in the block state. The supplicants in this domain cannot request for the network service.
[H3C-isp-H3C163.net] state block
# Set the user test1 to be in the block state.
[H3C-luser-test1] state block
1.1.21 vlan-assignment-mode
Syntax
vlan-assignment-mode { integer | string }
View
ISP domain view
Parameters
integer: Specify the VLAN delivery mode to be integer.
string: Specify the VLAN delivery mode to be string.
Description
Use the vlan-assignment-mode command to specify the VLAN delivery mode (integer or string).
By default, the integer mode is used, that is, the switch expects the RADIUS server to deliver VLAN IDs as integers.
Dynamic VLAN delivery is used to control the network resources available to a user. With this function enabled, the switch adds the port connecting an authenticated user to the VLAN specified by the attribute values delivered by the RADIUS server. In practice, ports are usually set to port-based mode so that they can work together with the guest VLAN; a port operating in MAC-address-based mode can have only one host connected to it. The VLAN IDs delivered by RADIUS servers can be of integer or string type.
- Integer type: the switch adds the port to the VLAN identified by the VLAN ID delivered by the RADIUS authentication server. If the VLAN does not exist, the switch creates it first and then adds the port to it.
- String type: the switch compares the string delivered by the RADIUS authentication server with the names of the VLANs that exist on the switch. If a match is found, the switch adds the port to that VLAN. Otherwise, the delivery fails and the user fails authentication.
Note:
- Keep the VLAN delivery mode configured on the switch consistent with the mode configured on the RADIUS server.
- In string delivery mode, the switch supports VLAN names of 1 to 32 characters. If the name configured on the RADIUS server exceeds 32 characters, the delivery fails.
- In string delivery mode, a string that contains numerals only is first interpreted as a number. If the VLAN name delivered by the RADIUS server consists only of numerals (for example "1024") and the equivalent integer is in the range 1 to 4,094, the switch treats it as a VLAN ID and adds the authenticated port to that VLAN (VLAN 1024 in this case), without consulting VLAN names. If the equivalent integer is outside the range 1 to 4,094 (for example "12345"), the delivery fails. If the all-numeral string contains spaces, such as " 12 345", only the first block of digits is converted, giving VLAN 12 in this example. Avoid all-numeral VLAN names when using string mode, since they can never be matched by name.
- Hybrid ports and trunk ports do not support VLAN delivery; only access ports support it.
Related commands: name, dot1x guest-vlan.
Examples
# Specify the dynamic VLAN delivery mode to be string.
[H3C-isp-H3C163.net] vlan-assignment-mode string
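The all-numeral rule in the note above is easy to get wrong, so here is that resolution logic written out in Python as an added example. This is not H3C code: the VLAN table, the exact case-sensitive name comparison, and the assumption that a VLAN ID obtained from a numeric string need not already exist are constructed for the demonstration.

```python
# Added example, not H3C code: the resolution rule the page gives for
# vlan-assignment-mode string, written out so its edge cases can be checked.
# Assumptions not stated on the page: name matching is an exact, case-sensitive
# comparison, and a VLAN ID obtained from an all-numeral string need not
# already exist on the switch (as in integer mode).
import re
from typing import Optional

MAX_VLAN_ID = 4094
MAX_VLAN_NAME_LEN = 32

# Constructed VLAN table standing in for the switch's own VLANs: name -> VLAN ID.
# "1024" is a VLAN *name* here, chosen deliberately to show the numeric trap.
VLAN_TABLE = {"staff": 100, "guests": 200, "1024": 300}


def resolve_string_vlan(delivered: str, vlan_table: dict) -> Optional[int]:
    """Return the VLAN ID the authenticated port is added to, or None when the
    delivery fails (and the user therefore fails authentication)."""
    if not 1 <= len(delivered) <= MAX_VLAN_NAME_LEN:
        return None                         # names over 32 characters fail
    if re.fullmatch(r"[0-9 ]+", delivered) and delivered.strip():
        # Numerals only: the first run of digits is taken as an integer VLAN ID,
        # so " 12 345" means VLAN 12 and "12345" (out of range) fails. The VLAN
        # name table is never consulted on this path.
        vlan_id = int(re.search(r"[0-9]+", delivered).group())
        return vlan_id if 1 <= vlan_id <= MAX_VLAN_ID else None
    return vlan_table.get(delivered)        # otherwise match on VLAN name


if __name__ == "__main__":
    for name in ("staff", "1024", "12345", " 12 345", "1 024", "nosuch"):
        print(repr(name), "->", resolve_string_vlan(name, VLAN_TABLE))
```

Note what the numeric path implies: a delivered string of "1024" lands the user in VLAN 1024 even though a VLAN named "1024" exists, and a stray space, as in "1 024", puts the user in VLAN 1. In string mode, give VLANs names that contain at least one non-numeral character, and check the names configured on the RADIUS server for leading spaces.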
1.2 RADIUS Protocol Configuration Commands
1.2.1 accounting optional
Syntax
accounting optional
undo accounting optional
View
RADIUS scheme view
Parameters
None
Description
Use the accounting optional command to make RADIUS accounting optional.
Use the undo accounting optional command to make RADIUS accounting mandatory again.
By default, RADIUS accounting is not optional.
With accounting optional configured, a user can still use network resources when no RADIUS accounting server is reachable or the accounting server fails; without it, such a user is disconnected.
For users under a RADIUS scheme with accounting optional configured, the switch no longer sends real-time accounting update packets or stop-accounting packets. The trade-off is availability over auditability: sessions admitted this way leave no accounting record on the server.
The accounting optional command in RADIUS scheme view takes effect only for accounting that uses this RADIUS scheme.
Examples
# Enable the selection of RADIUS accounting of the RADIUS scheme named as CAMS.
[H3C-radius-cams] accounting optional
1.2.2 data-flow-format
Syntax
data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
undo data-flow-format
View
RADIUS scheme view
Parameters
data: Sets data unit.
byte: Sets 'byte' as the unit of data flow.
giga-byte: Sets 'giga-byte' as the unit of data flow.
kilo-byte: Sets 'kilo-byte' as the unit of data flow.
mega-byte: Sets 'mega-byte' as the unit of data flow.
packet: Sets data packet unit.
giga-packet: Sets 'giga-packet' as the unit of packet flow.
kilo-packet: Sets 'kilo-packet' as the unit of packet flow.
mega-packet: Sets 'mega-packet' as the unit of packet flow.
one-packet: Sets 'one-packet' as the unit of packet flow.
Description
Use the data-flow-format command to configure the units of the data flow statistics sent to the RADIUS server. The accounting attributes carry plain counters with no unit, so these units must match what the RADIUS server expects.
Use the undo data-flow-format command to restore the default units.
By default, the data unit is byte and the data packet unit is one-packet.
Related commands: display radius.
Examples
# Set the data flow unit sent to the RADIUS server of scheme test to kilo-byte and the packet unit to kilo-packet.
[H3C-radius-test] data-flow-format data kilo-byte packet kilo-packet
1.2.3 debugging radius
Syntax
debugging radius packet
undo debugging radius packet
View
User view
Parameters
packet: Enables RADIUS packet debugging.
Description
Use the debugging radius command to enable RADIUS packet debugging.
Use the undo debugging radius command to disable RADIUS packet debugging.
By default, RADIUS packet debugging is disabled.
Examples
# Enable RADIUS packet debugging.
<H3C> debugging radius packet
1.2.4 display local-server
Syntax
display local-server { statistics | nas-ip }
View
Any view
Parameters
None
Description
Use the display local-server statistics command to view the packet statistics of the local RADIUS server.
Use the display local-server nas-ip command to view the NAS-IP addresses that are allowed to access the local server.
Related commands: local-server.
Examples
# Display the statistics of local RADIUS scheme.
<H3C> display local-server statistics
The localserver packet statistics:
Receive: 0 Send: 0
Discard: 0 Receive Packet Error: 0
Auth Reveive: 0 Auth Send: 0
Acct Receive: 0 Acct Send: 0
1.2.5 display radius
Syntax
display radius [ radius-server-name ]
View
Any view
Parameters
radius-server-name: Specifies the RADIUS scheme name, a character string of up to 32 characters. If no name is specified, all RADIUS schemes are displayed.
Description
Use the display radius command to view the configuration of all RADIUS schemes or of the specified one.
The output shows, for each scheme, its servers, ports and states, whether keys are configured, and its timer and retry settings, which is the first thing to check when users fail authentication with no response from the server.
Related commands: radius scheme.
Examples
# Display the configuration information of all the RADIUS schemes.
<H3C> display radius
------------------------------------------------------------------
SchemeName =system Index=0 Type=extended
Primary Auth IP =127.0.0.1 Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Username format =without-domain
Data flow unit =Byte
Packet unit =1
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed
Table 1-2 Description on the fields of the display radius command
Field | Description |
---|---|
SchemeName | Name of the RADIUS scheme |
Index | Index of the RADIUS scheme |
Type | Type of the RADIUS scheme |
Primary Auth IP/Port/State | IP address, UDP port and current state of the primary authentication server |
Primary Acct IP/Port/State | IP address, UDP port and current state of the primary accounting server |
Second Auth IP/Port/State | IP address, UDP port and current state of the secondary authentication server |
Second Acct IP/Port/State | IP address, UDP port and current state of the secondary accounting server |
Auth Server Encryption Key | Shared key for authentication/authorization packets (set with key authentication); "Not configured" means no key is set |
Acct Server Encryption Key | Shared key for accounting packets (set with key accounting) |
TimeOutValue (in second) | RADIUS server response timeout, in seconds |
RetryTimes | Maximum number of times a RADIUS request packet is transmitted |
RealtimeACCT (in minute) | Real-time accounting interval, in minutes |
Permitted send realtime PKT failed counts | Maximum number of real-time accounting requests that may go unanswered |
Retry sending times of noresponse acct-stop-PKT | Maximum number of retransmissions of a buffered stop-accounting request that got no response |
Username format | Format of the username sent to the server |
Data flow unit | Unit of data flow |
Packet unit | Unit of packets |
1.2.6 display radius nas-ip
Syntax
display radius nas-ip
View
Any view
Parameters
None
Description
Use the display radius nas-ip command to display all global NAS-IP addresses configured in system view, for both the public network and private networks. For a private-network NAS-IP, the name of the VPN instance it belongs to is also displayed.
Related commands: radius nas-ip.
Examples
# Display all NAS-IP information.
<H3C> display radius nas-ip
Radius VPN nas-ip: 192.168.1.1 vpn-instance:vpn1
Radius VPN nas-ip: 192.168.2.1 vpn-instance:vpn2
Radius global nas-ip: 192.168.3.1
1.2.7 display radius statistics
Syntax
display radius statistics
View
Any view
Parameters
None
Description
Use the display radius statistics command to display the statistics information of RADIUS packet.
The displayed packet information can help with RADIUS diagnosis and troubleshooting.
Related commands: radius scheme.
Examples
# Display the statistics information of RADIUS packets.
<H3C> display radius statistics
state statistic(total=4120):
DEAD=4120 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=0
AcctStop=0 OnLine=0 Stop=0
StateErr=0
Receive and Send packets statistic:
Send PKT total :0 Receive PKT total:0
RADIUS received packets statistic:
Code= 2,Num=0 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Code=22,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request ,Num=0 ,Err=0 ,Succ=0
EAP auth request ,Num=0 ,Err=0 ,Succ=0
Account request ,Num=0 ,Err=0 ,Succ=0
Account off request ,Num=0 ,Err=0 ,Succ=0
Leaving request ,Num=0 ,Err=0 ,Succ=0
PKT auth timeout ,Num=0 ,Err=0 ,Succ=0
PKT acct_timeout ,Num=0 ,Err=0 ,Succ=0
Realtime Account ,Num=2317 ,Err=0 ,Succ=2317
PKT response ,Num=0 ,Err=0 ,Succ=0
EAP reauth_request ,Num=0 ,Err=0 ,Succ=0
PORTAL access ,Num=0 ,Err=0 ,Succ=0
Update ack ,Num=0 ,Err=0 ,Succ=0
PORTAL access ack ,Num=0 ,Err=0 ,Succ=0
Session ctrl pkt ,Num=0 ,Err=0 ,Succ=0
RADIUS send messages statistic:
Normal auth accept ,Num=0
Normal auth reject ,Num=0
EAP auth accept ,Num=0
EAP auth reject ,Num=0
EAP auth replying ,Num=0
EAP reauth accept ,Num=0
EAP_reauth_reject ,Num=0
Account success ,Num=0
Account failure ,Num=0
Account off ack ,Num=0
Update request ,Num=0
Leaving ack ,Num=0
Cut req ,Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet=0
Discarded No-response-acct-stop packet=0
Table 1-3 Description on the fields of the display radius statistics command
Field | Description |
---|---|
state statistic(total=4120) | User state statistics; total is the number of state entries counted (4120 in the example above) |
DEAD | Dead state |
AuthProc | Authentication in progress |
AuthSucc | Authentication succeeded |
AcctStart | Starting accounting |
RLTSend | Sending real-time accounting |
RLTWait | Waiting for real-time accounting |
AcctStop | Stopping accounting |
OnLine | Online |
Stop | Stopped |
StateErr | State error |
1.2.8 display stop-accounting-buffer
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
Any view
Parameters
radius-scheme radius-scheme-name: Displays the buffered stop-accounting requests for the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
session-id session-id: Displays the buffered stop-accounting requests for the specified session ID. session-id is a character string of up to 50 characters.
time-range start-time stop-time: Displays the stop-accounting requests buffered within the specified time range. start-time and stop-time are the start and end of the range, in the format hh:mm:ss-yyyy/mm/dd.
user-name user-name: Displays the buffered stop-accounting requests for the specified username. user-name is a character string of up to 32 characters that must not contain "/", ":", "*", "?", "<" or ">". The @ character may appear only once in a username, and the pure username (the part before @, that is, the user ID) cannot exceed 24 characters.
Description
Use the display stop-accounting-buffer command to view the stop-accounting requests that received no response and were saved in the buffer. You can display the requests sent to a particular RADIUS scheme, those belonging to a session ID or username, or those buffered during a given time range. The displayed information helps with diagnosis and troubleshooting.
When the switch sends a stop-accounting request and gets no response from the RADIUS server, it saves the packet in the buffer and retransmits it a number of times set with the retry stop-accounting command.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable.
Examples
# Display the stopping accounting requests saved in the system buffer since 0:0:0 to 23:59:59 on August 31, 2006.
<H3C> display stop-accounting-buffer time-range 0:0:0-2006/08/31 23:59:59-2006/08/31
Total find 0 record
1.2.9 key
Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS scheme view
Parameters
accounting: Sets the shared key for RADIUS accounting packets.
authentication: Sets the shared key for RADIUS authentication/authorization packets.
string: Specifies the key, a character string of up to 16 characters. By default, no key is configured.
Description
Use the key command to configure the shared key for RADIUS authentication/authorization or accounting packets.
Use the undo key command to restore the default (no key).
RADIUS does not encrypt its packets. The RADIUS client (the switch) and the RADIUS server share a key that never travels on the wire; each side feeds the key into MD5 to compute the authenticator that validates the other side's packets and to hide the User-Password attribute in Access-Request packets. Only when the keys on both ends are identical can each end accept the other's packets and respond; with mismatched keys, replies are silently discarded and the server appears not to answer. Make sure the key set on the switch is identical to the key configured for this client on the RADIUS server. If authentication/authorization and accounting are performed by two servers with different keys, set the two keys separately.
Related commands: primary accounting, primary authentication, radius-scheme.
Examples
# Set the authentication/authorization key of the RADIUS scheme test to hello.
[H3C-radius-test] key authentication hello
# Set the accounting packet key of the RADIUS scheme test to ok.
[H3C-radius-test] key accounting ok
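What the key above actually protects is worth seeing on the wire. The following Python is an added example, not H3C code: it implements the RFC 2865 User-Password hiding and Response Authenticator computation that the shared key feeds into, and runs one Access-Request/Access-Accept exchange first with matching keys and then with a mismatch. The key hello, the user test1, the identifier, the password and the fixed Request Authenticator are constructed values for the demo.

```python
# Added example, not H3C code: what the shared key set with "key authentication"
# does on the wire (RFC 2865). RADIUS does not encrypt packets; the key is mixed
# into MD5 to hide the User-Password attribute and to compute the Response
# Authenticator the NAS checks on every reply. Key, identifier, password and the
# fixed Request Authenticator below are constructed for the demo; a real NAS
# draws a fresh unpredictable Request Authenticator for every request.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18   # attribute types
NAS_KEY = b"hello"                 # "key authentication hello" on the switch
REQUEST_AUTH = bytes(range(16))    # constructed; random in a real NAS


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous
    block), the chain seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: the server does this, and so can anyone who
    holds the key and a captured Access-Request."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(secret, code, ident, request_auth, attrs) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """NAS-side check. A reply built with a different key fails here and is
    silently dropped, which is why a key mismatch looks like a dead server."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False
    expected = response_authenticator(secret, code, ident, request_auth,
                                      reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])


def demo(nas_key: bytes = NAS_KEY, server_key: bytes = NAS_KEY) -> dict:
    """One Access-Request / Access-Accept exchange between a NAS holding nas_key
    and a server holding server_key; returns what each side ends up with."""
    ident = 7
    attrs = attribute(USER_NAME, b"test1") + attribute(
        USER_PASSWORD, hide_password(nas_key, REQUEST_AUTH, b"s3cret"))
    request = packet(ACCESS_REQUEST, ident, REQUEST_AUTH, attrs)
    # Server side: recover the password with its own copy of the key, then reply.
    recovered = reveal_password(server_key, REQUEST_AUTH,
                                parse_attributes(request[20:])[USER_PASSWORD])
    reply_attrs = attribute(REPLY_MESSAGE, b"welcome")
    auth = response_authenticator(server_key, ACCESS_ACCEPT, ident,
                                  REQUEST_AUTH, reply_attrs)
    reply = packet(ACCESS_ACCEPT, ident, auth, reply_attrs)
    return {"server_recovered_password": recovered,
            "nas_accepts_reply": verify_response(nas_key, REQUEST_AUTH, reply)}
```

Two practical consequences follow. First, a key mismatch produces no error: demo(server_key=b"ok") shows the NAS discarding the Access-Accept because verify_response fails, so the symptom is a server that never answers, and display radius statistics is where to look. Second, only User-Password is hidden, and reveal_password shows that anyone with the key and a capture of the request recovers it; every other attribute travels in the clear. With the 16-character limit on this platform, use all 16 characters, chosen at random, and configure a real key for every scheme that talks to a real server.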
1.2.10 local-server
Syntax
local-server enable
undo local-server
View
System view
Parameters
None
Description
Use the local-server enable command to enable the local RADIUS server and open UDP ports 1645 and 1646. You must enable these ports before the switch can act as a local RADIUS server.
Use the undo local-server command to disable the local RADIUS server. Ports 1645 and 1646 are then closed and the local RADIUS server is unavailable.
By default, the local RADIUS server is enabled and ports 1645 and 1646 are open. If the switch is not meant to serve RADIUS requests for other devices, disable it with undo local-server so that these ports are not left listening.
Examples
# Enable the local RADIUS server.
<H3C> system-view
[H3C] local-server enable
1.2.11 local-server nas-ip
Syntax
local-server nas-ip ip-address key password
undo local-server nas-ip ip-address
View
System view
Parameters
nas-ip ip-address: Sets the NAS-IP address of an access server (RADIUS client) permitted to use the local RADIUS server. ip-address is in dotted decimal notation. By default, there is a local server entry with the NAS-IP address 127.0.0.1.
key password: Sets the shared key for that NAS. password is a character string of up to 16 characters.
Description
Use the local-server nas-ip command to configure the parameters of the local RADIUS server.
Use the undo local-server nas-ip command to remove a local RADIUS server entry.
RADIUS, which uses authentication/authorization/accounting servers to manage users, is widely used on H3C series switches. These switches can also provide the authentication/authorization service themselves; this is called the local RADIUS function, that is, basic RADIUS server function implemented on the switch.
Caution:
- When using the local RADIUS server function, remember that the UDP port used for authentication is 1645 and that for accounting is 1646.
- The key configured by this command must be the same as the authentication/authorization key configured for the corresponding RADIUS scheme with the key authentication command in RADIUS scheme view.
- When operating as a local RADIUS server, an H3C S9500 Series Routing Switch supports CHAP and PAP authentication but not EAP MD5-challenge authentication.
H3C series switches support up to 16 local RADIUS server entries.
Related commands: radius-scheme, state.
Examples
# Allow the NAS with IP address 10.110.1.2 to use the local RADIUS server, with the shared key test.
[H3C] local-server nas-ip 10.110.1.2 key test
1.2.12 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS scheme view
Parameters
ip-address: Source IP address which is expressed in the format of dotted decimal notation.
Description
Use the nas-ip command to configure the source IP address that the switch (NAS) uses to send RADIUS packets under this scheme. All packets sent to the RADIUS server then carry this source IP address.
Use the undo nas-ip command to remove the configuration.
Specifying the source IP address for RADIUS packets prevents replies from the server from becoming unreachable when a physical interface fails. A loopback interface address is recommended. The same address must be registered as the client address on the RADIUS server, since the server identifies the NAS by source address.
By default, the source IP address is the IP address of the VLAN interface to which the port connecting to the server belongs.
Related commands: display radius, radius nas-ip
Examples
# Configure the IP address that NAS (switch) uses to send RADIUS packets as 10.1.1.1.
[H3C] radius scheme test1
[H3C-radius-test1] nas-ip 10.1.1.1
1.2.13 primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal format.
port-number: Specifies the UDP port number, in the range 1 to 65535.
Description
Use the primary accounting command to configure the IP address and port number of the primary RADIUS accounting server.
Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server. By default, the primary accounting server of the system-created RADIUS scheme named system uses IP address 127.0.0.1 and UDP port 1646; the primary accounting server of a newly created RADIUS scheme uses IP address 0.0.0.0 and UDP port 1813.
After creating a RADIUS scheme, set the IP addresses and UDP ports of the servers it uses, that is, the authentication/authorization server and the accounting server; a primary and a secondary server can be set for each. The actual settings depend on the deployment, but at least one authentication/authorization server and one accounting server are required. Make sure the RADIUS port settings on the switch match those on the RADIUS servers.
Related commands: key, radius nas-ip, state.
Examples
# Set the IP address of the primary accounting server of RADIUS scheme test to 10.110.1.2 and the UDP port 1813 to provide RADIUS accounting service.
[H3C-radius-test] primary accounting 10.110.1.2 1813
1.2.14 primary authentication
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal format.
port-number: Specifies the UDP port number, in the range 1 to 65535.
Description
Use the primary authentication command to configure the IP address and port number of the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.
By default, the primary authentication server of the system-created RADIUS scheme named system uses IP address 127.0.0.1 and UDP port 1645, and its secondary authentication server uses IP address 0.0.0.0 and UDP port 1812. The primary and secondary authentication servers of a newly created RADIUS scheme use IP address 0.0.0.0 and UDP port 1812.
After creating a RADIUS scheme, set the IP addresses and UDP ports of its RADIUS servers, including the primary/secondary authentication/authorization servers and accounting servers, according to the deployment. At least one authentication/authorization server and one accounting server must be set. Make sure the RADIUS service port settings on the switch match those on the RADIUS server.
Related commands: key, radius-scheme, state.
Examples
# Set the IP address of the primary authentication/authorization server of RADIUS scheme test to 10.110.1.1 and the UDP port 1812 to provide RADIUS authentication/authorization service.
[H3C-radius-test] primary authentication 10.110.1.1 1812
1.2.15 radius client
Syntax
radius client enable
undo radius client
View
System view
Parameters
None
Description
Use the radius client enable command to open UDP port 1812, which the RADIUS client uses. To use RADIUS authentication, make sure the port is enabled.
Use the undo radius client command to close port 1812 when RADIUS authentication is not used. Once the port is closed, the system neither receives nor responds to UDP packets whose destination port is 1812.
Port 1812 is enabled by default.
The RADIUS service currently uses port 1812 as the source port of its authentication and accounting packets, so once the port is closed the system can no longer receive RADIUS responses and RADIUS service is effectively disabled.
Examples
# Disable the port 1812.
<H3C> system-view
[H3C] undo radius client
1.2.16 radius nas-ip
Syntax
radius nas-ip ip-address [ vpn-instance vpn-instance-name ]
undo radius nas-ip [ vpn-instance vpn-instance-name ]
View
System view
Parameters
ip-address: Source IP address expressed in the format of dotted decimal notation. It must be a legal unicast address.
vpn-instance-name: VPN instance name, which is a string of 1 to 19 characters.
Description
Use the radius nas-ip command to configure the nas-ip of the global public network. Only one public network nas-ip can be configured globally.
Use the radius nas-ip ip-address vpn-instance command to configure the nas-ip of the global private network. Only one nas-ip can be configured for each private network and a maximum of 16 private networks can be configured.
Use the undo radius nas-ip command to cancel the nas-ip configuration for global public network.
Use the undo radius nas-ip vpn-instance command to cancel the nas-ip configuration for a private network.
Related commands: display radius nas-ip.
Examples
# Configure the source IP address that the switch uses to send RADIUS packets as 129.10.10.1.
<H3C> system-view
[H3C] radius nas-ip 129.10.10.1
1.2.17 radius scheme
Syntax
radius scheme radius-server-name
undo radius scheme radius-server-name
View
System view
Parameters
radius-server-name: Specifies the RADIUS scheme name with a character string not exceeding 32 characters.
Description
Use the radius scheme command to configure a RADIUS scheme and enter its view.
Use the undo radius scheme command to delete the specified RADIUS scheme.
By default, RADIUS scheme named as system has been created in the system. The attributes of system are all default values.
RADIUS protocol configuration is performed on a per-RADIUS-scheme basis. Every RADIUS scheme shall at least have the specified IP address and UDP port number of the RADIUS authentication/authorization/accounting server and some necessary parameters exchanged with the RADIUS client end (switch system). So it is necessary to create the RADIUS scheme and enter its view before performing other RADIUS protocol configurations.
A RADIUS scheme can be used by several ISP domains at the same time. You can configure up to 16 RADIUS schemes, including the default scheme named as system.
Although the undo radius scheme command can remove a specified RADIUS scheme, the default scheme cannot be removed. A scheme currently in use by online users cannot be removed either.
Related commands: display radius, display radius statistics, key, retry realtime-accounting, radius-scheme, reset stop-accounting-buffer, retry, timer realtime-accounting, state, stop-accounting-buffer enable, user-name-format.
Examples
# Create a RADIUS scheme named test and enters its view.
[H3C] radius scheme test
[H3C-radius-test]
1.2.18 reset radius statistics
Syntax
reset radius statistics
View
User view
Parameters
None
Description
Use the reset radius statistics command to clear the statistic information related to the RADIUS protocol.
Related commands: display radius.
Examples
# Clear the RADIUS protocol statistics.
<H3C> reset radius statistics
1.2.19 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
View
User view
Parameters
radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests for the specified RADIUS scheme. radius-scheme-name is a character string of up to 32 characters.
session-id session-id: Deletes the buffered stop-accounting requests for the specified session ID. session-id is a character string of up to 50 characters.
time-range start-time stop-time: Deletes the stop-accounting requests buffered within the specified time range. start-time and stop-time are the start and end of the range, in the format hh:mm:ss-yyyy/mm/dd.
user-name user-name: Deletes the buffered stop-accounting requests for the specified username. user-name is a character string of up to 32 characters that must not contain "/", ":", "*", "?", "<" or ">". The @ character may appear only once in a username, and the pure username (the part before @, that is, the user ID) cannot exceed 24 characters.
Description
Use the reset stop-accounting-buffer command to delete stop-accounting requests that received no response and were saved in the buffer.
When the switch sends a stop-accounting request and gets no response from the RADIUS server, it saves the packet in the buffer and retransmits it a number of times set with the retry stop-accounting command.
This command deletes such requests from the switch buffer. You can delete the requests sent to a particular RADIUS scheme, those belonging to a session ID or username, or those buffered during a given time range. Deleted requests are never retransmitted, so the accounting server receives no stop record for those sessions from the switch.
Related commands: display stop-accounting-buffer, stop-accounting-buffer enable.
Examples
# Delete the stop-accounting requests saved in the system buffer by the user, [email protected].
<H3C> reset stop-accounting-buffer user-name [email protected]
# Delete the stop-accounting requests saved in the system buffer since 0:0:0 to 23:59:59 on August 31, 2006.
<H3C> reset stop-accounting-buffer time-range 0:0:0-2006/08/31 23:59:59-2006/08/31
1.2.20 retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Parameters
retry-times: Specifies the maximum times of retransmission, ranging from 1 to 20. By default, the value is 3.
Description
Use the retry command to configure retransmission times of RADIUS request packet.
Use the undo retry command to restore the retransmission times to default value.
Because RADIUS carries its data in UDP packets, the exchange is not reliable. If the RADIUS server has not responded when the timeout expires, the NAS retransmits the RADIUS request. Suppose the maximum number of retransmissions is N. If the request has been transmitted more than N-[N/2] times and the primary RADIUS server still gives no answer, the NAS considers communication with the current RADIUS server lost and sends the request to the other RADIUS server instead.
Setting a suitable retry-time according to the network situation can speed up the system response.
Related commands: radius scheme.
Examples
# Set to retransmit the RADIUS request packet no more than 5 times in the RADIUS scheme test.
[H3C-radius-test] retry 5
1.2.21 retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Parameters
retry-times: Specifies the maximum number of real-time accounting requests that may go unanswered, ranging from 1 to 255. By default, up to 5 requests may go unanswered.
Description
Use the retry realtime-accounting command to configure the maximum number of real-time accounting requests that may go unanswered.
Use the undo retry realtime-accounting command to restore this maximum to the default value.
A RADIUS server usually uses a timeout timer to check whether a user is still online. If the RADIUS server has not received a real-time accounting packet from the NAS within the timeout, it assumes a line or device failure and stops accounting. Therefore, when such a failure occurs, the user must be disconnected at the NAS end and on the RADIUS server synchronously. H3C series switches let you set the maximum number of real-time accounting requests that may go unanswered: the NAS disconnects the user if it has not received a real-time accounting response from the RADIUS server for that many requests.
How is the value of count calculated? Suppose the RADIUS server connection times out in T and the real-time accounting interval of the NAS is t; then count is the integer part of T divided by t. Therefore, T should be chosen so that it is exactly divisible by t.
Related commands: radius scheme, timer realtime-accounting.
Examples
# Allow the real-time accounting request failing to be responded for up to 10 times.
[H3C-radius-test] retry realtime-accounting 10
1.2.22 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Parameters
retry-times: Maximum number of retransmissions of a buffered stop-accounting request, ranging from 10 to 65535. By default, the value is 500.
Description
Use the retry stop-accounting command to configure the maximum number of retransmissions of a stop-accounting request that has been saved in the buffer because it got no response.
Use the undo retry stop-accounting command to restore the default number of retransmissions.
Because a stop-accounting request concerns the account balance and affects the amount charged, which matters to both the user and the ISP, the NAS must make its best effort to deliver the message to the RADIUS accounting server. Accordingly, if a message from the switch to the RADIUS accounting server receives no response, the switch saves it in the local buffer and retransmits it until the server responds, or discards it after the specified number of transmissions.
Related commands: display stop-accounting-buffer hwtacacs scheme, radius scheme, reset stop-accounting-buffer.
Examples
# Configure the switch to retransmit a buffered stop-accounting request to the server configured for the RADIUS scheme test up to 1000 times.
[H3C-radius-test] retry stop-accounting 1000
1.2.23 secondary accounting
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal format. By default, the IP address of the secondary accounting server is 0.0.0.0.
port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the accounting service is provided via UDP 1813.
Description
Use the secondary accounting command to configure the IP address and port number for the secondary RADIUS accounting server.
Use the undo secondary accounting command to restore the IP address and port number to default values.
For detailed information, read the description of the primary accounting command.
Related commands: key, radius scheme, state.
Examples
# Set the IP address of the secondary accounting server of RADIUS scheme test to 10.110.1.1 and the UDP port 1813 to provide RADIUS accounting service.
[H3C-radius-test] secondary accounting 10.110.1.1 1813
1.2.24 secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
RADIUS scheme view
Parameters
ip-address: IP address, in dotted decimal format. By default, the IP address of secondary authentication/authorization server is 0.0.0.0.
port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the authentication/authorization service is provided via UDP 1812.
Description
Use the secondary authentication command to configure the IP address and port number for the secondary RADIUS authentication/authorization server.
Use the undo secondary authentication command to restore the IP address and port number to default values.
For detailed information, read the description of the primary authentication command.
Related commands: key, radius scheme, state.
Examples
# Set the IP address of the secondary authentication/authorization server of RADIUS scheme test to 10.110.1.2 and the UDP port 1812 to provide RADIUS authentication/authorization service.
[H3C-radius-test] secondary authentication 10.110.1.2 1812
1.2.25 security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View
RADIUS scheme view
Parameters
ip-address: IP address of the security policy server.
all: All security policy servers.
Description
Use the security-policy-server command to specify a security policy server.
Use the undo security-policy-server command to remove one or all security policy servers.
By default, no security policy server is specified.
Note that:
- If more than one VLAN interface of an access device is enabled with Portal, the interfaces may use different security policy servers. You can specify up to eight security policy servers for a RADIUS scheme.
- The specified security policy server must be a security policy server or RADIUS server that is correctly configured and working normally. Otherwise, the device will regard it as an illegal server.
Related commands: radius nas-ip.
Examples
# For RADIUS scheme test, set the IP address of a security policy server to 10.110.1.2.
[H3C-radius-test] security-policy-server 10.110.1.2
1.2.26 server-type
Syntax
server-type { extended | portal | standard }
undo server-type
View
RADIUS scheme view
Parameters
extended: Configures the switch system to support the extended RADIUS scheme, which requires the RADIUS client (switch system) and RADIUS server to interact according to the private RADIUS protocol regulation and Huawei private packet format.
portal: RADIUS server cooperating with iTellin Portal system.
standard: Configures the switch system to support the RADIUS server of Standard type, which requires the RADIUS client end (switch system) and RADIUS server to interact according to the regulation and packet format of standard RADIUS protocol (RFC 2138/2139 or newer).
Description
Use the server-type command to configure the RADIUS scheme type supported by the switch.
Use the undo server-type command to restore the RADIUS scheme type to the default value.
The default RADIUS server type of a newly created RADIUS scheme is standard. The RADIUS server type of the default RADIUS scheme (with a name of “system”), which is created by the system, is extended.
H3C S9500 Series Routing Switches support standard RADIUS protocol and the extended RADIUS service platform IP Hotel, 201+ and Portal independently developed by Huawei. This command is used to select the supported RADIUS scheme type.
Related commands: radius scheme.
Examples
# Set RADIUS scheme type of RADIUS scheme test to extended.
[H3C-radius-test] server-type extended
Note:
If RADIUS authentication is adopted for FTP user, you need to set server-type to extended in the corresponding RADIUS scheme, so that the extended RADIUS protocol is used. Otherwise, user directory attributes cannot be obtained correctly.
1.2.27 state
Syntax
state { primary | secondary } { accounting | authentication } { block | active }
View
RADIUS scheme view
Parameters
primary: Sets the state of the primary RADIUS server.
secondary: Sets the state of the secondary RADIUS server.
accounting: Sets the state of the RADIUS accounting server.
authentication: Sets the state of the RADIUS authentication/authorization server.
block: Places the RADIUS server in the block state.
active: Places the RADIUS server in the active state, namely the normal operating state.
Description
Use the state command to configure the state of a RADIUS server.
By default, for the RADIUS scheme named system, which the system creates by default, the primary RADIUS server is in the active state and the secondary RADIUS server is in the block state. For a new RADIUS scheme, a RADIUS server is in the block state if no IP address is configured for it, and in the active state if an IP address is configured for it.
For the primary and secondary servers (whether authentication/authorization or accounting servers), if the primary server loses connectivity with the NAS because of a fault, the NAS automatically turns to exchanging packets with the secondary server. However, after the primary server recovers, the NAS does not resume communication with it at once; instead, it continues communicating with the secondary server. When the secondary server fails to communicate, the NAS turns to the primary server again. This command lets you set the primary server to active manually, so that the NAS can communicate with it right after the fault is fixed.
When the primary and secondary servers are both active or both blocked, the NAS sends packets to the primary server first. If the NAS fails to connect to the primary server, it sends the packets to the secondary server.
Related commands: primary accounting, primary authentication, radius scheme, secondary accounting, secondary authentication.
Examples
# Set the status of the secondary authentication server of RADIUS scheme test to active.
[H3C-radius-test] state secondary authentication active
1.2.28 stop-accounting-buffer enable
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Parameters
None
Description
Use the stop-accounting-buffer enable command to save stop-accounting requests that get no response in the switch system buffer.
Use the undo stop-accounting-buffer enable command to stop saving stop-accounting requests that get no response in the switch system buffer.
By default, stop-accounting requests that get no response are saved in the buffer.
Because a stop-accounting request concerns the account balance and affects the amount charged, which matters to both the user and the ISP, the NAS must make its best effort to deliver the message to the RADIUS accounting server. Accordingly, if a message from the switch to the RADIUS accounting server receives no response, the switch saves it in the local buffer and retransmits it until the server responds, or discards it after the specified number of transmissions.
Related commands: display stop-accounting-buffer hwtacacs scheme, radius scheme, reset stop-accounting-buffer.
Examples
# Enable the switch to buffer the stop-accounting requests that get no answer from the server configured for the RADIUS scheme test.
[H3C-radius-test] stop-accounting-buffer enable
1.2.29 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Parameters
minutes: The parameter ranges from 1 to 255 in minutes. By default, the primary server waits for 5 minutes before it resumes the Active state.
Description
Use the timer quiet command to configure the time that the primary server takes to resume the Active state.
Use the undo timer quiet command to restore the default configuration.
This command is designed to inhibit the switch from processing user request packets for a period of time when the communication between the switch and the server is interrupted. After the switch has waited for a period of time that is equal to or greater than the time set by this command, it restarts sending user request packets to the server.
Related commands: display radius.
Examples
# Set the quiet timer of the primary server to 10 minutes.
[H3C] radius scheme test1
[H3C-radius-test1] timer quiet 10
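The retry (1.2.20), state (1.2.27) and timer quiet (1.2.29) sections together describe how the NAS retransmits to the current server, fails over to the other server, stays on the secondary after a failover, and lets the primary return to Active. The model below is an added illustration of that behaviour, not H3C code; the failover threshold N-[N/2] is taken from the retry description, and the exact timing on a real switch may differ.

```python
"""Model of the NAS-side behaviour described under retry, state and timer quiet:
retransmission to the current RADIUS server, failover to the other server, and
the primary returning to Active. Added illustration, not H3C code."""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str                 # "primary" or "secondary"
    ip: str                   # "0.0.0.0" means no address configured
    state: str = "active"     # "active" or "block"
    reachable: bool = True    # constructed knob: does the server ever answer?
    blocked_minutes: int = 0  # time spent in the block state (for timer quiet)

    def __post_init__(self) -> None:
        if self.ip == "0.0.0.0":      # a server without an IP address starts blocked
            self.state = "block"


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondary: RadiusServer
    retry: int = 3              # retry retry-times (default 3)
    response_timeout: int = 3   # timer response-timeout, seconds (default 3)
    quiet: int = 5              # timer quiet, minutes (default 5)
    current: str = "primary"    # server the NAS currently exchanges packets with
    events: list = field(default_factory=list)

    def failover_threshold(self) -> int:
        """Unanswered transmissions after which the current server is considered
        lost. The text gives N-[N/2], with [N/2] the integer part of N/2; this
        model fails over as soon as that many transmissions have gone unanswered."""
        return self.retry - self.retry // 2

    def _server(self, name: str) -> RadiusServer:
        return self.primary if name == "primary" else self.secondary

    def _order(self) -> list:
        """Preference order for a new request: primary first when both servers are
        in the same state; otherwise the NAS keeps using the active one, so it
        stays on the secondary even after the primary has recovered."""
        if self.primary.state == self.secondary.state:
            return ["primary", "secondary"]
        if self.primary.state == "active":
            return ["primary", "secondary"]
        return ["secondary", "primary"]

    def set_state(self, name: str, state: str) -> None:
        """Equivalent of: state { primary | secondary } ... { block | active }."""
        self._server(name).state = state
        self._server(name).blocked_minutes = 0

    def elapse(self, minutes: int) -> None:
        """timer quiet: a blocked primary that has an address returns to Active
        once it has waited at least quiet minutes."""
        p = self.primary
        if p.state == "block" and p.ip != "0.0.0.0":
            p.blocked_minutes += minutes
            if p.blocked_minutes >= self.quiet:
                self.set_state("primary", "active")

    def send(self, request: str) -> dict:
        """Deliver one request; report which server answered, the total number
        of transmissions, and how long the NAS waited on timeouts (seconds)."""
        transmissions, waited = 0, 0
        for name in self._order():
            srv = self._server(name)
            if srv.ip == "0.0.0.0":
                continue                        # nothing to send to
            for _ in range(self.failover_threshold()):
                transmissions += 1
                if srv.reachable:
                    self.current = name
                    self.events.append(f"{request}: answered by {name}")
                    return {"server": name, "transmissions": transmissions, "waited": waited}
                waited += self.response_timeout
            srv.state = "block"                 # give up on this server
            self.events.append(f"{request}: {name} unreachable, marked block")
        return {"server": None, "transmissions": transmissions, "waited": waited}
```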
1.2.30 timer realtime-accounting
Syntax
timer realtime-accounting minute
undo timer realtime-accounting
View
RADIUS scheme view
Parameters
minute: Real-time accounting interval, ranging from 3 to 60 and measured in minutes. It must be a multiple of 3. By default, the value is 12.
Description
Use the timer realtime-accounting command to configure the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
To implement real-time accounting, it is necessary to set a real-time accounting interval. After the attribute is set, NAS will transmit the accounting information of online users to the RADIUS server regularly.
The value of minute is related to the performance of the NAS and the RADIUS server. The smaller the value, the higher the performance required of the NAS and the RADIUS server. When there are many users (1000 or more), a larger value is recommended. The following table gives the recommended minute value for each number of users.
Table 1-4 Recommended ratio of minute to number of users
Number of users | Real-time accounting interval (in minutes) |
---|---|
1 to 99 | 3 |
100 to 499 | 6 |
500 to 999 | 12 |
≥1000 | ≥15 |
Related commands: retry realtime-accounting, radius-scheme.
Examples
# Set the real-time accounting interval of RADIUS scheme test to 51 minutes.
[H3C-radius-test] timer realtime-accounting 51
1.2.31 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Parameters
seconds: The value range is 1 to 10 in seconds. The default response timeout value of the RADIUS server is 3 seconds.
Description
Use the timer response-timeout command to set the response-timeout value of RADIUS server.
Use the undo timer response-timeout command to restore the default configuration.
Related commands: display radius.
Examples
# Set the response timeout value of the RADIUS server to 5 seconds.
[H3C] radius scheme test1
[H3C-radius-test1] timer response-timeout 5
Note:
When a RADIUS server (such as CAMS) uses extended RADIUS protocol to dynamically assign upstream rate to each user, you must use self-defined flow template with the SMAC field on the access ports of users. Otherwise, traffic limit cannot be performed properly for each user.
1.2.32 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS scheme view
Parameters
with-domain: Specifies to send the username with domain name to RADIUS server.
without-domain: Specifies to send the username without domain name to RADIUS server.
Description
Use the user-name-format command to configure the username format to be sent to RADIUS server.
By default, for a newly created RADIUS scheme, the username sent to RADIUS servers includes the ISP domain name; for the default RADIUS scheme system, the username sent to RADIUS servers excludes the ISP domain name.
Supplicants are generally named in the userid@isp-name format, where the part following “@” is the ISP domain name. The switch assigns users to ISP domains according to these domain names. However, some earlier RADIUS servers reject usernames that include an ISP domain name; in this case the domain name must be removed before the username is sent to the RADIUS server. Accordingly, the switch provides this command to decide whether the username sent to the RADIUS server carries the ISP domain name.
Note:
If a RADIUS scheme is configured to send usernames without ISP domain names, the scheme must not be used in more than one ISP domain at the same time. Otherwise, the RADIUS server will mistakenly regard two users in different ISP domains as the same user if they have the same username (excluding their respective domain names).
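The collision the note warns about is easy to check for in configuration review. The following added example (not H3C code) derives the User-Name the NAS would send for each user-name-format setting, and reports which supplicants a without-domain scheme would make indistinguishable to the server; the usernames and the second domain name are constructed.

```python
"""user-name-format: the username the NAS sends for with-domain and
without-domain, and the identity collision a shared without-domain scheme
causes. Added illustration, not H3C code."""


def split_user(supplicant: str):
    """Split 'userid@isp-name' into (userid, isp-name). The text defines the
    domain as the part following '@'; a name with no '@' has no explicit
    domain, modelled here as None."""
    userid, sep, domain = supplicant.partition("@")
    if not sep:
        return supplicant, None
    return userid, domain


def radius_user_name(supplicant: str, fmt: str) -> str:
    """Return the username the NAS puts in the RADIUS request for this scheme."""
    if fmt not in ("with-domain", "without-domain"):
        raise ValueError(f"unknown user-name-format: {fmt}")
    userid, domain = split_user(supplicant)
    if fmt == "with-domain" and domain is not None:
        return f"{userid}@{domain}"
    return userid                      # domain name stripped before sending


def find_collisions(supplicants, fmt: str) -> dict:
    """Group supplicants by the name the RADIUS server will see. Any group with
    more than one member means the server cannot tell those users apart."""
    seen: dict = {}
    for s in supplicants:
        seen.setdefault(radius_user_name(s, fmt), []).append(s)
    return {name: users for name, users in seen.items() if len(users) > 1}


def scheme_binding_ok(fmt: str, domains_using_scheme) -> bool:
    """Configuration check for the note above: a without-domain scheme referenced
    by more than one ISP domain is a misconfiguration."""
    return not (fmt == "without-domain" and len(set(domains_using_scheme)) > 1)


if __name__ == "__main__":
    # Constructed sample: the same userid exists in two ISP domains.
    users = ["alice@H3C163.net", "alice@other.net", "bob@other.net"]
    for fmt in ("with-domain", "without-domain"):
        print(fmt, [radius_user_name(u, fmt) for u in users], find_collisions(users, fmt))
```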
Related commands: radius-scheme.
Examples
# Specify that no domain name is taken along with the username to the RADIUS server.
[H3C-radius-test] user-name-format without-domain
1.2.33 vpn-instance
Syntax
vpn-instance vpn-name
undo vpn-instance
View
RADIUS scheme view
Parameters
vpn-name: The name of the VPN instance, which is a string of 1 to 19 characters.
Description
Use the vpn-instance command to configure the VPN that the RADIUS scheme belongs to.
Use the undo vpn-instance command to cancel the VPN configuration.
The VPN in this command must exist and must be assigned with a route distinguisher (RD). One RADIUS scheme can only be bound to one VPN.
Note:
After a VPN is specified for the RADIUS scheme, the configured nas-ip must belong to the VLAN bound to that VPN; otherwise the packets cannot be sent. Pay attention to this point also when configuring the global RADIUS nas-ip.
Related commands: radius-scheme.
Examples
# Specify the VPN to which the RADIUS server belongs in the RADIUS scheme test as vpn1.
[H3C-radius-test] vpn-instance vpn1
1.3 HWTACACS Configuration Commands
1.3.1 data-flow-format
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } } | { packet { giga-packet | kilo-packet | mega-packet | one-packet } }
undo data-flow-format { data | packet }
View
HWTACACS view
Parameters
data: Sets data unit.
byte: Sets byte as the data unit.
giga-byte: Sets giga-byte as the data unit.
kilo-byte: Sets kilo-byte as the data unit.
mega-byte: Sets mega-byte as the data unit.
packet: Sets packet unit.
giga-packet: Sets giga-packet as the packet unit.
kilo-packet: Sets kilo-packet as the packet unit.
mega-packet: Sets mega-packet as the packet unit.
one-packet: Sets one-packet as the packet unit.
Description
Use the data-flow-format command to configure the units of data flow to TACACS Server.
Use the undo data-flow-format command to restore the default units.
By default, the data unit is byte and the packet unit is one-packet.
Related commands: display hwtacacs.
Examples
# Set the data unit of data flow to TACACS Server test to kilo-byte and the packet unit to kilo-packet.
[H3C-hwtacacs-test] data-flow-format data kilo-byte packet kilo-packet
1.3.2 debugging hwtacacs
Syntax
debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
View
User view
Parameters
all: Enables all HWTACACS debugging.
error: Enables error debugging.
event: Enables event debugging.
message: Enables message debugging.
receive-packet: Enables incoming packet debugging.
send-packet: Enables outgoing packet debugging.
Description
Use the debugging hwtacacs command to enable HWTACACS debugging.
Use the undo debugging hwtacacs command to disable HWTACACS debugging.
By default, HWTACACS debugging is disabled.
Examples
# Enable the event debugging of HWTACACS.
<H3C> debugging hwtacacs event
1.3.3 display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name ]
View
Any view
Parameters
hwtacacs-scheme-name: Scheme name of the HWTACACS server, a string of 1 to 32 case-insensitive characters, excluding "?". If this argument is not specified, the configuration information of all HWTACACS schemes is displayed.
Description
Use the display hwtacacs command to view configuration information of one or all HWTACACS schemes.
By default, configuration information of all HWTACACS schemes is displayed.
Related commands: hwtacacs scheme.
Examples
# Display the configuration information of the HWTACACS scheme gy.
<H3C> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
Source-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : No
Traffic-unit : B
Packet traffic-unit : one-packet
-------------------------------------------------------------
Total 1,1 printed
1.3.4 display stop-accounting-buffer hwtacacs-scheme
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
Any view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered stop-accounting requests related to the HWTACACS scheme specified by hwtacacs-scheme-name, a character string not exceeding 32 characters, excluding “?”.
Description
Use the display stop-accounting-buffer command to display the information on the stop-accounting requests buffered in the switch.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable.
Examples
# Display information on the buffered stop-accounting requests related to the HWTACACS scheme test.
<H3C> display stop-accounting-buffer hwtacacs-scheme test
%No accounting stop packet exists.
1.3.5 hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Parameters
ip-address: Source IP address. It must be an address of the local host and cannot be a broadcast address of a class A, B or C network, a class D address, an all-zero address, or an address beginning with 127.
Description
Use the hwtacacs nas-ip command to specify the source address of the HWTACACS packet sent from NAS.
Use the undo hwtacacs nas-ip command to restore the default setting.
By specifying the source address of HWTACACS packets, you can prevent the server's responses from becoming unreachable when an interface fails. A loopback interface address is normally recommended as the source address.
For the hwtacacs nas-ip command, the setting in HWTACACS view takes precedence over the setting in system view.
By default, no source address is specified, that is, the address of the interface sending the packet serves as the source address.
This command specifies only one source address; a newly configured source address therefore overwrites the original one.
Examples
# Configure the switch to send hwtacacs packets from 129.10.10.1.
[H3C] hwtacacs nas-ip 129.10.10.1
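The address constraints listed under Parameters above are worth checking before a nas-ip is pushed to a device. The following added example (not H3C code) implements them as a validator; it assumes "broadcast address of class A, B or C" means the all-ones host part of the address's own classful network, also rejects the all-ones limited broadcast address, and takes an optional set of the device's own addresses (constructed in the demo) for the "local host" requirement.

```python
"""Validator for the constraints the hwtacacs nas-ip command places on
ip-address. Added illustration, not device code."""
import ipaddress


def nas_ip_rejection_reason(text: str, local_addresses=None):
    """Return None if the address is acceptable as a source address,
    otherwise a short reason why it would be rejected."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return "not a valid dotted-decimal IPv4 address"
    n = int(ip)
    first = n >> 24
    if n == 0:
        return "all-zero address"
    if first == 127:
        return "address begins with 127"
    if 224 <= first <= 239:
        return "class D (multicast) address"
    if n == 0xFFFFFFFF:
        return "limited broadcast address"       # all ones; assumption, not class A/B/C
    # Classful network of the address: A = /8, B = /16, C = /24.
    if first < 128:
        cls, host_bits = "A", 24
    elif first < 192:
        cls, host_bits = "B", 16
    elif first < 224:
        cls, host_bits = "C", 8
    else:
        cls, host_bits = None, 0                # class E: no classful broadcast check
    host_mask = (1 << host_bits) - 1
    if cls is not None and n & host_mask == host_mask:
        return f"directed broadcast address of a class {cls} network"
    # The address must belong to the local host when its addresses are known.
    if local_addresses is not None and str(ip) not in set(local_addresses):
        return "not an address of the local host"
    return None


def check_candidates(candidates, local_addresses=None) -> dict:
    """Map each candidate source address to its rejection reason (None = ok)."""
    return {c: nas_ip_rejection_reason(c, local_addresses) for c in candidates}


if __name__ == "__main__":
    # Constructed: the page's example address plus addresses that violate each rule.
    device_addresses = {"129.10.10.1", "10.1.1.1"}
    for addr, why in check_candidates(
        ["129.10.10.1", "0.0.0.0", "127.0.0.1", "224.0.0.5",
         "10.255.255.255", "172.16.255.255", "192.168.1.255", "10.1.1.1"],
        device_addresses,
    ).items():
        print(f"{addr:16} {'ok' if why is None else why}")
```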
1.3.6 hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Parameters
hwtacacs-scheme-name: Name of a HWTACACS scheme, a character string not exceeding 32 characters.
Description
Use the hwtacacs scheme command to enter the HWTACACS view. If you specified a nonexistent scheme, a new HWTACACS scheme will be created.
Use the undo hwtacacs scheme command to delete a HWTACACS scheme.
Examples
# Create a HWTACACS scheme named test1 and enter the HWTACACS view.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1]
1.3.7 key
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string
View
HWTACACS view
Parameters
accounting: Shared key of the accounting server.
authentication: Shared key of the authentication server.
authorization: Shared key of the authorization server.
string: Shared key, a string of up to 16 characters excluding the character “?”.
Description
Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.
Use the undo key command to delete the configuration.
By default, no key is set.
The HWTACACS client (the switch system) and the HWTACACS server use the MD5 algorithm to encrypt the packets they exchange. The two ends verify packets using a shared key. Only when the same key is used can both ends accept each other's packets and respond. So it is necessary to ensure that the same key is set on the switch and on the HWTACACS server. If authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.
Related commands: display hwtacacs.
Examples
# Use hello as the shared key for HWTACACS accounting.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] key accounting hello
1.3.8 nas-ip
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS view
Parameters
ip-address: Source IP address, in dotted decimal format.
Description
Use the nas-ip command to set the source IP address for HWTACACS packets sent from the NAS (switch), such that all the packets sent to the TACACS server carry the same source IP address.
Use the undo nas-ip command to delete the configuration.
Specifying the source address for HWTACACS packets prevents the packets returned from the server from becoming unreachable when a physical interface fails. Generally, a loopback interface address is recommended.
By default, the source IP address of the packets is the IP address of the interface of the VLAN to which the port connecting the server belongs.
Related commands: display hwtacacs, hwtacacs nas-ip.
Examples
# Configure the source IP address for HWTACACS packets sent from the NAS (switch) to 10.1.1.1.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] nas-ip 10.1.1.1
1.3.9 primary accounting
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
HWTACACS view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary accounting command to configure a primary TACACS accounting server.
Use the undo primary accounting command to delete the configured primary TACACS accounting server.
By default, the IP address of the TACACS accounting server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove a TACACS scheme accounting server only when no Active TCP connection used to send accounting packets is now using the server, and the removal impacts only packets forwarded afterwards.
Examples
# Configure a primary accounting server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary accounting 10.163.155.12 49
1.3.10 primary authentication
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
HWTACACS view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authentication command to configure a primary TACACS authentication server.
Use the undo primary authentication command to delete the configured authentication server.
By default, the IP address of the TACACS authentication server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authentication servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove a TACACS scheme authentication server only when no Active TCP connection used to send authentication packets uses the server, and the removal impacts only packets forwarded afterwards.
Related commands: display hwtacacs.
Examples
# Configure a primary authentication server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary authentication 10.163.155.13 49
1.3.11 primary authorization
Syntax
primary authorization ip-address [ port-number ]
undo primary authorization
View
HWTACACS view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the primary authorization command to configure a primary TACACS authorization server.
Use the undo primary authorization command to delete the configured primary authorization server.
By default, the IP address of the TACACS authorization server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary authorization servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove a TACACS scheme authorization server only when no Active TCP connection used to send authorization packets is now using the server, and the removal impacts only packets forwarded afterwards.
Related commands: display hwtacacs.
Examples
# Configure a primary authorization server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] primary authorization 10.163.155.13 49
1.3.12 reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | authentication | authorization | all }
View
User view
Parameters
accounting: Clears all the HWTACACS accounting statistics.
authentication: Clears all the HWTACACS authentication statistics.
authorization: Clears all the HWTACACS authorization statistics.
all: Clears all statistics.
Description
Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.
Related commands: display hwtacacs.
Examples
# Clear all HWTACACS protocol statistics.
<H3C> reset hwtacacs statistics
1.3.13 reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
View
User view
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Deletes the stop-accounting requests from the buffer according to the specified HWTACACS scheme name. The hwtacacs-scheme-name argument is a character string not exceeding 32 characters, excluding “?”.
Description
Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the switch.
Related commands: display stop-accounting-buffer hwtacacs scheme, stop-accounting-buffer enable, reset stop-accounting-buffer.
Examples
# Delete the buffered stop-accounting requests that are related to the HWTACACS scheme test.
<H3C> reset stop-accounting-buffer hwtacacs-scheme test
1.3.14 retry stop-accounting
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS view
Parameters
retry-times: The maximum number of stop-accounting request attempts. It is in the range 1 to 300 and defaults to 100.
Description
Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.
Use the undo retry stop-accounting command to restore the default setting.
By default, stop-accounting packet retransmission is enabled and up to 100 packets are allowed to be transmitted for each request.
Related commands: display stop-accounting-buffer hwtacacs scheme, hwtacacs scheme, reset stop-accounting-buffer.
Examples
# Enable stop-accounting packet retransmission and allow up to 50 packets to be transmitted for each request.
[H3C] retry stop-accounting 50
1.3.15 secondary accounting
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
HWTACACS view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the secondary accounting command to configure a secondary TACACS accounting server.
Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.
By default, the IP address of the TACACS accounting server is all zeros.
You are not allowed to assign the same IP address to both primary and secondary accounting servers.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove a TACACS scheme accounting server only when no Active TCP connection used to send accounting packets is now using the server, and the removal impacts only packets forwarded afterwards.
Examples
# Configure a secondary accounting server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary accounting 10.163.155.12 49
1.3.16 secondary authentication
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
HWTACACS view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the secondary authentication command to configure a secondary TACACS authentication server.
Use the undo secondary authentication command to delete the configured secondary authentication server.
By default, the IP address of the TACACS authentication server is all zeros.
You are not allowed to assign the same IP address to both the primary and the secondary authentication server.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove a TACACS scheme authentication server only when no active TCP connection for sending authentication packets is using the server; the removal affects only packets sent afterwards.
Related commands: display hwtacacs.
Examples
# Configure a secondary authentication server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary authentication 10.163.155.13 49
1.3.17 secondary authorization
Syntax
secondary authorization ip-address [ port-number ]
undo secondary authorization
View
HWTACACS view
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal format.
port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.
Description
Use the secondary authorization command to configure a secondary TACACS authorization server.
Use the undo secondary authorization command to delete the configured secondary authorization server.
By default, the IP address of the TACACS authorization server is all zeros.
You are not allowed to assign the same IP address to both the primary and the secondary authorization server.
If you repeatedly use this command, the latest configuration overwrites the previous one.
You can remove a TACACS scheme authorization server only when no active TCP connection for sending authorization packets is using the server; the removal affects only packets sent afterwards.
Related commands: display hwtacacs.
Examples
# Configure the secondary authorization server.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] secondary authorization 10.163.155.13 49
1.3.18 timer quiet
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS view
Parameters
minutes: Ranges from 1 to 255 minutes. By default, the primary server must wait five minutes before it resumes the active state.
Description
Use the timer quiet command to set the waiting time before the primary server resumes the active state.
Use the undo timer quiet command to restore the default configuration.
This command is designed to stop the switch from sending user request packets to the server for a period when the communication between the switch and the server is interrupted. After the switch has waited for a time equal to or greater than the time set by this command, it re-attempts to send packets to the server.
Related commands: display hwtacacs.
Examples
# Set the quiet timer for the primary server to 10 minutes.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer quiet 10
1.3.19 timer realtime-accounting
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS view
Parameters
minutes: Real-time accounting interval, which is in the range of 3 to 60 minutes and must be a multiple of 3. By default, it is 12 minutes.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default interval.
Setting the real-time accounting interval is necessary for real-time accounting. After an interval is set, the NAS periodically transmits the accounting information of online users to the TACACS accounting server.
The choice of real-time accounting interval depends to some extent on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. It is therefore recommended to use a longer interval when there are a large number of users (1000 or more). The following table lists the numbers of users and the recommended intervals.
Table 1-5 Number of users and recommended interval
Number of users | Real-time accounting interval (in minutes) |
---|---|
1 – 99 | 3 |
100 – 499 | 6 |
500 – 999 | 12 |
≥ 1000 | ≥ 15 |
Examples
# Set the real-time accounting interval of the HWTACACS scheme test to 51 minutes.
[H3C-hwtacacs-test] timer realtime-accounting 51
1.3.20 timer response-timeout
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS view
Parameters
seconds: TACACS server response timeout time, which is in the range of 1 to 300 seconds and defaults to 5 seconds.
Description
Use the timer response-timeout command to set the TACACS server response timeout time.
Use the undo timer response-timeout command to restore the default setting.
Note:
Since HWTACACS is implemented based on TCP, server response timeout or TCP timeout may terminate the connection to the TACACS server.
Related commands: display hwtacacs.
Examples
# Set the TACACS server response timeout time to 30 seconds.
[H3C] hwtacacs scheme test1
[H3C-hwtacacs-test1] timer response-timeout 30
1.3.21 user-name-format
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS view
Parameters
with-domain: Specifies that the domain name is taken along with the username that will be sent to the TACACS server.
without-domain: Specifies that no domain name is taken along with the username that will be sent to the TACACS server.
Description
Use the user-name-format command to set the username format acceptable to the TACACS server.
For a HWTACACS scheme, each username sent to a TACACS server contains a domain name by default.
A username is usually in the “userid@isp-name” format, with the ISP domain name following “@”. The switch uses domain names to group users into different ISP domains. However, some earlier TACACS servers do not accept usernames that carry a domain name; in this case, you must remove the domain name before sending a username to the server.
Note:
When you specify that no ISP domain name is contained in usernames for a HWTACACS scheme, this scheme cannot be used in two or more ISP domains at the same time; otherwise, errors may occur because the TACACS server considers users in different ISP domains but with the same name as one user.
Related commands: display hwtacacs.
Examples
# Specify that no domain name is taken along with the username to the HWTACACS server.
[H3C-hwtacacs-test] user-name-format without-domain
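As an added illustration of the note above (this is example code, not part of the H3C manual or the switch software), the following Python script shows what the NAS would send to the TACACS server under each user-name-format setting and lists the userids that several ISP domains share, which is the collision the note warns about. It assumes the “userid@isp-name” format described above and, as an assumption of its own, assigns usernames without “@” to a caller-supplied default domain.

```python
# Added example (not from the H3C manual): checks whether a HWTACACS scheme
# configured with "user-name-format without-domain" can safely serve several
# ISP domains. Assumption: "userid@isp-name" belongs to the domain after "@";
# a username with no "@" is assigned to a caller-supplied default domain.
from collections import defaultdict


def split_username(username, default_domain):
    """Return (userid, domain) for 'userid@isp-name'; use default_domain if no '@'."""
    userid, sep, domain = username.rpartition("@")
    if not sep:
        return username, default_domain
    return userid, domain


def name_sent_to_server(username, user_name_format, default_domain="system"):
    """Username the NAS would send to the TACACS server under the given format."""
    userid, domain = split_username(username, default_domain)
    if user_name_format == "without-domain":
        return userid
    if user_name_format == "with-domain":
        return f"{userid}@{domain}"
    raise ValueError("user_name_format must be with-domain or without-domain")


def find_collisions(usernames, default_domain="system"):
    """Return {userid: [domains]} for userids that appear in more than one ISP
    domain. Once the domain is stripped, a TACACS server treats each of these
    as a single account, so such a scheme must not be shared across domains."""
    domains_by_userid = defaultdict(set)
    for name in usernames:
        userid, domain = split_username(name, default_domain)
        domains_by_userid[userid].add(domain)
    return {u: sorted(d) for u, d in domains_by_userid.items() if len(d) > 1}


# Constructed sample: two ISP domains that would share one HWTACACS scheme.
SAMPLE_USERS = [
    "alice@H3C163.net", "bob@H3C163.net", "carol",
    "alice@partner.net", "dave@partner.net",
]

if __name__ == "__main__":
    for name in SAMPLE_USERS:
        print(name, "->", name_sent_to_server(name, "without-domain"))
    # prints {'alice': ['H3C163.net', 'partner.net']}
    print("userids shared across domains:", find_collisions(SAMPLE_USERS))
```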