Use the access-limit enable command to enable the limit on the number of user connections in an ISP domain and set the allowed maximum number. After the number of user connections reaches the maximum number allowed, no more users will be accepted.

Use the undo access-limit command to restore the default.

By default, there is no limit to the number of user connections in an ISP domain.

As user connections may compete for network resources, setting a proper limit to the number of user connections helps provide a reliable system performance.

Examples

# Set a limit of 500 user connections for ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] access-limit enable 500

access-limit

Syntax

access-limit max-user-number

undo access-limit

View

Local user view

Default Level

3: Manage level

Parameters

max-user-number: Maximum number of user connections using the current username, in the range 1 to 1024.

Description

Use the access-limit command to enable the limit on the number of user connections using the current username and set the allowed maximum number.

Use the undo access-limit command to remove the limitation.

By default, there is no limit to the number of user connections using the same username.

Note that the access-limit command takes effect only when local accounting is configured.

Related commands: display local-user.

Examples

# Enable the limit on the number of user connections using the username abc and set the allowed maximum number to 5.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] access-limit 5

accounting default

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting default command to configure the default accounting method for all types of users.

Use the undo accounting default command to restore the default.

By default, the accounting method is local.

Note that:

l The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

l The accounting method configured with the accounting default command is for all types of users and has a priority lower than that for a specific access mode.

l Local accounting is only for managing the local user connection number; it does not provide the statistics function. The local user connection number management is only for local accounting; it does not affect local authentication and authorization.

Related commands: authentication default, authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for all types of users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default radius-scheme rd local

accounting lan-access

Syntax

accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting lan-access command to configure the accounting method for LAN access users.

Use the undo accounting lan-access command to restore the default.

By default, the default accounting method that the accounting default command prescribes is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for LAN access users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access radius-scheme rd local

accounting login

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting login command to configure the accounting method for login users.

Use the undo accounting login command to restore the default.

By default, the default accounting method is used for login users.

Note that:

l The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

l Accounting is not supported for login users’ FTP services.

Related commands: accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login local

# Configure the default ISP domain system to use RADIUS accounting scheme rd for login users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login radius-scheme rd local

accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Default Level

2: System level

Parameters

None

Description

Use the accounting optional command to enable the accounting optional feature.

Use the undo accounting optional command to disable the feature.

By default, the feature is disabled.

Note that with the accounting optional command configured for a domain:

l A user that will be disconnected otherwise can use the network resources even when there is no accounting server available or communication with the current accounting server fails. This command applies to scenarios where authentication is required but accounting is not.

l If accounting for a user in the domain fails, the device will not send real-time accounting updates for the user any more.

l The limit on the number of local user connections configured by using the access-limit command in local user view is not effective.

Examples

# Enable the accounting optional feature for users in domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] accounting optional

authentication default

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication default command to configure the default authentication method for all types of users.

Use the undo authentication default command to restore the default.

By default, the authentication method is local.

Note that:

l The RADIUS, HWTACACS scheme specified for the current ISP domain must have been configured.

l The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.

Related commands: authorization default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for all types of users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default radius-scheme rd local

authentication lan-access

Syntax

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication lan-access command to configure the authentication method for LAN access users.

Use the undo authentication login command to restore the default.

By default, the default authentication method is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for LAN access users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access radius-scheme rd local

authentication login

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication login command to configure the authentication method for login users.

Use the undo authentication login command to restore the default.

By default, the default authentication method is used for login users.

Note that the RADIUS, HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login local

# Configure the default ISP domain system to use RADIUS authentication scheme rd for login users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login radius-scheme rd local

authorization command

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }

undo authorization command

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights.

Description

Use the authorization command command to configure the authorization method for command line users.

Use the undo authorization command command to restore the default.

By default, the default authorization method is used for command line users.

Note that:

l The HWTACACS scheme specified for the current ISP domain must have been configured.

l For local authorization, the local users must have been configured for the command line users on the device, and the level of the commands authorized to a local user must be lower than or equal to that of the local user. Otherwise, local authorization will fail.

Related commands: authorization default, hwtacacs scheme.

Examples

# Configure the default ISP domain system to use HWTACACS authorization scheme hw for command line users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization command hwtacacs-scheme hw

# Configure the default ISP domain system to use HWTACACS authorization scheme hw for command line users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization command hwtacacs-scheme hw local

authorization default

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization default command to configure the authorization method for all types of users.

Use the undo authorization default command to restore the default.

By default, the authorization method for all types of users is local.

Note that:

l The RADIUS, HWTACACS scheme specified for the current ISP domain must have been configured.

l The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.

l RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

Related commands: authentication default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for all types of users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default radius-scheme rd local

authorization lan-access

Syntax

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization lan-access command to configure the authorization method for LAN access users.

Use the undo authorization lan-access command to restore the default.

By default, the default authorization method is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system]authorization lan-access local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for LAN access users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization lan-access radius-scheme rd local

authorization login

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization login command to configure the authorization method for login users.

Use the undo authorization login command to restore the default.

By default, the default authorization method is used for login users.

Note that the RADIUS, HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login local

# Configure the default ISP domain system to use RADIUS authorization scheme rd for login users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login radius-scheme rd local

authorization-attribute

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | vlan | work-directory } *

View

Local user view, user group view

Default Level

3: Manage level

Parameters

acl: Specifies the authorized ACL of the local user(s).

acl-number: Authorized ACL for the local user(s), in the range 2000 to 5999.

callback-number: Specifies the authorization PPP callback number of the local user(s).

callback-number: Authorization PPP callback number for the local user(s), a case-sensitive string of 1 to 64 characters.

idle-cut: Specifies the idle cut function for the local user(s). With the idle cut function enabled, an online user whose idle period exceeds the specified idle time will be logged out.

minute: Idle time allowed, in the range 1 to 120 minutes.

level: Specifies the level of the local user(s).

level: Level of the local user(s), which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level. The default is 0.

user-profile: Specifies the authorization user profile of the local user(s).

profile-name: Name of the authorization user profile for the local user(s), a case-sensitive string of 1 to 32 characters. It can consist of English letters, digits, and underlines and must start with an English letter.

vlan: Specifies the authorized VLAN of the local user(s).

vlan-id: Authorized VLAN for the local user(s), in the range 1 to 4094.

work-directory: Specifies the authorized work directory of the local user(s), if the user or users are authorized the FTP or SFTP service type.

directory-name: Authorized work directory, a case-insensitive string of 1 to 135 characters. This directory must already exist.

Description

Use the authorization-attribute command to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device will assign these attributes to the user.

Use the undo authorization-attribute command to remove authorization attributes.

By default, no authorization attribute is configured for a local user or user group.

Note that:

l Every configurable authorization attribute has its definite application environments and purposes. However, the assignment of local user authorization attributes does not take the service type into account. Therefore, when configuring authorization attributes for a local user, consider what attributes are needed.

l Authorization attributes configured for a user group are effective on all local users of the group.

l An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

l If you specify to perform no authentication or perform password authentication, the levels of commands that a user can access after login depends on the level of the user interface. For information about user interface login authentication method, refer to the authentication-mode command in Login Commands. If the authentication method requires users to provide usernames and passwords, the levels of commands that a user can access after login depends on the level of the user. For an SSH user authenticated with an RSA public key, available commands depend on the level specified on the user interface.

l If you remove the specified work directory from the file system, the FTP/SFTP user(s) will not be able to access the directory.

l If the specified work directory carries slot information, the FTP/SFTP user(s) will not be able to access the directory after a switchover occurs. Therefore, specifying slot information for the work directory is not recommended.

Examples

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

bind-attribute

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number| ip | location | mac | vlan } *

View

Local user view

Default Level

3: Manage level

Parameters

call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters.

subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.

ip ip-address: Specifies the IP address of the user.

location: Specifies the port binding attribute of the user.

port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument is in the range 0 to 15, the subslot-number argument is in the range 0 to 15, and the port-number argument is in the range 0 to 255. Only the numbers make sense here; port types are not taken into account.

mac mac-address: Specifies the MAC address of the user in the format of H-H-H.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to 4094.

Description

Use the bind-attribute command to configure binding attributes for a local user.

Use the undo bind-attribute command to remove binding attributes of a local user.

By default, no binding attribute is configured for a local user.

Note that:

l Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the checking will fail and the user will fail the authentication as a result. In addition, such binding attribute checking does not take the service types of the users into account. That is, a configured binding attribute is effective on all types of users. Therefore, be cautious when deciding which binding attributes should be configured for which type of local users.

l The bind-attribute ip command applies only when the authentication method supports IP address upload. If you configure the command when the authentication method does not support IP address upload, local authentication will fail.

Examples

# Configure the bound IP of local user abc as 3.3.3.3.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] bind-attribute ip 3.3.3.3

cut connection

Syntax

cut connection { all | domain isp-name | ucibindex ucib-index | user-name user-name }

View

System view

Default Level

2: System level

Parameters

all: Specifies all user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.

ucibindex ucib-index: Specifies a user connection by connection index. The value range is from 0 to 4294967295.

user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.

Description

Use the cut connection command to tear down the specified connections forcibly.

At present, this command applies to only LAN access user connections.

Related commands: display connection, service-type.

Examples

# Tear down all connections in ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] cut connection domain aabbcc.net

display connection

Syntax

display connection [ domain isp-name | ucibindex ucib-index | user-name user-name ]

View

Any view

Default Level

1: Monitor level

Parameters

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.

ucibindex ucib-index: Specifies all user connections using the specified connection index. The value range is from 0 to 4294967295.

user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.

Description

Use the display connection command to display information about specified or all AAA user connections.

Note that:

l With no parameter specified, the command displays brief information about all AAA user connections.

l If you specify the ucibindex ucib-index combination, the command displays detailed information; otherwise, the command displays brief information.

l This command does not apply to FTP user connections.

Related commands: cut connection.

Examples

# Display information about all AAA user connections.

<Sysname> display connection

Index=1 ,Username=telnet@system

IP=10.0.0.1

Total 1 connection(s) matched.

Table 1-1 display connection command output description

Field	Description
Index	Index number
Username	Username of the connection, in the format username@domain
IP	IP address of the user
Total 1 connection(s) matched.	Total number of user connections

display domain

Syntax

display domain [ isp-name ]

View

Any view

Default Level

1: Monitor level

Parameters

isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.

Description

Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains.

Related commands: access-limit enable, domain, state.

Examples

# Display the configuration information of all ISP domains.

<Sysname> display domain

0 Domain = system

State = Active

Access-limit = Disable

Accounting method = Required

Default authentication scheme : local

Default authorization scheme : local

Default accounting scheme : local

Domain User Template:

Idle-cut = Disabled

Self-service = Disabled

1 Domain = aabbcc

State = Active

Access-limit = Disable

Accounting method = Required

Default authentication scheme : local

Default authorization scheme : local

Default accounting scheme : local

Lan-access authentication scheme : radius=test, local

Lan-access authorization scheme : hwtacacs=hw, local

Lan-access accounting scheme : local

Domain User Template:

Idle-cut = Disabled

Self-service = Disabled

Default Domain Name: system

Total 2 domain(s)

Table 1-2 display domain command output description

Field	Description
Domain	Domain name
State	Status of the domain (active or block)
Access-limit	Limit on the number of user connections
Accounting method	Accounting method (either required or optional)
Default authentication scheme	Default authentication method
Default authorization scheme	Default authorization method
Default accounting scheme	Default accounting method
Lan-access authentication scheme	Authentication method for LAN users
Lan-access authorization scheme	Authentication method for LAN users
Lan-access accounting scheme	Accounting method for LAN users
Domain User Template	Template for users in the domain
Idle-cut	Whether idle cut is enabled
Self-service	Whether self service is enabled
Default Domain Name	Default ISP domain name
Total 2 domain(s).	2 ISP domains in total

display local-user

Syntax

display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

View

Any view

Default Level

1: Monitor level

Parameters

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.

service-type: Specifies the local users of a type.

l ftp refers to users using FTP.

l lan-access refers to users accessing the network through an Ethernet.

l ssh refers to users using SSH.

l telnet refers to users using Telnet.

l terminal refers to users logging in through the console port, AUX port.

state { active | block }: Specifies all local users in the state of active or block. A local user in the state of active can access network services, while a local user in the state of blocked cannot.

user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.

Description

Use the display local-user command to display information about specified or all local users.

Related commands: local-user.

Examples

# Display information about all local users.

<Sysname> display local-user

The contents of local user abc:

State: Active

ServiceType: telnet

Access-limit: Disable Current AccessNum: 0

User-group: system

Bind attributes:

Authorization attributes:

User Privilege: 3

The contents of local user admin:

State: Active

ServiceType: telnet

Access-limit: Disable Current AccessNum: 0

User-group: system

Bind attributes:

Authorization attributes:

User Privilege: 3

Total 2 local user(s) matched.

Table 1-3 display local-user command output description

Field	Description
State	Status of the local user, Active or Block
ServiceType	Service types that the local user can use, including FTP, LAN, SSH, Telnet, and terminal.
Access-limit	Limit on the number of user connections using the current username
Current AccessNum	Current number of user connections using the current username
Authorization attributes	Authorization attributes of the local user

display user-group

Syntax

display user-group [ group-name ]

View

Any view

Default Level

2: System level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the display user-group command to display configuration information about one or all user groups.

Related commands: user-group.

Examples

# Display configuration information about user group abc.

<Sysname> display user-group abc

The contents of user group abc:

Total 1 user group(s) matched.

domain

Syntax

domain isp-name

undo domain isp-name

View

System view

Default Level

3: Manage level

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.

Description

Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.

Use the undo domain command to remove an ISP domain.

Note that:

l If the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

l There is a default domain in the system, which cannot be deleted and can only be changed. A user providing no ISP domain name at login is considered in the default domain. For details about the default domain, refer to command domain default enable.

Related commands: state, display domain.

Examples

# Create ISP domain aabbcc.net, and enter ISP domain view.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net]

domain default enable

Syntax

domain default enable isp-name

undo domain default enable

View

System view

Default Level

3: Manage level

Parameters

isp-name: Name of the default ISP domain, a string of 1 to 24 characters.

Description

Use the domain default enable command to configure the system default ISP domain.

Use the undo domain default enable command to restore the default.

By default, there is a default ISP domain named system.

Note that:

l There must be only one default ISP domain.

l The specified domain must have existed.

l The default ISP domain configured cannot be deleted unless you configure it as a non-default domain again.

Related commands: state, display domain.

Examples

# Create a new ISP domain named aabbcc.net, and configure it as the default ISP domain.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] quit

[Sysname] domain default enable aabbcc.net

eap-profile

Syntax

eap-profile profile-name

undo eap-profile profile-name

View

System view

Default Level

2: System level

Parameters

profile-name: Name of the profile for local EAP authentication, a case-insensitive string of 1 to 16 characters.

Description

Use the eap-profile command to create an EAP profile and/or enter EAP profile view.

Use the undo eap-profile command to remove an EAP profile.

An EAP profile is a collection of local EAP authentication settings, including the authentication method to be used and, for some authentication methods, the SSL server policy to be referenced.

Related commands: eap method, ssl-server-policy.

Examples

# Create an EAP profile and enter its view.

<Sysname> system-view

[Sysname] eap-profile aprf1

[Sysname-eap-prof-aprf1]

expiration-date

Syntax

expiration-date time

undo expiration-date

View

Local user view

Default Level

3: Manage level

Parameters

time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, MM and SS range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals to 02:02:00-2008/02/02.

Description

Use the expiration-date command to configure the expiration time of a local user.

Use the undo expiration-date command to remove the configuration.

By default, a local user has no expiration time and no time validity checking is performed.

When some users need to access the network temporarily, you can create a guest account and specify an expiration time for the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is within the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user.

Note that if you change the system time manually or the system time is changed in any other way, the access device uses the new system time for time validity checking.

Examples

# Configure the expiration time of user abc to be 12:10:20 on May 31, 2008.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31

group

Syntax

group group-name

undo group

View

Local user view

Default Level

3: Manage level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the group command to specify the user group for the local user to belong to.

Use the undo group command to restore the default.

By default, a local user belongs to user group system, which is automatically created by the device.

Examples

# Specify that local user 111 belongs to user group abc.

<Sysname> system-view

[Sysname] local-user 111

[Sysname-luser-111] group abc

idle-cut enable

Syntax

idle-cut enable minute

undo idle-cut enable

View

ISP domain view

Default Level

2: System level

Parameters

minute: Maximum idle duration allowed, in the range 1 to 120 minutes.

Description

Use the idle-cut enable command to enable the idle cut function and set the maximum idle duration allowed. With the idle cut function enabled for a domain, the system will log out any user in the domain who has been idle for a period greater than the maximum idle duration.

Use the undo idle-cut command to restore the default.

By default, the function is disabled.

Related commands: domain.

Examples

# Enable the idle cut function and set the idle threshold to 50 minutes for ISP domain aabbcc.net.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] idle-cut enable 50

local-server authentication eap-profile

Syntax

local-server authentication eap-profile profile-name

undo local-server authentication eap-profile

View

System view

Default Level

2: System level

Parameters

profile-name: EAP profile name, a case-insensitive string of 1 to 16 characters.

Description

Use the local-server authentication eap-profile command to specify the EAP profile for the local authentication server to use.

Use the undo local-server authentication eap-profile command to remove the configuration.

Note that the specified EAP profile must already exist.

Related commands: eap-profile.

Examples

# Specify the EAP profile for the local authentication server to use as aprf1.

<Sysname> system-view

[Sysname] local-server authentication eap-profile aprf1

local-user

Syntax

local-user user-name

undo local-user { user-name | all service-type { ftp | lan-access | ssh | telnet | terminal } }

View

System view

Default Level

3: Manage level

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical line (|), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>) and the @ sign and cannot be a, al, or all.

all: Specifies all users.

service-type: Specifies the users of a type.

l ftp refers to users using FTP.

l lan-access refers to users accessing the network through an Ethernet.

l ssh refers to users using SSH.

l telnet refers to users using Telnet.

l terminal refers to users logging in through the console port, AUX port.

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to remove the specified local users.

By default, no local user is configured.

Related commands: display local-user, service-type.

Examples

# Add a local user named user1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1]

local-user password-display-mode

Syntax

local-user password-display-mode { auto | cipher-force }

undo local-user password-display-mode

View

System view

Default Level

2: System level

Parameters

auto: Displays the password of a user based on the configuration of the user by using the password command.

cipher-force: Displays the passwords of all users in cipher text.

Description

Use the local-user password-display-mode command to set the password display mode for all local users.

Use the undo local-user password-d isplay-mode command to restore the default.

The default mode is auto.

With the cipher-force mode configured:

l A local user password is always displayed in cipher text, regardless of the configuration of the password command.

l If you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the device restarts, even if you restore the display mode to auto.

Related commands: display local-user, password.

Examples

# Specify to display the passwords of all users in cipher text.

<Sysname> system-view

[Sysname] local-user password-display-mode cipher-force

method

Syntax

method { md5 | peap-mschapv2 | tls }

undo method { md5 | peap-mschapv2 | tls }

View

EAP profile view

Default Level

2: System level

Parameters

md5: Specifies the Message Digest 5 (MD5) authentication method.

peap-mschapv2: Specifies the Protected Extensible Authentication Protocol (PEAP) together with the MSCHAPv2 for authentication in TLS tunnels.

tls: Specifies the Transport Layer Security (TLS) authentication method.

Description

Use the method command to specify the EAP authentication method.

Use the undo method command to remove the configuration.

By default, no EAP authentication method is specified for an EAP profile.

You can specify more than one EAP authentication method for an EAP profile. An authentication method specified earlier has a higher priority.

When an EAP client and the local server communicate for EAP authentication, they first negotiate the EAP authentication method to be used. During negotiation, the local server prefers the authentication method with the highest priority among the ones specified for it. If the client supports the authentication method, the negotiation succeeds and they proceed with the authentication process. Otherwise, the local server tries the one with the next highest priority until a supported one is found, or if none of the authentication methods are found supported, the local server sends an EAP-Failure packet to the client for notification of the authentication failure.

Examples

# Create an EAP profile and specify authentication methods MD5 and PEAP-MSCHAPv2 for the profile, with PEAP-MSCHAPv2 has a higher priority.

<Sysname> system-view

[Sysname] eap-profile aprf1

[System-eap-prof-aprf1] method peap-mschapv2

[System-eap-prof-aprf1] method md5

password

Syntax

password { cipher | simple } password

undo password

View

Local user view

Default Level

2: System level

Parameters

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in simple text.

password: Password for the local user.

l In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.

l In cipher text, it must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

l With the simple keyword, you must specify the password in simple text. With the cipher keyword, you can specify the password in either simple or cipher text.

Description

Use the password command to configure a password for a local user.

Use the undo password command to delete the password of a local user.

Note that:

l With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.

l With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.

Related commands: display local-user.

Examples

# Set the password of user1 to 123456 and specify to display the password in plain text.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] password simple 123456

self-service-url enable

Syntax

self-service-url enable url-string

undo self-service-url

View

ISP domain view

Default Level

2: System level

Parameters

url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It must start with http:// and contain no question mark.

Description

Use the self-service-url enable command to enable the self-service server localization function and specify the URL of the self-service server for changing user password.

Use the undo self-service-url command to restore the default.

By default, the function is disabled.

Note that:

l A self-service RADIUS server, for example, CAMS, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

l After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1x client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.

l Only authenticated users can select [Service/Change Password] from the 802.1x client. The option is gray and unavailable for unauthenticated users.

Examples

# Enable the self-service server localization function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default ISP domain system.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

service-type

Syntax

service-type { ftp | lan-access | { ssh | telnet | terminal } * }

undo service-type { ftp | lan-access | { ssh | telnet | terminal } * }

View

Local user view

Default Level

3: Manage level

Parameters

ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.

lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1x users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service, allowing the user to login from the console, AUX port.

Description

Use the service-type command to specify the service types that a user can use.

Use the undo service-type command to delete one or all service types configured for a user.

By default, a user is authorized with no service.

Examples

# Authorize user user1 to use the Telnet service.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type telnet

ssl-server-policy

Syntax

ssl-server-policy policy-name

undo ssl-server-policy

View

EAP profile view

Default Level

2: System level

Parameters

policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.

Description

Use the ssl-server-policy command to specify an SSL server policy for the EAP authentication.

Use the undo ssl-server-policy command to remove the configuration.

By default, no SSL server policy is specified for an EAP profile.

Note that the SSL server policy and the relevant PKI domain settings must have been configured before you specify the policy for an EAP profile. Otherwise, the command does not take effect.

Examples

# Create an EAP profile and specify an SSL server policy for it.

<Sysname> system-view

[Sysname] eap-profile aprf1

[System-eap-prof-aprf1] ssl-server-policy tls-server

state

Syntax

state { active | block }

undo state

View

ISP domain view, local user view

Default Level

2: System level

Parameters

active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services.

block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the status of the current ISP domain or local user.

Use the undo state command to restore the default.

By default, an ISP domain is active when created. So is a local user.

By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. Note that the online users are not affected.

By blocking a user, you disable the user from requesting network services. No other users are affected.

Related commands: domain.

Examples

# Place the current ISP domain aabbcc.net to the state of blocked.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] state block

# Place the current user user1 to the state of blocked.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-user-user1] state block

user-group

Syntax

user-group group-name

undo user-group group-name

View

System view

Default Level

3: Manage level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the user-group command to create a user group and enter its view.

Use the undo user-group command to remove a user group.

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Currently, you can configure password control attributes and authorization attributes for a user group.

Note that:

l A user group with one or more local users cannot be removed.

l The default system user group system cannot be removed but you can change its configurations.

Related commands: display user-group.

Examples

# Create a user group named abc and enter its view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

2 RADIUS Configuration Commands

RADIUS Configuration Commands

accounting-on enable

Syntax

accounting-on enable

undo accounting-on enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the accounting-on enable command to enable the accounting-on function. After doing so, when the device reboots, an accounting-on message will be sent to the RADIUS server to log out the online users of the device.

Use the undo accounting-on enable command to disable the accounting-on function.

By default, the accounting-on function is disabled.

Note that:

l Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable send.

l When you execute the accounting-on enable command, if the system has another authentication scheme already enabled with the accounting-on function, the command takes effect immediately. Otherwise, you need to save the configuration by using the save command, so that the command takes effect after the device reboots. For information about the save command, refer to File System Management Commands.

Related commands: radius scheme.

Examples

# Enable the accounting-on function for RADIUS authentication scheme rd.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable

accounting-on enable interval

Syntax

accounting-on enable interval seconds

undo accounting-on interval

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: Time interval to retransmit accounting-on packet in seconds, ranging from 1 to 15.

Description

Use the accounting-on enable interval command to configure the retransmission interval of accounting-on packets.

Use the undo accounting-on enable interval command to restore the default.

By default, the retransmission interval of accounting-on packets is 3 seconds.

Note that:

l Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable. That is, execution of the undo accounting-on enable interval command will not disable the accounting-on function.

l The retransmission interval configured with this command takes effect immediately.

Related commands: radius scheme, accounting-on enable.

Examples

# In RADIUS scheme rd, set the retransmission interval of accounting-on packet to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable interval 5

accounting-on enable send

Syntax

accounting-on enable send send-times

undo accounting-on send

View

RADIUS scheme view

Default Level

2: System level

Parameters

send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255.

Description

Use the accounting-on enable send command to set the maximum number of accounting-on packet transmission attempts.

Use the undo accounting-on enable send command to restore the default.

By default, the maximum number of accounting-on packet transmission attempts is 5.

Note that:

l The maximum number of accounting-on packet transmission attempts configured with this command takes effect immediately.

Related commands: radius scheme, accounting-on enable.

Examples

# In RADIUS scheme rd, set the maximum number of accounting-on packet transmission attempts to 10.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable send 10

data-flow-format (RADIUS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

View

RADIUS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Note that:

l The specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: display radius scheme.

Examples

# Define RADIUS scheme radius1 to send data flows and packets destined for the RADIUS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme-name: RADIUS scheme name.

Description

Use the display radius scheme command to display the configuration information of a specified RADIUS scheme or all RADIUS schemes.

Note that: If no RADIUS scheme is specified, the command will display the configurations of all RADIUS schemes.

Related commands: radius scheme.

Examples

# Display the configurations of all RADIUS schemes.

<Sysname> display radius scheme

------------------------------------------------------------------

SchemeName : radius1

Index : 0 Type : extended

Primary Auth IP : 1.1.1.1 Port : 1812 State : active

Primary Acct IP : 1.1.1.1 Port : 1813 State : active

Second Auth IP : 0.0.0.0 Port : 1812 State : block

Second Acct IP : 0.0.0.0 Port : 1813 State : block

Auth Server Encryption Key : 123

Acct Server Encryption Key : Not configured

Accounting-On packet disable, send times : 5 , interval : 3s

Interval for timeout(second) : 3

Retransmission times for timeout : 3

Interval for realtime accounting(minute) : 12

Retransmission times of realtime-accounting packet : 5

Retransmission times of stop-accounting packet : 500

Quiet-interval(min) : 5

Username format : without-domain

Data flow unit : Byte

Packet unit : one

------------------------------------------------------------------

Total 1 RADIUS scheme(s).

Table 2-1 display radius scheme command output description

Field	Description
SchemeName	Name of the RADIUS scheme
Index	Index number of the RADIUS scheme
Type	Type of the RADIUS server
Primary Auth IP/ Port/ State	IP address/access port number/current status of the primary authentication server: (active or block) If there is no primary authentication server specified, the IP address is 0.0.0.0 and the port number is the default. This rule is also applicable to the following three fields.
Primary Acct IP/ Port/ State	IP address/access port number/current status of the primary accounting server: (active or block)
Second Auth IP/ Port/ State	IP address/access port number/current status of the secondary authentication server: (active or block)
Second Acct IP/ Port/ State	IP address/access port number/current status of the secondary accounting server: (active or block)
Auth Server Encryption Key	Shared key of the authentication server
Acct Server Encryption Key	Shared key of the accounting server
Accounting-On packet disable	The accounting-on function is disabled
send times	Retransmission times of accounting-on packets
interval	Interval to retransmit accounting-on packets
Interval for timeout(second)	Timeout time in seconds
Retransmission times for timeout	Times of retransmission in case of timeout
Interval for realtime accounting(minute)	Interval for realtime accounting in minutes
Retransmission times of realtime-accounting packet	Retransmission times of realtime-accounting packet
Retransmission times of stop-accounting packet	Retransmission times of stop-accounting packet
Quiet-interval(min)	Quiet interval for the primary server
Username format	Format of the username
Data flow unit	Unit of data flows
Packet unit	Unit of packets
Total 1 RADIUS scheme(s)	1 RADIUS scheme in total

display radius statistics

Syntax

display radius statistics

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display radius statistics command to display statistics about RADIUS packets.

Related commands: radius scheme.

Examples

# Display statistics about RADIUS packets.

<Sysname> display radius statistics

state statistic(total=18000):

DEAD = 18000 AuthProc = 0 AuthSucc = 0

AcctStart = 0 RLTSend = 0 RLTWait = 0

AcctStop = 0 OnLine = 0 Stop = 0

Received and Sent packets statistic:

Sent PKT total = 1547 Received PKT total = 23

RADIUS received packets statistic:

Code = 2 Num = 15 Err = 0

Code = 3 Num = 4 Err = 0

Code = 5 Num = 4 Err = 0

Code = 11 Num = 0 Err = 0

Running statistic:

RADIUS received messages statistic:

Normal auth request Num = 24 Err = 0 Succ = 24

EAP auth request Num = 0 Err = 0 Succ = 0

Account request Num = 4 Err = 0 Succ = 4

Account off request Num = 503 Err = 0 Succ = 503

PKT auth timeout Num = 15 Err = 5 Succ = 10

PKT acct_timeout Num = 1509 Err = 503 Succ = 1006

Realtime Account timer Num = 0 Err = 0 Succ = 0

PKT response Num = 23 Err = 0 Succ = 23

Session ctrl pkt Num = 0 Err = 0 Succ = 0

Normal author request Num = 0 Err = 0 Succ = 0

Set policy result Num = 0 Err = 0 Succ = 0

RADIUS sent messages statistic:

Auth accept Num = 10

Auth reject Num = 14

EAP auth replying Num = 0

Account success Num = 4

Account failure Num = 3

Server ctrl req Num = 0

RecError_MSG_sum = 0

SndMSG_Fail_sum = 0

Timer_Err = 0

Alloc_Mem_Err = 0

State Mismatch = 0

Other_Error = 0

No-response-acct-stop packet = 1

Discarded No-response-acct-stop packet for buffer overflow = 0

Table 2-2 display radius statistics command output description

Field	Description
state statistic	state statistics
DEAD	Number of idle users
AuthProc	Number of users waiting for authentication
AuthSucc	Number of users who have passed authentication
AcctStart	Number of users for whom accounting has been started
RLTSend	Number of users for whom the system sends real-time accounting packets
RLTWait	Number of users waiting for real-time accounting
AcctStop	Number of users in the state of accounting waiting stopped
OnLine	Number of online users
Stop	Number of users in the state of stop
Received and Sent packets statistic	Statistics of packets received and sent
Sent PKT total	Number of packets sent
Received PKT total	Number of packets received
RADIUS received packets statistic	Statistics of packets received by RADIUS
Code	Packet type
Num	Total number of packets
Err	Number of error packets
Running statistic	RADIUS operation message statistics
RADIUS received messages statistic	Number of messages received by RADIUS
Normal auth request	Number of normal authentication requests
EAP auth request	Number of EAP authentication requests
Account request	Number of accounting requests
Account off request	Number of stop-accounting requests
PKT auth timeout	Number of authentication timeout messages
PKT acct_timeout	Number of accounting timeout messages
Realtime Account timer	Number of realtime accounting requests
PKT response	Number of responses
Session ctrl pkt	Number of session control messages
Normal author request	Number of normal authorization requests
Succ	Number of acknowledgement messages
Set policy result	Number of responses to the Set policy packets
RADIUS sent messages statistic	Number of messages that have been sent by RADIUS
Auth accept	Number of accepted authentication packets
Auth reject	Number of rejected authentication packets
EAP auth replying	Number of replying packets of EAP authentication
Account success	Number of accounting succeeded packets
Account failure	Number of accounting failed packets
Server ctrl req	Number of server control requests
RecError_MSG_sum	Number of received packets in error
SndMSG_Fail_sum	Number of packets that failed to be sent out
Timer_Err	Number of timer errors
Alloc_Mem_Err	Number of memory errors
State Mismatch	Number of errors for mismatching status
Other_Error	Number of errors of other types
No-response-acct-stop packet	Number of times that no response was received for stop-accounting packets
Discarded No-response-acct-stop packet for buffer overflow	Number of stop-accounting packets that were buffered but then discarded due to full memory

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by the user name, which is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting by the user-name-format command for the RADIUS scheme.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, user name.

Note that if receiving no response after sending a stop-accounting request to a RADIUS server, the device buffers the request and retransmits it. You can use the retry stop-accounting command to set the number of allowed transmission attempts.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

Total find 0 record (0)

eap offload

Syntax

eap offload method peap-mschapv2

undo eap offload method peap-mschapv2

View

RADIUS scheme view

Default Level

2: System level

Parameters

method peap-mschapv2: Specifies the EAP authentication method. Currently, only PEAP-MSCHAPv2 authentication is supported.

Description

Use the eap offload command to configure the EAP offload function.

Use the undo eap offload command to cancel the EAP offload function.

By default, the EAP offload function is disabled.

As some RADIUS servers do not support EAP authentication, it is necessary to configure the EAP offload function for a RADIUS scheme that uses such a RADIUS server. Later, the access device will process received EAP authentication requests from its clients before forwarding the requests to the RADIUS server for authentication. By default, an access device forwards received EAP authentication requests in pass-through mode; it does not perform offload operations.

Examples

# Configure the EAP offload function for RADIUS scheme rd1.

<Sysname> system-view

[Sysname] radius scheme rd1

[Sysname-radius-rd1] eap offload method peap-mschapv2

key (RADIUS scheme view)

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for RADIUS accounting packets.

authentication: Sets the shared key for RADIUS authentication/authorization packets.

string: Shared key, a case-sensitive string of 1 to 64 characters.

Description

Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default.

By default, no shared key is configured.

Note that:

l You must ensure that the same shared key is set on the device and the RADIUS server.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: display radius scheme.

Examples

# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key authentication hello

# Set the shared key for accounting packets to ok for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting ok

nas-ip (RADIUS scheme view)

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is that configured by the radius nas-ip command in system view.

Note that:

l Specifying a source address for the RADIUS packets to be sent to the server can avoid the situation where the packets sent back by the RADIUS server cannot reach the device as the result of a physical interface failure. The address of a loopback interface is recommended.

l The nas-ip command in RADIUS scheme view is only for the current RADIUS scheme, while the radius nas-ip command in system view is for all RADIUS schemes. However, the nas-ip command in RADIUS scheme view overwrites the configuration of the radius nas-ip command.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: radius nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] nas-ip 10.1.1.1

primary accounting (RADIUS scheme view)

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary accounting server.

port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813.

Description

Use the primary accounting command to specify the primary RADIUS accounting server.

Use the undo primary accounting command to remove the configuration.

By default, no primary RADIUS accounting server is specified.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state.

Examples

# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2 and the UDP port of the server as 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

primary authentication (RADIUS scheme view)

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the primary authentication/authorization server.

port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

Description

Use the primary authentication command to specify the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to remove the configuration.

By default, no primary RADIUS authentication/authorization server is specified.

Note that:

l After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the device are consistent with the port settings on the RADIUS servers.

l The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state.

Examples

# Specify the primary authentication/authorization server for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

radius client

Syntax

radius client enable

undo radius client

View

System view

Default Level

2: System level

Parameters

None

Description

Use the radius client enable command to enable the listening port of the RADIUS client.

Use the undo radius client command to disable the listening port of the RADIUS client.

By default, the listening port is enabled.

Note that when the listening port of the RADIUS client is disabled:

l The RADIUS client can either accept authentication, authorization or accounting requests or process timer messages. However, it fails to transmit and receive packets to and from the RADIUS server.

l The end account packets of online users cannot be sent out and buffered. This may cause a problem that the RADIUS server still has the user record after a user goes offline for a period of time.

l The authentication, authorization and accounting turn to the local scheme after the RADIUS request fails if the RADIUS scheme and the local authentication, authorization and accounting scheme are configured.

l The buffered accounting packets cannot be sent out and will be deleted from the buffer when the configured maximum number of attempts is reached.

Examples

# Enable the listening port of the RADIUS client.

<Sysname> system-view

[Sysname] radius client enable

radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the radius nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.

Use the undo radius nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l If you configure the command for more than one time, the last configuration takes effect.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Default Level

3: Manage level

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.

Use the undo radius scheme command to delete a RADIUS scheme.

By default, no RADIUS scheme is defined.

Note that:

l The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers.

l A RADIUS scheme can be referenced by more than one ISP domain at the same time.

l You cannot remove the RADIUS scheme being used by online users with the undo radius scheme command.

Related commands: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down }

undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Default Level

2: System level

Parameters

accounting-server-down: RADIUS trap for accounting servers.

authentication-server-down: RADIUS trap for authentication servers.

Description

Use the radius trap command to enable the RADIUS trap function.

Use the undo radius trap command to disable the function.

By default, the RADIUS trap function is disabled.

Note that:

l If a NAS sends an accounting or authentication request to the RADIUS server but gets no response, the NAS retransmits the request. With the RADIUS trap function enabled, when the NAS transmits the request for half of the specified maximum number of transmission attempts, it sends a trap message; when the NAS transmits the request for the specified maximum number, it sends another trap message.

l If the specified maximum number of transmission attempts is odd, the half of the number refers to the smallest integer greater than the half of the number.

Examples

# Enable the RADIUS trap function for accounting servers.

<Sysname> system-view

[Sysname] radius trap accounting-server-down

reset radius statistics

Syntax

reset radius statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset radius statistics command to clear RADIUS statistics.

Related commands: display radius scheme.

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user name based on which to reset the stop-accounting buffer. The username is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must comply with that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests, which get no responses.

Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for user [email protected].

<Sysname> reset stop-accounting-buffer user-name [email protected]

# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of transmission attempts, in the range 1 to 20.

Description

Use the retry command to set the maximum number of RADIUS transmission attempts.

Use the undo retry command to restore the default.

The default value for the retry-times argument is 3.

Note that:

l As RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout time, it will retransmit the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device regards that the authentication fails.

l The maximum number of transmission attempts defined by this command refers to the sum of all transmission attempts sent by the device to the primary server and the secondary server. For example, assume that the maximum number of transmission attempts is N and both the primary server and secondary RADIUS server are specified and exist, the device will send a request to the other server if the current server does not respond after the sum of transmission attempts reaches N/2 (if N is an even number) or (N+1)/2 (if N is an odd number).

l The maximum number of transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme, timer response-timeout.

Examples

# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5.

Description

Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.

Use the undo retry realtime-accounting command to restore the default.

Note that:

l A RADIUS server usually checks whether a user is online by a timeout timer. If it receives from the NAS no real-time accounting packet for a user in the timeout period, it considers that there may be line or device failure and stops accounting for the user. This may happen when some unexpected failure occurs. In this case, the NAS is required to disconnect the user in accordance. This is done by the maximum number of accounting request transmission attempts. Once the limit is reached but the NAS still receives no response, the NAS disconnects the user.

l Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the timeout retransmission attempts is 3 (set with the retry command), and the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command). In such a case, the device generates an accounting request every 12 minutes, and retransmits the request when receiving no response within 3 seconds. The accounting is deemed unsuccessful if no response is received within 3 requests. Then the device sends a request every 12 minutes, and if for 5 times it still receives no response, the device will cut the user connection.

Related commands: radius scheme, timer realtime-accounting.

Examples

# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting (RADIUS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

l Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the timeout retransmission attempts is 5 (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). This means that for each stop-accounting request, if the device receives no response within 3 seconds, it will initiate a new request. If still no responses are received within 5 renewed requests, the stop-accounting request is deemed unsuccessful. Then the device will temporarily store the request in the device and resend a request and repeat the whole process described above. Only when 20 consecutive attempts fail will the device discard the request.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

secondary accounting (RADIUS scheme view)

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.

port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.

Description

Use the secondary accounting command to specify the secondary RADIUS accounting server.

Use the undo secondary accounting command to remove the configuration.

By default, no secondary RADIUS accounting server is specified.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state.

Examples

# Specify the secondary accounting server for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

secondary authentication (RADIUS scheme view)

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.

port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

Description

Use the secondary authentication command to specify the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to remove the configuration.

By default, no secondary RADIUS authentication/authorization server is specified.

Note that:

l The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

l The RADIUS service port configured on the device and that of the RADIUS server must be consistent.

l You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, state.

Examples

# Specify the secondary authentication/authorization server for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS scheme view

Default Level

2: System level

Parameters

extended: Specifies the extended RADIUS server (generally CAMS), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the private RADIUS protocol.

standard: Specifies the standard RADIUS server, which requires the RADIUS client end and RADIUS server to interact according to the regulation and packet format of the standard RADIUS protocol (RFC 2865/2866 or newer).

Description

Use the server-type command to specify the RADIUS server type supported by the device.

Use the undo server-type command to restore the default.

By default, the supported RADIUS server type is standard.

Note that you can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: radius scheme.

Examples

# Set the RADIUS server type of RADIUS scheme radius1 to standard.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-type standard

state

Syntax

state { primary | secondary } { accounting | authentication } { active | block }

View

RADIUS scheme view

Default Level

2: System level

Parameters

primary: Sets the status of the primary RADIUS server.

secondary: Sets the status of the secondary RADIUS server.

accounting: Sets the status of the RADIUS accounting server.

authentication: Sets the status of the RADIUS authentication/authorization server.

active: Sets the status of the RADIUS server to active, namely the normal operation state.

block: Sets the status of the RADIUS server to block.

Description

Use the state command to set the status of a RADIUS server.

By default, every RADIUS server configured with an IP address in the RADIUS scheme is in the state of active.

Note that:

l When a primary server, authentication/authorization server or accounting server, fails, the device automatically turns to the secondary server.

l Once the primary server fails, the primary server turns into the blocked state, and the device turns to the secondary server. In this case, if the secondary server is available, the device triggers the primary server quiet timer. After the quiet timer times out, the status of the primary server is active again and the status of the secondary server remains the same. If the secondary server fails, the device restores the status of the primary server to active immediately. If the primary server has resumed, the device turns to use the primary server and stops communicating with the secondary server. After accounting starts, the communication between the client and the secondary server remains unchanged.

l When both the primary server and the secondary server are in the state of blocked, you need to set the status of the secondary server to active to use the secondary server for authentication. Otherwise, the switchover will not occur.

l If one server is in the active state while the other is blocked, the switchover will not take place even if the active server is not reachable.

l You can use this command to change the settings only when no user is using the RADIUS scheme.

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Examples

# Set the status of the secondary server in RADIUS scheme radius1 to active.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication active

stop-accounting-buffer enable (RADIUS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.

Note that you can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

timer quiet (RADIUS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

Related commands: display radius scheme.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] timer quiet 10

timer realtime-accounting (RADIUS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes, must be a multiple of 3 and in the range 3 to 60, with the default value being 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

l For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command is for setting the interval.

l The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the RADIUS server: a shorter interval means higher accounting precision but requires higher performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table lists the recommended ratios of the interval to the number of users.

Table 2-3 Recommended ratios of the accounting interval to the number of users

Number of users	Real-time accounting interval (minute)
1 to 99	3
100 to 499	6
500 to 999	12
1000 or more	15 or more

Related commands: retry realtime-accounting, radius scheme.

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout (RADIUS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.

Description

Use the timer response-timeout command to set the RADIUS server response timeout timer.

Use the undo timer command to restore the default.

Note that:

l If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it has to resend the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

l A proper value for the RADIUS server response timeout timer can help improve the system performance. Set the timer based on the network conditions.

l The maximum total number of all types of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme, retry.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

user-name-format (RADIUS scheme view)

Syntax

user-name-format { keep-original | with-domain | without-domain }

View

RADIUS scheme view

Default Level

2: System level

Parameters

keep-original: Sends the username to the RADIUS server as it is input.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.

By default, the ISP domain name is included in the username.

Note that:

l A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a RADIUS server.

l If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain, thus avoiding the confused situation where the RADIUS server regards two users in different ISP domains but with the same user ID as one.

l When 802.1x users use EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the device does not change the usernames from clients when forwarding them to the RADIUS server.

l If the RADIUS scheme is for wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.

l You can use this command to change the setting only when no user is using the RADIUS scheme.

Related commands: radius scheme.

Examples

# Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

3 HWTACACS Configuration Commands

HWTACACS Configuration Commands

data-flow-format (HWTACACS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

View

HWTACACS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a HWTACACS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

Related commands: display hwtacacs.

Examples

# Define HWTACACS scheme hwt1 to send data flows and packets destined for the TACACS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]

View

Any view

Default Level

2: System level

Parameters

hwtacacs-scheme-name: HWTACACS scheme name.

statistics: Displays complete statistics about the HWTACACS server.

Description

Use the display hwtacacs command to display configuration information or statistics of the specified or all HWTACACS schemes.

Note that: If no HWTACACS scheme is specified, the command will display the configuration information of all HWTACACS schemes.

Related commands: hwtacacs scheme.

Examples

# Display configuration information about HWTACACS scheme gy.

<Sysname> display hwtacacs gy

--------------------------------------------------------------------

HWTACACS-server template name : gy

Primary-authentication-server : 172.31.1.11:49

Primary-authorization-server : 172.31.1.11:49

Primary-accounting-server : 172.31.1.11:49

Secondary-authentication-server : 0.0.0.0:0

Secondary-authorization-server : 0.0.0.0:0

Secondary-accounting-server : 0.0.0.0:0

Current-authentication-server : 172.31.1.11:49

Current-authorization-server : 172.31.1.11:49

Current-accounting-server : 172.31.1.11:49

NAS-IP-address : 0.0.0.0

key authentication : 790131

key authorization : 790131

key accounting : 790131

Quiet-interval(min) : 5

Realtime-accounting-interval(min) : 12

Response-timeout-interval(sec) : 5

Acct-stop-PKT retransmit times : 100

Username format : with-domain

Data traffic-unit : B

Packet traffic-unit : one-packet

--------------------------------------------------------------------

Table 3-1 display hwtacacs command output description

Field	Description
HWTACACS-server template name	Name of the HWTACACS scheme
Primary-authentication-server	IP address and port number of the primary authentication server. If there is no primary authentication server specified, the value of this field is 0.0.0.0:0. This rule is also applicable to the following eight fields.
Primary-authorization-server	IP address and port number of the primary authorization server
Primary-accounting-server	IP address and port number of the primary accounting server
Secondary-authentication-server	IP address and port number of the secondary authentication server
Secondary-authorization-server	IP address and port number of the secondary authorization server
Secondary-accounting-server	IP address and port number of the secondary accounting server
Current-authentication-server	IP address and port number of the currently used authentication server
Current-authorization-server	IP address and port number of the currently used authorization server
Current-accounting-server	IP address and port number of the currently used accounting server
NAS-IP-address	IP address of the NAS If no NAS is specified, the value of this field is 0.0.0.0.
key authentication	Key for authentication
key authorization	Key for authorization
key accounting	Key for accounting
Quiet-interval	Quiet interval for the primary server
Realtime-accounting-interval	Real-time accounting interval
Response-timeout-interval	Server response timeout period
Acct-stop-PKT retransmit times	Number of stop-accounting packet transmission retries
Username format	Whether a user name includes the domain name
Data traffic-unit	Unit for data flows
Packet traffic-unit	Unit for data packets

display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

Total 0 record(s) Matched

hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the hwtacacs nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo hwtacacs nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l Specifying a source address for the HWTACACS packets to be sent to the server can avoid the situation where the packets sent back by the HWTACACS server cannot reach the device as the result of a physical interface failure.

l If you configure the command for more than one time, the last configuration takes effect.

l The nas-ip command in HWTACACS scheme view is only for the current HWTACACS scheme, while the hwtacacs nas-ip command in system view is for all HWTACACS schemes. However, the nas-ip command in HWTACACS scheme view overwrites the configuration of the hwtacacs nas-ip command.

Related commands: nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Default Level

3: Manage level

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

By default, no HWTACACS scheme exists.

Note that you cannot delete an HWTACACS scheme with online users.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

key (HWTACACS scheme view)

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for HWTACACS accounting packets.

authentication: Sets the shared key for HWTACACS authentication packets.

authorization: Sets the shared key for HWTACACS authorization packets.

string: Shared key, a string of 1 to 16 characters.

Description

Use the key command to set the shared key for HWTACACS authentication, authorization, or accounting packets.

Use the undo key command to remove the configuration.

By default, no shared key is configured.

Related commands: display hwtacacs.

Examples

# Set the shared key for HWTACACS accounting packets to hello for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key accounting hello

nas-ip (HWTACACS scheme view)

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be all 0s address, all 1s address, a class D address, a class E address or a loopback address.

Description

Use the nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.

Use the undo nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Note that:

l If you configure the command for more than one time, the last configuration takes effect.

Related commands: hwtacacs nas-ip.

Examples

# Set the IP address for the device to use as the source address of the HWTACACS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

primary accounting (HWTACACS scheme view)

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary accounting command to specify the primary HWTACACS accounting server.

Use the undo primary accounting command to remove the configuration.

By default, no primary HWTACACS accounting server is specified.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Specify the primary accounting server.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

primary authentication (HWTACACS scheme view)

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to specify the primary HWTACACS authentication server.

Use the undo primary authentication command to remove the configuration.

By default, no primary HWTACACS authentication server is specified.

Note that:

l The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs.

Examples

# Specify the primary authentication server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

primary authorization

Syntax

primary authorization ip-address [ port-number ]

undo primary authorization

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to specify the primary HWTACACS authorization server.

Use the undo primary authorization command to remove the configuration.

By default, no primary HWTACACS authorization server is specified.

Note that:

l The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the primary authorization server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

View

User view

Default Level

1: Monitor level

Parameters

accounting: Clears HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears HWTACACS authentication statistics.

authorization: Clears HWTACACS authorization statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS statistics.

Related commands: display hwtacacs.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

User view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies a HWTACACS scheme by its name, a string of 1 to 32 characters.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that get no responses.

Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

retry stop-accounting (HWTACACS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 1 to 300 and defaults to 100.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 50.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 50

secondary accounting (HWTACACS scheme view)

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary accounting command to specify the secondary HWTACACS accounting server.

Use the undo secondary accounting command to remove the configuration.

By default, no secondary HWTACACS accounting server is specified.

Note that:

l The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.

Examples

# Specify the secondary accounting server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

secondary authentication (HWTACACS scheme view)

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary authentication command to specify the secondary HWTACACS authentication server.

Use the undo secondary authentication command to remove the configuration.

By default, no secondary HWTACACS authentication server is specified.

Note that:

l The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.

Related commands: display hwtacacs.

Examples

# Specify the secondary authentication server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

secondary authorization

Syntax

secondary authorization ip-address [ port-number ]

undo secondary authorization

View

HWTACACS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.

port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.

Description

Use the secondary authorization command to specify the secondary HWTACACS authorization server.

Use the undo secondary authorization command to remove the configuration.

By default, no secondary HWTACACS authorization server is specified.

Note that:

l The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.

l The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent.

l If you configure the command for more than one time, the last configuration takes effect.

l You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.

Related commands: display hwtacacs.

Examples

# Configure the secondary authorization server.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

stop-accounting-buffer enable (HWTACACS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.

By default, the device is enabled to buffer stop-accounting requests getting no responses.

Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.

Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Examples

# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

timer quiet (HWTACACS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

Related commands: display hwtacacs.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

timer realtime-accounting (HWTACACS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval in minutes. It is a multiple of 3 in the range 3 to 60 and defaults to 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

Note that:

l For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval.

l The setting of the real-time accounting interval somewhat depends on the performance of the NAS and the HWTACACS server: a shorter interval requires higher performance. You are therefore recommended to adopt a longer interval when there are a large number of users (more than 1000, inclusive). The following table lists the recommended ratios of the interval to the number of users.

Table 3-2 Recommended ratios of the accounting interval to the number of users

Number of users	Real-time accounting interval (minute)
1 to 99	3
100 to 499	6
500 to 999	12
1000 or more	15 or more

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

timer response-timeout (HWTACACS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS scheme view

Default Level

2: System level

Parameters

seconds: HWTACACS server response timeout period in seconds. It ranges from 1 to 300 and defaults to 5.

Description

Use the timer response-timeout command to set the HWTACACS server response timeout timer.

Use the undo timer command to restore the default.

As HWTACACS is based on TCP, the timeout of the server response timeout timer and/or the TCP timeout timer will cause the device to be disconnected from the HWTACACS server.

Related commands: display hwtacacs.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

user-name-format (HWTACACS scheme view)

Syntax

user-name-format { keep-original | with-domain | without-domain }

View

HWTACACS scheme view

Default Level

2: System level

Parameters

keep-original: Sends the username to the HWTACACS server as it is input.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a HWTACACS server.

By default, the ISP domain name is included in the username.

Note that:

l A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a HWTACACS server, the device must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a HWTACACS server.

l If a HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain, thus avoiding the confused situation where the HWTACACS server regards two users in different ISP domains but with the same userid as one.

l If the HWTACACS scheme is for wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.

Related commands: hwtacacs scheme.

Examples

# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

TOP

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.

H3C S3600 Series EPON OLT Switches Command Manual-Release 3103-6W100

Table of Content

24-AAA Commands

access-limit enable

access-limit

accounting lan-access

accounting login

accounting optional

authentication default

authentication lan-access

authentication login

authorization command

authorization default

authorization lan-access

authorization login

authorization-attribute

bind-attribute

display connection

display domain

display local-user

domain

domain default enable

idle-cut enable

local-server authentication eap-profile

method

self-service-url enable

service-type

ssl-server-policy

state

2 RADIUS Configuration Commands

accounting-on enable

data-flow-format (RADIUS scheme view)

display radius scheme

display radius statistics

display stop-accounting-buffer

eap offload

key (RADIUS scheme view)

nas-ip (RADIUS scheme view)

primary accounting (RADIUS scheme view)

primary authentication (RADIUS scheme view)

radius nas-ip

radius scheme

reset radius statistics

retry

retry realtime-accounting

retry stop-accounting (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

server-type

state

stop-accounting-buffer enable (RADIUS scheme view)

timer realtime-accounting (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

user-name-format (RADIUS scheme view)

display hwtacacs

display stop-accounting-buffer

hwtacacs nas-ip

hwtacacs scheme

nas-ip (HWTACACS scheme view)

primary accounting (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

reset stop-accounting-buffer

retry stop-accounting (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

stop-accounting-buffer enable (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

timer response-timeout (HWTACACS scheme view)

user-name-format (HWTACACS scheme view)