Table of Contents
local-user password-display-mode
2 RADIUS Configuration Commands
data-flow-format (RADIUS scheme view)
display stop-accounting-buffer
primary accounting (RADIUS scheme view)
primary authentication (RADIUS scheme view)
retry stop-accounting (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
stop-accounting-buffer enable (RADIUS scheme view)
timer quiet (RADIUS scheme view)
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
3 HWTACACS Configuration Commands
HWTACACS Configuration Commands
data-flow-format (HWTACACS scheme view)
display stop-accounting-buffer
primary accounting (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
retry stop-accounting (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
timer realtime-accounting (HWTACACS scheme view)
timer response-timeout (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
AAA Configuration Commands
access-limit
Syntax
access-limit { disable | enable max-user-number }
undo access-limit
View
ISP domain view
Default Level
2: System level
Parameters
disable: Specifies that the system does not limit the number of access users in the current ISP domain.
enable max-user-number: Specifies that the system limits the number of access users in the current ISP domain. max-user-number is the maximum number of access users in the current ISP domain. The valid range is 1 to 4094.
Description
Use the access-limit enable command to set the maximum number of access users allowed by an ISP domain. After the number of user connections reaches the maximum number allowed, no more users will be accepted.
Use the undo access-limit or access-limit disable command to remove the limitation.
By default, there is no limit on the number of access users in an ISP domain.
Because access users compete for network resources, setting a proper limit on the number of access users helps ensure reliable system performance.
Examples
# Set a limit of 500 access users for ISP domain aabbcc.net.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] access-limit enable 500
accounting default
Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting default command to specify the default accounting scheme for all types of users.
Use the undo accounting default command to restore the default.
By default, the accounting scheme is local.
Note that:
- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.
- The accounting scheme specified with the accounting default command is for all types of users and has a priority lower than that for a specific access mode.
- Local accounting is only for managing the local user connection number; it does not provide the statistics function. The local user connection number management is only for local accounting; it does not affect local authentication and authorization.
- With the access mode of login, accounting is not supported for FTP services.
Related commands: authentication default, authorization default, hwtacacs scheme, radius scheme.
Examples
# Configure the default ISP domain system to use the local accounting scheme for all types of users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting default local
# Configure the default ISP domain system to use RADIUS accounting scheme rd for all types of users and to use the local accounting scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting default radius-scheme rd local
accounting lan-access
Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access
View
ISP domain view
Default Level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting lan-access command to specify the accounting scheme for LAN access users.
Use the undo accounting lan-access command to restore the default.
By default, the default accounting scheme is used for LAN access users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: accounting default, radius scheme.
Examples
# Configure the default ISP domain system to use the local accounting scheme for LAN access users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting lan-access local
# Configure the default ISP domain system to use RADIUS accounting scheme rd for LAN access users and to use the local accounting scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting lan-access radius-scheme rd local
accounting login
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting login command to specify the accounting scheme for login users.
Use the undo accounting login command to restore the default.
By default, the default accounting scheme is used for login users.
Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.
Related commands: accounting default, hwtacacs scheme, radius scheme.
Examples
# Configure the default ISP domain system to use the local accounting scheme for login users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting login local
# Configure the default ISP domain system to use RADIUS accounting scheme rd for login users and to use the local accounting scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting login radius-scheme rd local
accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Default Level
2: System level
Parameters
None
Description
Use the accounting optional command to enable the accounting optional feature.
Use the undo accounting optional command to disable the feature.
By default, the feature is disabled.
Note that:
- With the accounting optional command configured, a user that would otherwise be disconnected can still use the network resources when no accounting server is available or the communication with the current accounting server fails. This command is normally used when authentication is required but accounting is not.
- If you configure the accounting optional command for a domain, the device no longer sends real-time accounting updates for users of the domain after accounting fails.
- With the accounting optional command configured, the limit on the number of local user connections configured by the attribute access-limit command is not effective.
Examples
# Enable the accounting optional feature for users in domain aabbcc.net.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] accounting optional
accounting portal
Syntax
accounting portal { none | radius-scheme radius-scheme-name }
undo accounting portal
View
ISP domain view
Default Level
2: System level
Parameters
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the accounting portal command to specify the accounting scheme for portal users.
Use the undo accounting portal command to restore the default.
By default, the default accounting scheme is used for portal users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: accounting default, radius scheme.
Examples
# In the default ISP domain system, specify RADIUS scheme rd as the accounting scheme for portal users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] accounting portal radius-scheme rd
attribute
Syntax
attribute { access-limit max-user-number | idle-cut minute | ip ip-address | location { [ nas-ip ip-address ] port slot-number subslot-number port-number } | mac mac-address | vlan vlan-id } *
undo attribute { access-limit | idle-cut | ip | location | mac | vlan } *
View
Local user view
Default Level
2: System level
Parameters
access-limit max-user-number: Specifies the maximum number of concurrent users that can log in using the current username, which ranges from 1 to 1024.
idle-cut minute: Configures the idle cut function. The idle cut period ranges from 1 to 120, in minutes.
ip ip-address: Specifies the IP address of the user.
location: Specifies the port binding attribute of the user.
nas-ip ip-address: Specifies the IP address of the port of the remote access server bound by the user. The default is 127.0.0.1, that is, the device itself. This keyword and argument combination is required only when the user is bound to a remote port.
port slot-number subslot-number port-number: Specifies the port to which the user is bound. The value of slot-number and subslot-number both range from 0 to 15. The value of port-number ranges from 0 to 255. The ports bound are determined by port number, regardless of port type.
mac mac-address: Specifies the MAC address of the user in the format of H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to 4094.
Description
Use the attribute command to set some of the attributes for a LAN access user.
Use the undo attribute command to remove the configuration.
Note that:
- The attribute access-limit command for local users is effective only after a local accounting scheme is configured.
- The attribute ip command for local users is applicable only to authentication methods that support IP address upload, for example, 802.1X authentication. If this command is configured for an authentication method that does not support IP address upload, for example, MAC authentication, local authentication may fail.
- The idle-cut command in user interface view applies to LAN users only.
Related commands: display local-user.
Examples
# Set the IP address of local user user1 to 10.110.50.1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] attribute ip 10.110.50.1
authentication default
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication default command to specify the default authentication scheme for all types of users.
Use the undo authentication default command to restore the default.
By default, the authentication scheme is local.
Note that:
- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.
- The authentication scheme specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.
Related commands: authorization default, accounting default, hwtacacs scheme, radius scheme.
Examples
# Configure the default ISP domain system to use the local authentication scheme for all types of users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication default local
# Configure the default ISP domain system to use RADIUS authentication scheme rd for all types of users and to use the local authentication scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication default radius-scheme rd local
authentication lan-access
Syntax
authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication lan-access
View
ISP domain view
Default Level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication lan-access command to specify the authentication scheme for LAN access users.
Use the undo authentication lan-access command to restore the default.
By default, the default authentication scheme is used for LAN access users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authentication default, radius scheme.
Examples
# Configure the default ISP domain system to use the local authentication scheme for LAN access users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication lan-access local
# Configure the default ISP domain system to use RADIUS authentication scheme rd for LAN access users and to use the local authentication scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication lan-access radius-scheme rd local
authentication login
Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication login command to specify the authentication scheme for login users.
Use the undo authentication login command to restore the default.
By default, the default authentication scheme is used for login users.
Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.
Related commands: authentication default, hwtacacs scheme, radius scheme.
Examples
# Configure the default ISP domain system to use the local authentication scheme for login users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication login local
# Configure the default ISP domain system to use RADIUS authentication scheme rd for login users and to use the local authentication scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication login radius-scheme rd local
authentication portal
Syntax
authentication portal { none | radius-scheme radius-scheme-name }
undo authentication portal
View
ISP domain view
Default Level
2: System level
Parameters
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authentication portal command to specify the authentication scheme for portal users.
Use the undo authentication portal command to restore the default.
By default, the default authentication scheme is used for portal users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authentication default, radius scheme.
Examples
# In the default ISP domain system, specify RADIUS scheme rd as the authentication scheme for portal users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication portal radius-scheme rd
authorization command
Syntax
authorization command hwtacacs-scheme hwtacacs-scheme-name
undo authorization command
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization command command to specify the authorization scheme for command line users.
Use the undo authorization command command to restore the default.
By default, the default authorization scheme is used for command line users.
Note that the HWTACACS scheme specified for the current ISP domain must have been configured.
Related commands: authorization default, hwtacacs scheme.
Examples
# Configure the default ISP domain system to use HWTACACS authorization scheme hw for command line users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization command hwtacacs-scheme hw
authorization default
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization default command to specify the authorization scheme for all types of users.
Use the undo authorization default command to restore the default.
By default, the authorization scheme for all types of users is local.
Note that:
- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.
- The authorization scheme specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.
- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.
Related commands: authentication default, accounting default, hwtacacs scheme, radius scheme.
Examples
# Configure the default ISP domain system to use the local authorization scheme for all types of users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization default local
# Configure the default ISP domain system to use RADIUS authorization scheme rd for all types of users and to use the local authorization scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization default radius-scheme rd local
authorization lan-access
Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization lan-access
View
ISP domain view
Default Level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization lan-access command to specify the authorization scheme for LAN access users.
Use the undo authorization lan-access command to restore the default.
By default, the default authorization scheme is used for LAN access users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authorization default, radius scheme.
Examples
# Configure the default ISP domain system to use the local authorization scheme for LAN access users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization lan-access local
# Configure the default ISP domain system to use RADIUS authorization scheme rd for LAN access users and to use the local authorization scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization lan-access radius-scheme rd local
authorization login
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
View
ISP domain view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization login command to specify the authorization scheme for login users.
Use the undo authorization login command to restore the default.
By default, the default authorization scheme is used for login users.
Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.
Related commands: authorization default, hwtacacs scheme, radius scheme.
Examples
# Configure the default ISP domain system to use the local authorization scheme for login users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization login local
# Configure the default ISP domain system to use RADIUS authorization scheme rd for login users and to use the local authorization scheme as the backup scheme.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization login radius-scheme rd local
authorization portal
Syntax
authorization portal { none | radius-scheme radius-scheme-name }
undo authorization portal
View
ISP domain view
Default Level
2: System level
Parameters
none: Does not perform any authorization, which means the user is trusted completely; the user is assigned the default privilege.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
Description
Use the authorization portal command to specify the authorization scheme for portal users.
Use the undo authorization portal command to restore the default.
By default, the default authorization scheme is used for portal users.
Note that the RADIUS scheme specified for the current ISP domain must have been configured.
Related commands: authorization default, radius scheme.
Examples
# In the default ISP domain system, specify RADIUS scheme rd as the authorization scheme for portal users.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authorization portal radius-scheme rd
cut connection
Syntax
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]
View
System view
Default Level
2: System level
Parameters
access-type: Specifies user connections of an access mode.
- dot1x: Specifies 802.1X authentication user connections.
- mac-authentication: Specifies MAC authentication user connections.
- portal: Specifies portal authentication user connections.
all: Specifies all user connections.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies all user connections of an interface.
ip ip-address: Specifies a user connection by IP address.
mac mac-address: Specifies a user connection by MAC address. The MAC address must be in the format of H-H-H.
ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.
vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.
slot slot-number: Specifies the connections on a slot.
Description
Use the cut connection command to tear down the specified connections forcibly.
At present, this command applies to only LAN access and portal user connections.
Related commands: display connection, service-type.
Examples
# Tear down all connections in ISP domain aabbcc.net.
<Sysname> system-view
[Sysname] cut connection domain aabbcc.net
display connection
Syntax
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ]
View
Any view
Default Level
1: Monitor level
Parameters
access-type { dot1x | mac-authentication | portal }: Specifies user connections of an access mode, that is, 802.1X user connections, MAC authentication user connections, or portal authentication user connections.
domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies all user connections of an interface.
ip ip-address: Specifies all user connections using the specified IP address.
mac mac-address: Specifies all user connections using the specified MAC address. The MAC address must be in the format of H-H-H.
ucibindex ucib-index: Specifies all user connections using the specified connection index. The value ranges from 0 to 4294967295.
user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.
vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.
slot slot-number: Specifies the connections on a slot.
Description
Use the display connection command to display information about specified or all AAA user connections.
This command does not apply to FTP user connections.
Related commands: cut connection.
Examples
# Display information about all AAA user connections.
<Sysname> display connection
Index=1 ,Username=telnet@system
IP=10.0.0.1
Total 1 connection(s) matched.
Table 1-1 display connection command output description
Field | Description |
---|---|
Index | Index number |
Username | Username of the connection, in the format username@domain |
IP | IP address of the user |
Total 1 connection(s) matched. | Total number of user connections |
display domain
Syntax
display domain [ isp-name ]
View
Any view
Default Level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
Description
Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains.
Related commands: access-limit, domain, state.
Examples
# Display the configuration information of all ISP domains.
<Sysname> display domain
0 Domain = aabbcc
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius=test, local
Lan-access authorization scheme : hwtacacs=hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
1 Domain = system
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
Default Domain Name: system
Total 2 domain(s)
Table 1-2 display domain command output description
Field | Description |
---|---|
Domain | Domain name |
State | Status of the domain (active or block) |
Access-limit | Limit on the number of access users |
Accounting method | Accounting method (either required or optional) |
Default authentication scheme | Default authentication scheme |
Default authorization scheme | Default authorization scheme |
Default accounting scheme | Default accounting scheme |
Lan-access authentication scheme | Authentication scheme for LAN users |
Lan-access authorization scheme | Authorization scheme for LAN users |
Lan-access accounting scheme | Accounting scheme for LAN users |
Domain User Template | Template for users in the domain |
Idle-cut | Whether idle cut is enabled |
Self-service | Whether self service is enabled |
Default Domain Name | Default ISP domain name |
Total 2 domain(s) | 2 ISP domains in total |
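The display domain output is the quickest place to spot an ISP domain whose AAA settings are weaker than intended: a scheme of none, accounting optional (which, per the accounting optional command above, keeps users online when accounting fails and disables the local-user access-limit attribute), a disabled access limit, a silent fallback to local, or a RADIUS authorization scheme that differs from the authentication scheme (which, per authorization default, means RADIUS authorization never takes effect). The following Python script is an added example, not part of this command reference and not the device's own code: it parses the output format shown above and reports those findings per domain. SAMPLE_OUTPUT is constructed from the reference's first domain plus a made-up weak domain named guest.

```python
"""Audit `display domain` output for weak AAA settings (added example)."""
import re

# Constructed sample: the reference's domain aabbcc plus a made-up weak domain.
SAMPLE_OUTPUT = """\
0 Domain = aabbcc
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius=test, local
Lan-access authorization scheme : hwtacacs=hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
1 Domain = guest
State = Active
Access-limit = Enable
Accounting method = Optional
Default authentication scheme : none
Default authorization scheme : local
Default accounting scheme : radius=rd
Lan-access authorization scheme : radius=rd
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
Default Domain Name: system
Total 2 domain(s)
"""

DOMAIN_START = re.compile(r"^\d+\s+Domain\s*=\s*(\S+)\s*$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*[=:]\s*(.*)$")


def parse_display_domain(text):
    """Return {domain_name: {field: value}} from `display domain` output."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        start = DOMAIN_START.match(line)
        if start:
            current = domains.setdefault(start.group(1), {})
            continue
        if current is None or line.startswith(("Total ", "Default Domain Name")):
            continue
        m = FIELD.match(line)
        if m and m.group(2):  # "Domain User Template:" carries no value; skip it
            current[m.group(1).strip()] = m.group(2).strip()
    return domains


def audit_domain(fields):
    """Return the findings for one domain as a list of strings."""
    findings = []
    if fields.get("Access-limit", "").lower() == "disable":
        findings.append("access-limit disabled: number of concurrent users is unbounded")
    if fields.get("Accounting method", "").lower() == "optional":
        findings.append("accounting optional: users stay online when accounting fails "
                        "and the local-user access-limit attribute is not enforced")
    for field, value in fields.items():
        if not field.endswith(" scheme"):
            continue
        schemes = [s.strip() for s in value.split(",")]
        if schemes[0].lower() == "none":
            findings.append(f"{field} is none")
        elif len(schemes) > 1 and schemes[-1].lower() == "local":
            findings.append(f"{field} falls back to local when the remote server does not respond")
        if field.endswith("authorization scheme") and schemes[0].lower().startswith("radius="):
            # An access mode without its own authentication scheme uses the default one.
            authn = (fields.get(field.replace("authorization", "authentication"))
                     or fields.get("Default authentication scheme", ""))
            authn_first = authn.split(",")[0].strip()
            if authn_first.lower() != schemes[0].lower():
                findings.append(f"{field} is {schemes[0]} but authentication is "
                                f"{authn_first or 'unset'}: RADIUS authorization only takes "
                                "effect when it matches the RADIUS authentication scheme")
    return findings


def audit_output(text):
    """Map each domain name in the output to its findings."""
    return {name: audit_domain(fields) for name, fields in parse_display_domain(text).items()}


if __name__ == "__main__":
    for name, findings in audit_output(SAMPLE_OUTPUT).items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the captured output of display domain (for example, copied from a terminal session) instead of SAMPLE_OUTPUT to review a live configuration; the fallback-to-local finding is informational, since local backup is often deliberate, but it is worth knowing which local accounts become usable when a RADIUS or HWTACACS server is unreachable.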
display local-user
Syntax
display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ]
View
Any view
Default Level
1: Monitor level
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users of a type.
- ftp refers to users using FTP.
- lan-access refers to users accessing the network through an Ethernet port, such as 802.1X users.
- ssh refers to users using SSH.
- telnet refers to users using Telnet.
- terminal refers to users logging in through the console port or AUX port.
state { active | block }: Specifies all local users in the active or block state. A local user in the active state can access network services, while a local user in the block state cannot.
user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.
slot slot-number: Specifies all local users in the slot where the interface card is inserted.
Description
Use the display local-user command to display information about specified or all local users.
Related commands: local-user.
Examples
# Display the information of local user bbb on the card installed in slot 0.
<Sysname> display local-user user-name bbb slot 0
Slot: 0
The contents of local user bbb:
State: Active
ServiceType: lan-access
Idle-cut: Disable
Access-limit: Enable Current AccessNum: 100
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
FTP Directory: flash:
User Privilege: 0
Total 1 local user(s) matched.
Table 1-3 display local-user command output description (for distributed device)
Field | Description |
---|---|
Slot | Slot number of the card |
State | Status of the local user, active or block |
ServiceType | Service types that the user can use, including ftp, lan-access, ssh, telnet, and terminal |
Idle-cut | Whether idle cut is enabled |
Access-limit | Access user connection limit |
Current AccessNum | Number of users currently accessing network services, either for all cards or for a specified card |
Bind location | Whether bound with a port |
VLAN ID | VLAN to which the user belongs |
IP address | IP address of the user |
MAC address | MAC address of the user |
FTP Directory | Directory accessible to the FTP user |
User Privilege | Local user level |
Total 1 local user(s) matched. | 1 local user in total |
domain
Syntax
domain isp-name
undo domain isp-name
View
System view
Default Level
3: Manage level
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.
Description
Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.
Use the undo domain command to remove an ISP domain.
Note that:
• If the specified ISP domain does not exist, the system creates it. All ISP domains are in the active state when created.
• There is a default domain in the system, which cannot be deleted but can be changed. A user that provides no ISP domain name is considered to belong to the default domain. For details about the default domain, refer to the domain default enable command.
Related commands: state, display domain.
Examples
# Create ISP domain aabbcc.net, and enter ISP domain view.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net]
domain default
Syntax
domain default { disable | enable isp-name }
View
System view
Default Level
3: Manage level
Parameters
disable: Restores the specified default ISP domain to a non-default one.
enable: Configures the specified ISP domain as the default one.
isp-name: Name of the ISP, a string of 1 to 24 characters.
Description
Use the domain default command to manually configure the system default ISP domain.
By default, there is a default ISP domain named system.
Note that:
• There can be only one default ISP domain.
• The specified domain must already exist.
• The default domain cannot be deleted until you first cancel it as the default domain.
Related commands: state, display domain.
Examples
# Create a new ISP domain named aabbcc.net, and configure it as the default ISP domain.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] quit
[Sysname] domain default enable aabbcc.net
idle-cut
Syntax
idle-cut { disable | enable minute }
View
ISP domain view
Default Level
2: System level
Parameters
disable: Disables the idle cut function.
enable minute: Enables the idle cut function. The minute argument refers to the allowed idle duration, in the range 1 to 120 minutes.
Description
Use the idle-cut command to enable or disable the idle cut function.
By default, the function is disabled.
Related commands: domain.
Examples
# Enable the idle cut function and set the idle threshold to 50 minutes for ISP domain aabbcc.net.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] idle-cut enable 50
level
Syntax
level level
undo level
View
Local user view
Default Level
3: Manage level
Parameters
level: Level of the user, which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level.
Description
Use the level command to set the level of a user.
Use the undo level command to restore the default.
By default, the user level is 0.
Note that:
• If the user interface is configured with no authentication or with password authentication, the level of the commands a user can use after login depends on the level of the user interface. For details about the authentication, refer to the authentication-mode command in User Interface Commands of the System Volume.
• If the user interface is configured with an authentication method that requires a username and password, the level of the commands a user can use after login depends on the level of the user. For an SSH user using RSA public key authentication, the commands that can be used depend on the level configured on the user interface.
Related commands: local-user.
Examples
# Set the level of user user1 to 3.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] level 3
local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal } ] }
View
System view
Default Level
3: Manage level
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @ sign, and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
• ftp refers to users using FTP;
• lan-access refers to users accessing the network through an Ethernet, such as 802.1X users;
• ssh refers to users using SSH;
• telnet refers to users using Telnet;
• terminal refers to users logging in through the console or AUX port.
Description
Use the local-user command to add a local user and enter local user view.
Use the undo local-user command to remove the specified local users.
By default, no local user is configured.
Related commands: display local-user, service-type.
Examples
# Add a local user named user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1]
local-user password-display-mode
Syntax
local-user password-display-mode { auto | cipher-force }
undo local-user password-display-mode
View
System view
Default Level
2: System level
Parameters
auto: Displays each user's password in the form (simple or cipher text) selected for that user with the password command.
cipher-force: Displays the passwords of all users in cipher text.
Description
Use the local-user password-display-mode command to set the password display mode for all local users.
Use the undo local-user password-display-mode command to restore the default.
The default mode is auto.
With the cipher-force mode configured:
• A local user password is always displayed in cipher text, regardless of the configuration of the password command.
• If you use the save command to save the configuration, all existing local user passwords are still displayed in cipher text after the device restarts, even if you restore the display mode to auto.
Related commands: display local-user, password.
Examples
# Specify to display the passwords of all users in cipher text.
<Sysname> system-view
[Sysname] local-user password-display-mode cipher-force
password
Syntax
password { cipher | simple } password
undo password
View
Local user view
Default Level
2: System level
Parameters
cipher: Specifies to display the password in cipher text.
simple: Specifies to display the password in simple text.
password: Password for the local user.
• In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.
• In cipher text, it must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
• With the simple keyword, you must specify the password in simple text. With the cipher keyword, you can specify the password in either simple or cipher text.
Description
Use the password command to configure a password for a local user.
Use the undo password command to delete the password of a local user.
Note that:
• With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.
• With the cipher keyword specified, a password of up to 16 characters in plain text is encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text is encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.
Related commands: display local-user.
Examples
# Set the password of user1 to 123456 and specify to display the password in plain text.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456
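Added example, not from the manual or the device: a small Python audit that reads a Comware-style local-user configuration and reports what the password and local-user password-display-mode descriptions above imply is weak: passwords set with the simple keyword, values given to the cipher keyword that are not 24 or 88 characters long (so they are plain text in the file), users with no password, and FTP users left with the default root directory. The configuration fragment, user names and password values are constructed; the 24-character cipher string is the sample from the password description, not a real encrypted value.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Comware-style configuration fragment for this demonstration. The
# command syntax follows the reference; user names and password values are made
# up, and the 24-character cipher string is the sample from the password command
# description, not a real encrypted value.
SAMPLE_CONFIG = r"""
#
 local-user password-display-mode auto
#
local-user admin
 password cipher _(TT8F]Y\5SQ=^Q`MAF4<1!!
 service-type ssh telnet
 level 3
#
local-user backup
 password simple backup123
 service-type ftp
#
local-user dot1x-lab
 password cipher hunter2
 service-type lan-access
#
local-user nopass
 service-type telnet
#
"""

CIPHER_LENGTHS = (24, 88)     # lengths the device produces for encrypted passwords


@dataclass
class LocalUser:
    name: str
    password_mode: Optional[str] = None          # "simple" or "cipher"
    password: Optional[str] = None
    service_types: List[str] = field(default_factory=list)
    level: int = 0                               # documented default
    work_directory: Optional[str] = None


def parse_config(text: str):
    """Return (password-display-mode, [LocalUser, ...]) from a config fragment."""
    display_mode = "auto"                        # documented default
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":              # "#" separates views
            current = None
            continue
        if m := re.fullmatch(r"local-user password-display-mode (auto|cipher-force)", line):
            display_mode = m.group(1)
        elif m := re.fullmatch(r"local-user (\S+)", line):
            current = LocalUser(m.group(1))
            users.append(current)
        elif current is None:                    # a command outside local user view
            continue
        elif m := re.fullmatch(r"password (simple|cipher) (\S+)", line):
            current.password_mode, current.password = m.group(1), m.group(2)
        elif m := re.fullmatch(r"service-type (.+)", line):
            current.service_types += m.group(1).split()
        elif m := re.fullmatch(r"level (\d)", line):
            current.level = int(m.group(1))
        elif m := re.fullmatch(r"work-directory (\S+)", line):
            current.work_directory = m.group(1)
    return display_mode, users


def audit(display_mode: str, users: List[LocalUser]):
    """Findings as (user, message) tuples; '*' marks a global setting."""
    findings = []
    if display_mode != "cipher-force":
        findings.append(("*", f"password-display-mode is {display_mode}: passwords set with "
                              "'password simple' are shown in plain text"))
    for u in users:
        if u.password is None:
            findings.append((u.name, "no password configured"))
        elif u.password_mode == "simple":
            findings.append((u.name, "plaintext password in configuration"))
        elif len(u.password) not in CIPHER_LENGTHS:
            findings.append((u.name, f"cipher keyword with a {len(u.password)}-character value: "
                                     "not a 24- or 88-character cipher text, so it is plaintext in this file"))
        if "ftp" in u.service_types and u.work_directory is None:
            findings.append((u.name, "FTP user without work-directory: can access the "
                                     "root directory of the device"))
    return findings


def run_audit(text: str = SAMPLE_CONFIG):
    return audit(*parse_config(text))


if __name__ == "__main__":
    for user, message in run_audit():
        print(f"{user:>10}: {message}")
```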
self-service-url
Syntax
self-service-url { disable | enable url-string }
undo self-service-url
View
ISP domain view
Default Level
2: System level
Parameters
disable: Disables the self-service server localization function.
enable url-string: Enables the self-service server localization function. The url-string argument is the URL of the self-service server for changing the user password. The URL is a string of 1 to 64 characters that starts with http:// and cannot contain any question mark.
Description
Use the self-service-url enable command to enable the self-service server localization function and specify the URL of the self-service server for changing user password.
Use the self-service-url disable command or the undo self-service-url command to disable the self-service server localization function.
By default, the function is disabled.
Note that:
• A self-service RADIUS server, for example, iMC, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.
• After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1X client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.
• Only authenticated users can select [Service/Change Password] from the 802.1X client. The option is gray and unavailable for unauthenticated users.
Examples
# Enable the self-service server localization function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default ISP domain system.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName
service-type
Syntax
service-type { ssh | telnet | terminal } * [ level level ]
undo service-type { ssh | telnet | terminal } *
View
Local user view
Default Level
3: Manage level
Parameters
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX port.
level level: Sets the user level of a Telnet, terminal, or SSH user. The level argument is an integer in the range 0 to 3 and defaults to 0.
Description
Use the service-type command to specify the service types that a user can use.
Use the undo service-type command to delete one or all service types configured for a user.
By default, a user is authorized with no service.
Examples
# Authorize user user1 to use the Telnet service.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
service-type ftp
Syntax
service-type ftp
undo service-type ftp
View
Local user view
Default Level
3: Manage level
Parameters
None
Description
Use the service-type ftp command to authorize a user to use the FTP service.
Use the undo service-type ftp command to disable a user from using the FTP service.
By default, no service is authorized to a user and anonymous access to FTP service is not allowed. If you authorize a user to use the FTP service but do not specify a directory that the user can access, the user can access the root directory of the device by default.
Related commands: work-directory.
Examples
# Authorize user user1 to use the FTP service.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type ftp
service-type lan-access
Syntax
service-type lan-access
undo service-type lan-access
View
Local user view
Default Level
2: System level
Parameters
None
Description
Use the service-type lan-access command to specify the lan-access service for an Ethernet access user, for example, an 802.1X user.
Use the undo service-type lan-access command to remove the lan-access service settings for the user.
By default, no service is authorized to users.
Examples
# Specify the lan-access service for a user.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type lan-access
state
Syntax
state { active | block }
View
ISP domain view, local user view
Default Level
2: System level
Parameters
active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services.
block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.
Description
Use the state command to configure the status of the current ISP domain or local user.
By default, an ISP domain is active when created. So is a local user.
Blocking an ISP domain prevents the offline users of the domain from requesting network services; users that are already online are not affected.
Blocking a local user prevents that user from requesting network services; no other users are affected.
Related commands: domain.
Examples
# Place the current ISP domain aabbcc.net in the blocked state.
<Sysname> system-view
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] state block
# Place the current user user1 in the blocked state.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
work-directory
Syntax
work-directory directory-name
undo work-directory
View
Local user view
Default Level
3: Manage level
Parameters
directory-name: Name of the directory that FTP/SFTP users are authorized to access, a case-insensitive string of 1 to 135 characters.
Description
Use the work-directory command to specify the directory accessible to FTP/SFTP users.
Use the undo work-directory command to restore the default.
By default, FTP/SFTP users can access the root directory of the device.
Note that:
• The specified directory must exist.
• If you delete the specified directory with a file system command, FTP/SFTP users can no longer access it.
• If the specified directory path includes the slot number of the secondary board, FTP/SFTP users cannot log in after a primary-to-secondary switchover. Do not include slot information in the work directory.
Examples
# Specify the directory accessible to FTP/SFTP users.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] work-directory flash:
RADIUS Configuration Commands
data-flow-format (RADIUS scheme view)
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
RADIUS scheme view
Default Level
2: System level
Parameters
data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS server.
Use the undo data-flow-format command to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
Note that the specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly.
Related commands: display radius scheme.
Examples
# Define RADIUS scheme radius1 to send data flows and packets destined for the RADIUS server in kilobytes and kilo-packets.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
display radius scheme
Syntax
display radius scheme [ radius-scheme-name ] [ slot slot-number ]
View
Any view
Default Level
2: System level
Parameters
radius-scheme-name: RADIUS scheme name.
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the display radius scheme command to display the configuration information of a specified RADIUS scheme or all RADIUS schemes.
Note that:
• If no RADIUS scheme is specified, the command displays the configurations of all RADIUS schemes.
• If no slot number is specified, the command displays the configurations of the RADIUS schemes on only the main processing unit.
Related commands: radius scheme.
Examples
# Display the configurations of all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName = radius1
Index=0 Type=extended
Primary Auth IP = 1.1.1.1 Port = 1812 State = active
Primary Acct IP = 1.1.1.1 Port = 1813 State = active
Second Auth IP = 0.0.0.0 Port = 1812 State = block
Second Acct IP = 0.0.0.0 Port = 1813 State = block
Auth Server Encryption Key= Not configured
Acct Server Encryption Key= Not configured
Interval for timeout(second) =3
Retransmission times for timeout =3
Interval for realtime accounting(minute) =12
Retransmission times of realtime-accounting packet =5
Retransmission times of stop-accounting packet =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =one
nas-ip address = 10.1.1.1
------------------------------------------------------------------
Total 1 RADIUS scheme(s)
Table 2-1 display radius scheme command output description
Field | Description |
---|---|
SchemeName | Name of the RADIUS scheme |
Index | Index number of the RADIUS scheme |
Type | Type of the RADIUS server |
Primary Auth IP/ Port/ State | IP address, access port number, and current status (active or block) of the primary authentication server. If no primary authentication server is specified, the IP address is 0.0.0.0 and the port number is the default. The same applies to the following three fields. |
Primary Acct IP/ Port/ State | IP address, access port number, and current status (active or block) of the primary accounting server |
Second Auth IP/ Port/ State | IP address, access port number, and current status (active or block) of the secondary authentication server |
Second Acct IP/ Port/ State | IP address, access port number, and current status (active or block) of the secondary accounting server |
Auth Server Encryption Key | Shared key of the authentication server |
Acct Server Encryption Key | Shared key of the accounting server |
Interval for timeout(second) | Timeout time in seconds |
Retransmission times for timeout | Times of retransmission in case of timeout |
Interval for realtime accounting(minute) | Interval for realtime accounting in minutes |
Retransmission times of realtime-accounting packet | Retransmission times of realtime-accounting packet |
Retransmission times of stop-accounting packet | Retransmission times of stop-accounting packet |
Quiet-interval(min) | Quiet interval for the primary server |
Username format | Format of the username |
Data flow unit | Unit of data flows |
Packet unit | Unit of packets |
nas-ip address | IP address for the device to use as the source address of the RADIUS packets sent to the server |
Total 1 RADIUS scheme(s) | 1 RADIUS scheme in total |
display radius statistics
Syntax
display radius statistics [ slot slot-number ]
View
Any view
Default Level
2: System level
Parameters
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the display radius statistics command to display statistics about RADIUS packets.
Related commands: radius scheme.
Examples
# Display statistics about RADIUS packets.
<Sysname> display radius statistics
Slot 0:state statistic(total=4096):
DEAD = 4096 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
Resend Times Resend total
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Normal auth request Num = 24 Err = 0 Succ = 24
EAP auth request Num = 0 Err = 0 Succ = 0
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 23 Err = 0 Succ = 23
Session ctrl pkt Num = 0 Err = 0 Succ = 0
Normal author request Num = 0 Err = 0 Succ = 0
Set policy result Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
EAP auth replying Num = 0
Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 2-2 display radius statistics command output description
Field | Description |
---|---|
state statistic(total=4096) | User state statistics |
DEAD | Number of idle users |
AuthProc | Number of users waiting for authentication |
AuthSucc | Number of users that have passed authentication |
AcctStart | Number of users for whom accounting has been started |
RLTSend | Number of users for whom the system sends real-time accounting packets |
RLTWait | Number of users waiting for real-time accounting |
AcctStop | Number of users waiting for accounting to be stopped |
OnLine | Number of online users |
Stop | Number of users in the stop state |
Received and Sent packets statistic | Number of packets sent and received |
Sent PKT total | Number of packets sent |
Received PKT total | Number of packets received |
RADIUS received packets statistic | Statistics of packets received by RADIUS |
Code | Type of packet |
Num | Total number of packets |
Err | Number of error packets |
Running statistic | Statistics of running packets |
RADIUS received messages statistic | Number of messages received by RADIUS |
Normal auth request | Number of normal authentication requests |
EAP auth request | Number of EAP authentication requests |
Account request | Number of accounting requests |
Account off request | Number of stop-accounting requests |
PKT auth timeout | Number of authentication timeout packets |
PKT acct_timeout | Number of accounting timeout packets |
Realtime Account timer | Number of realtime accounting requests |
PKT response | Number of responses |
Session ctrl pkt | Number of session control packets |
Normal author request | Number of normal authorization packets |
Succ | Number of successful packets |
Set policy result | Number of responses to the Set policy packets |
RADIUS sent messages statistic | Number of messages sent by RADIUS |
Auth accept | Number of accepted authentication packets |
Auth reject | Number of rejected authentication packets |
EAP auth replying | Number of replying packets of EAP authentication |
Account success | Number of accounting succeeded packets |
Account failure | Number of accounting failed packets |
Server ctrl req | Number of server control requests |
RecError_MSG_sum | Number of received packets in error |
SndMSG_Fail_sum | Number of packets that failed to be sent out |
Timer_Err | Number of timer errors |
Alloc_Mem_Err | Number of memory errors |
State Mismatch | Number of errors for mismatching status |
Other_Error | Number of errors of other types |
No-response-acct-stop packet | Number of times that no response was received for stop-accounting packets |
Discarded No-response-acct-stop packet for buffer overflow | Number of stop-accounting packets that were buffered but then discarded because memory was full |
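Added example, not part of the manual: a Python parser for the display radius statistics output shown above, turning the counters into a dictionary and flagging the conditions an operator would want alerted on (reject-heavy authentication, requests that exhausted their retransmissions, buffered or discarded stop-accounting requests). The sample output is constructed from the example above; the warning thresholds are assumptions chosen for the demonstration.

```python
import re

# Constructed sample modelled on the display radius statistics example above
# (the numbers are copied from that example, not captured from a live device).
SAMPLE_OUTPUT = """\
Slot 0:state statistic(total=4096):
DEAD = 4096 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
Resend Times Resend total
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Normal auth request Num = 24 Err = 0 Succ = 24
EAP auth request Num = 0 Err = 0 Succ = 0
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 23 Err = 0 Succ = 23
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
Account success Num = 4
Account failure Num = 3
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
"""

CODE_RE = re.compile(r"^Code = (\d+) Num = (\d+) Err = (\d+)$")
MSG_RE = re.compile(r"^(.+?) Num = (\d+)(?: Err = (\d+))?(?: Succ = (\d+))?$")
RESEND_RE = re.compile(r"^(\d+)\s+(\d+)$")
PAIR_RE = re.compile(r"(\S[^=]*?)\s*=\s*(\d+)")     # "Name = 123", several per line
STATE_KEYS = {"DEAD", "AuthProc", "AuthSucc", "AcctStart", "RLTSend",
              "RLTWait", "AcctStop", "OnLine", "Stop"}
REJECT_RATIO_LIMIT = 0.5                            # assumed alerting threshold


def parse_statistics(text):
    """Split the command output into per-section dictionaries of integers."""
    stats = {"states": {}, "counters": {}, "packet_codes": {}, "messages": {}, "resend": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                      # section header; only the state total matters
            if m := re.search(r"total=(\d+)", line):
                stats["states"]["total"] = int(m.group(1))
        elif m := CODE_RE.match(line):              # per RADIUS packet code
            stats["packet_codes"][int(m.group(1))] = {"num": int(m.group(2)), "err": int(m.group(3))}
        elif m := MSG_RE.match(line):               # "<name> Num = x [Err = y] [Succ = z]"
            name, num, err, succ = m.groups()
            stats["messages"][name] = {"num": int(num),
                                       "err": None if err is None else int(err),
                                       "succ": None if succ is None else int(succ)}
        elif m := RESEND_RE.match(line):            # rows of the "Resend Times / Resend total" table
            stats["resend"][int(m.group(1))] = int(m.group(2))
        else:                                       # generic "Name = value" pairs
            for name, value in PAIR_RE.findall(line):
                stats["states" if name in STATE_KEYS else "counters"][name] = int(value)
    return stats


def assess(stats):
    """Conditions worth an alert, derived from the parsed counters."""
    warnings, msgs, counters = [], stats["messages"], stats["counters"]
    accept = (msgs.get("Auth accept") or {}).get("num") or 0
    reject = (msgs.get("Auth reject") or {}).get("num") or 0
    if accept + reject and reject / (accept + reject) > REJECT_RATIO_LIMIT:
        warnings.append(f"authentication rejects ({reject}) outnumber accepts ({accept}): "
                        "check the shared key and the user credentials being presented")
    for name in ("PKT auth timeout", "PKT acct_timeout"):
        err = (msgs.get(name) or {}).get("err") or 0
        if err:
            warnings.append(f"{name}: {err} requests exhausted their retransmissions")
    buffered = counters.get("No-response-acct-stop packet", 0)
    if buffered:
        warnings.append(f"{buffered} stop-accounting request(s) buffered with no server response")
    dropped = counters.get("Discarded No-response-acct-stop packet for buffer overflow", 0)
    if dropped:
        warnings.append(f"{dropped} buffered stop-accounting request(s) discarded: accounting records lost")
    return warnings


if __name__ == "__main__":
    for warning in assess(parse_statistics(SAMPLE_OUTPUT)):
        print("WARNING:", warning)
```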
display stop-accounting-buffer
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
View
Any view
Default Level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.
session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Specifies a user by the user name, which is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must comply with that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device by scheme, session ID, time range, user name, or slot.
Note that if the device receives no response after sending a stop-accounting request to a RADIUS server, it buffers the request and retransmits it. You can use the retry stop-accounting command to set the number of allowed transmission attempts.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format, retry stop-accounting.
Examples
# Display information about the buffered stop-accounting requests on the interface board in slot 1 from 0:0:0 to 23:59:59 on August 31, 2006.
<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006 slot 1
Slot 1
Total 0 record(s) Matched
key (RADIUS scheme view)
Syntax
key { accounting | authentication } string
undo key { accounting | authentication }
View
RADIUS scheme view
Default Level
2: System level
Parameters
accounting: Sets the shared key for RADIUS accounting packets.
authentication: Sets the shared key for RADIUS authentication/authorization packets.
string: Shared key, a case-sensitive string of 1 to 64 characters.
Description
Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.
Use the undo key command to restore the default.
By default, no shared key is configured.
Note that:
• You must ensure that the same shared key is set on the device and the RADIUS server.
• If authentication/authorization and accounting are performed on two servers with different shared keys, you must set a separate shared key for each on the device.
Related commands: display radius scheme.
Examples
# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key authentication hello
# Set the shared key for accounting packets to ok for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
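As an added illustration of why the shared key set with the key command must match on both sides (example code written for this page, not device or server code): a minimal RFC 2865 Access-Request/Access-Accept exchange in Python, showing the key masking the User-Password in the request and the device recomputing the Response Authenticator of the reply with its own copy of the key. The user name, password and key values are made up.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): NUL-pad to a multiple of 16,
    then XOR each block with MD5(secret + previous ciphertext block); the first
    block is masked with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (the server side); the NUL padding is stripped."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_request(secret, ident, request_auth, username, password) -> bytes:
    """Access-Request as the device sends it; the key is used only to hide the password."""
    attrs = attribute(USER_NAME, username) + \
        attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(secret, code, ident, request_auth, attrs) -> bytes:
    """Server reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_auth, packet) -> bool:
    """What the device does with a reply: recompute the Response Authenticator
    with its own key and compare in constant time. A reply failing this check is
    silently discarded, so a key mismatch looks like a server that never answers."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(nas_key: bytes, server_key: bytes, request_auth: bytes = None):
    """One round trip with possibly different keys on the two sides. Returns
    (password as the server recovered it, whether the device accepts the reply)."""
    if request_auth is None:
        request_auth = os.urandom(16)            # fresh random value per request
    ident, username, password = 7, b"user1", b"123456"   # constructed values
    request = build_request(nas_key, ident, request_auth, username, password)
    # Server side: the hidden User-Password value follows the User-Name attribute.
    hidden = request[20 + 2 + len(username) + 2:]
    recovered = reveal_password(server_key, request_auth, hidden)
    reply = build_response(server_key, ACCESS_ACCEPT, ident, request_auth,
                           attribute(REPLY_MESSAGE, b"welcome"))
    return recovered, verify_response(nas_key, request_auth, reply)


if __name__ == "__main__":
    print("matching keys:  ", exchange(b"hello", b"hello"))
    print("mismatched keys:", exchange(b"hello", b"h3llo"))
```

Under RFC 2865 alone the Access-Request itself carries no integrity check; that is what the Message-Authenticator attribute of RFC 2869 adds.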
nas-ip (RADIUS scheme view)
Syntax
nas-ip ip-address
undo nas-ip
View
RADIUS scheme view
Default Level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-0s address, the all-1s address, a class D address, a class E address, or a loopback address.
Description
Use the nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.
Use the undo nas-ip command to restore the default.
By default, the source IP address of a packet sent to the server is that configured by the radius nas-ip command in system view.
Note that:
• Specifying a source address for the RADIUS packets sent to the server avoids the situation where the packets sent back by the RADIUS server cannot reach the device because of a physical interface failure. The address of a loopback interface is recommended.
• The nas-ip command in RADIUS scheme view applies only to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. The nas-ip command in RADIUS scheme view overrides the configuration of the radius nas-ip command.
Related commands: radius nas-ip.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme test1
[Sysname-radius-test1] nas-ip 10.1.1.1
primary accounting (RADIUS scheme view)
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
RADIUS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the primary accounting server.
port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813.
Description
Use the primary accounting command to specify the primary RADIUS accounting server.
Use the undo primary accounting command to remove the configuration.
By default, no primary RADIUS accounting server is specified.
Note that:
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
• The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
Related commands: key, radius scheme, state.
Examples
# Specify the IP address of the primary accounting server for RADIUS scheme radius1 as 10.110.1.2 and the UDP port of the server as 1813.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813
primary authentication (RADIUS scheme view)
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
RADIUS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the primary authentication/authorization server.
port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.
Description
Use the primary authentication command to specify the primary RADIUS authentication/authorization server.
Use the undo primary authentication command to remove the configuration.
By default, no primary RADIUS authentication/authorization server is specified.
Note that:
• After creating a RADIUS scheme, configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the device match those on the RADIUS servers.
• The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.
Related commands: key, radius scheme, state.
Examples
# Specify the primary authentication/authorization server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812
radius client
Syntax
radius client enable
undo radius client
View
System view
Default Level
2: System level
Parameters
None
Description
Use the radius client enable command to enable the listening port of the RADIUS client.
Use the undo radius client command to disable the listening port of the RADIUS client.
By default, the listening port is enabled.
Note that when the listening port of the RADIUS client is disabled:
• The RADIUS client can still accept authentication, authorization or accounting requests and process timer messages, but it cannot send packets to or receive packets from the RADIUS server.
• Stop-accounting packets for online users can be neither sent out nor buffered. As a result, the RADIUS server may keep a user's record for some time after the user goes offline.
• If both a RADIUS scheme and a local authentication, authorization and accounting scheme are configured, authentication, authorization and accounting fall back to the local scheme after the RADIUS request fails.
• Buffered accounting packets cannot be sent out and are deleted from the buffer when the configured maximum number of attempts is reached.
Examples
# Enable the listening port of the RADIUS client.
<Sysname> system-view
[Sysname] radius client enable
radius nas-ip
Syntax
radius nas-ip ip-address
undo radius nas-ip
View
System view
Default Level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-zeros address, the all-ones address, a class D address, a class E address, or a loopback address.
Description
Use the radius nas-ip command to set the IP address for the device to use as the source address of the RADIUS packets to be sent to the server.
Use the undo radius nas-ip command to remove the configuration.
By default, the source IP address of a packet sent to the server is the IP address of the outbound port.
Note that:
• Specifying a source address for the RADIUS packets to be sent to the server can avoid the situation where the packets sent back by the RADIUS server cannot reach the device as the result of a physical interface failure.
• If you configure the command more than once, the last configuration takes effect.
• The nas-ip command in RADIUS scheme view is only for the current RADIUS scheme, while the radius nas-ip command in system view is for all RADIUS schemes. However, the nas-ip command in RADIUS scheme view overwrites the configuration of the radius nas-ip command.
Related commands: nas-ip.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
radius scheme
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
View
System view
Default Level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.
Use the undo radius scheme command to delete a RADIUS scheme.
By default, no RADIUS scheme is defined.
Note that:
• The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers.
• A RADIUS scheme can be referenced by more than one ISP domain at the same time.
• You cannot remove a RADIUS scheme that is being used by online users with the undo radius scheme command.
Related commands: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, display radius statistics.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
radius trap
Syntax
radius trap { accounting-server-down | authentication-server-down }
undo radius trap { accounting-server-down | authentication-server-down }
View
System view
Default Level
2: System level
Parameters
accounting-server-down: RADIUS trap for accounting servers.
authentication-server-down: RADIUS trap for authentication servers.
Description
Use the radius trap command to enable the RADIUS trap function.
Use the undo radius trap command to disable the function.
By default, the RADIUS trap function is disabled.
Note that:
• If a NAS sends an accounting or authentication request to the RADIUS server but gets no response, the NAS retransmits the request. With the RADIUS trap function enabled, when the NAS has transmitted the request half of the specified maximum number of transmission attempts, it sends a trap message; when the NAS has transmitted the request the specified maximum number of times, it sends another trap message.
• If the specified maximum number of transmission attempts is odd, half of that number is rounded up to the next integer.
Examples
# Enable the RADIUS trap function for accounting servers.
<Sysname> system-view
[Sysname] radius trap accounting-server-down
reset radius statistics
Syntax
reset radius statistics [ slot slot-number ]
View
User view
Default Level
2: System level
Parameters
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the reset radius statistics command to clear RADIUS statistics.
Related commands: display radius scheme.
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
View
User view
Default Level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters.
session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.
time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.
user-name user-name: Specifies a user name based on which to reset the stop-accounting buffer. The username is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must comply with that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests, which get no responses.
Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, display stop-accounting-buffer.
Examples
# Clear the buffered stop-accounting requests for user [email protected].
<Sysname> reset stop-accounting-buffer user-name [email protected]
# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2006.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006
retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Default Level
2: System level
Parameters
retry-times: Maximum number of retransmission attempts, in the range 1 to 20.
Description
Use the retry command to set the maximum number of RADIUS retransmission attempts.
Use the undo retry command to restore the default.
The default value for the retry-times argument is 3.
Note that:
• Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout time, it retransmits the RADIUS request. If the number of retransmission attempts exceeds the limit and the device still receives no response from the RADIUS server, the device considers the authentication to have failed.
• The maximum number of retransmission attempts defined by this command is the sum of all retransmission attempts sent by the device to the primary server and the secondary server. For example, if the maximum number of retransmission attempts is N and both a primary and a secondary RADIUS server are specified and reachable, the device sends the request to the other server when the current server has not responded after N/2 (if N is even) or (N+1)/2 (if N is odd) attempts.
• The maximum number of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Related commands: radius scheme, timer response-timeout.
Examples
# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Default Level
2: System level
Parameters
retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5.
Description
Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.
Use the undo retry realtime-accounting command to restore the default.
Note that:
• A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting packet for a user from the NAS within the timeout period, it assumes a line or device failure and stops accounting for the user. When such an unexpected failure occurs, the NAS must disconnect the user accordingly. The maximum number of accounting request transmission attempts controls this: once the limit is reached and the NAS still receives no response, the NAS disconnects the user.
• Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of retransmission attempts is 3 (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes and retransmits it when it receives no response within 3 seconds. The accounting request is deemed unsuccessful if no response is received after 3 transmissions. The device then continues to send a request every 12 minutes, and if 5 consecutive requests get no response, the device cuts the user connection.
Related commands: radius scheme, timer realtime-accounting.
Examples
# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
retry stop-accounting (RADIUS scheme view)
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Default Level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500.
Description
Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.
Use the undo retry stop-accounting command to restore the default.
Note that:
• Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of retransmission attempts is 5 (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). This means that for each stop-accounting request, if the device receives no response within 3 seconds, it sends the request again. If no response is received after 5 such transmissions, the stop-accounting request is deemed unsuccessful. The device then buffers the request, resends it and repeats the whole process described above. Only when 20 consecutive attempts fail does the device discard the request.
Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000
secondary accounting (RADIUS scheme view)
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
RADIUS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.
port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.
Description
Use the secondary accounting command to specify the secondary RADIUS accounting server.
Use the undo secondary accounting command to remove the configuration.
By default, no secondary RADIUS accounting server is specified.
Note that:
• The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
• The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
Related commands: key, radius scheme, state.
Examples
# Specify the secondary accounting server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813
secondary authentication (RADIUS scheme view)
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
RADIUS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.
port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.
Description
Use the secondary authentication command to specify the secondary RADIUS authentication/authorization server.
Use the undo secondary authentication command to remove the configuration.
By default, no secondary RADIUS authentication/authorization server is specified.
Note that:
• The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.
• The RADIUS service port configured on the device and that of the RADIUS server must be consistent.
Related commands: key, radius scheme, state.
Examples
# Specify the secondary authentication/authorization server for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812
security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View
RADIUS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of a security policy server.
all: All configured security policy servers.
Description
Use the security-policy-server command to specify a security policy server.
Use the undo security-policy-server command to remove one or all security policy servers.
By default, no security policy server is specified.
Note that:
• If more than one interface of the device is configured with user access authentication functions, the interfaces may use different security policy servers. You can specify up to eight security policy servers for a RADIUS scheme.
• The specified security policy server must be a security policy server or RADIUS server that is correctly configured and working normally. Otherwise, the device regards it as an illegal server.
Related commands: radius nas-ip.
Examples
# For RADIUS scheme radius1, set the IP address of a security policy server to 10.110.1.2.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
server-type
Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Default Level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally iMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats of the private RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats of the standard RADIUS protocol (RFC 2865/2866 or newer).
Description
Use the server-type command to specify the RADIUS server type supported by the device.
Use the undo server-type command to restore the default.
By default, the supported RADIUS server type is standard.
Related commands: radius scheme.
Examples
# Set the RADIUS server type of RADIUS scheme radius1 to standard.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard
state
Syntax
state { primary | secondary } { accounting | authentication } { active | block }
View
RADIUS scheme view
Default Level
2: System level
Parameters
primary: Sets the status of the primary RADIUS server.
secondary: Sets the status of the secondary RADIUS server.
accounting: Sets the status of the RADIUS accounting server.
authentication: Sets the status of the RADIUS authentication/authorization server.
active: Sets the status of the RADIUS server to active, namely the normal operation state.
block: Sets the status of the RADIUS server to block.
Description
Use the state command to set the status of a RADIUS server.
By default, every RADIUS server configured with an IP address in the RADIUS scheme is in the state of active.
Note that:
• When a primary server (authentication/authorization or accounting) fails, the device automatically switches to the secondary server.
• Once the primary server fails, it turns to the blocked state and the device switches to the secondary server. If the secondary server is available, the device starts the quiet timer for the primary server. When the quiet timer expires, the status of the primary server becomes active again and the status of the secondary server remains unchanged. If the secondary server fails, the device restores the status of the primary server to active immediately. Once the primary server has resumed, the device switches back to it and stops communicating with the secondary server; accounting sessions that have already started, however, continue with the secondary server.
• When both the primary server and the secondary server are blocked, you need to set the status of the secondary server to active so that it can be used for authentication. Otherwise, the switchover will not occur.
• If one server is active while the other is blocked, the switchover will not take place even if the active server is unreachable.
Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.
Examples
# Set the status of the secondary server in RADIUS scheme radius1 to active.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication active
stop-accounting-buffer enable (RADIUS scheme view)
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Default Level
2: System level
Parameters
None
Description
Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.
Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.
By default, the device is enabled to buffer stop-accounting requests getting no responses.
Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.
Related commands: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.
Examples
# In RADIUS scheme radius1, enable the device to buffer the stop-accounting requests getting no responses.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] stop-accounting-buffer enable
timer quiet (RADIUS scheme view)
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Default Level
2: System level
Parameters
minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.
Description
Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.
Use the undo timer quiet command to restore the default.
Related commands: display radius scheme.
Examples
# Set the quiet timer for the primary server to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme test1
[Sysname-radius-test1] timer quiet 10
timer realtime-accounting (RADIUS scheme view)
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS scheme view
Default Level
2: System level
Parameters
minutes: Real-time accounting interval in minutes, must be a multiple of 3 and in the range 3 to 60, with the default value being 12.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default.
Note that:
• For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
• The setting of the real-time accounting interval depends to some extent on the performance of the NAS and the RADIUS server: a shorter interval requires higher performance. It is therefore recommended to use a longer interval when there are a large number of users (1000 or more). The following table lists the recommended ratios of the interval to the number of users.
Table 2-3 Recommended ratios of the accounting interval to the number of users
Number of users | Real-time accounting interval (minutes) |
---|---|
1 to 99 | 3 |
100 to 499 | 6 |
500 to 999 | 12 |
1000 or more | 15 or more |
Related commands: retry realtime-accounting, radius scheme.
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
timer response-timeout (RADIUS scheme view)
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Default Level
2: System level
Parameters
seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.
Description
Use the timer response-timeout command to set the RADIUS server response timeout timer.
Use the undo timer response-timeout command to restore the default.
Note that:
• If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it has to resend the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the retransmission interval.
• A proper value for the RADIUS server response timeout timer can help improve the system performance. Set the timer based on the network conditions.
• The maximum total number of all types of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Related commands: radius scheme, retry.
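The retry, retry realtime-accounting, retry stop-accounting, timer realtime-accounting (Table 2-3) and timer response-timeout settings interact; the following model puts their documented rules in one place. It is an added example, not H3C device code; the class and function names are chosen here, and the numbers it checks are those stated in this chapter.

```python
"""Model of how the RADIUS retry and timer settings in this chapter interact.

Added example, not H3C device code. It encodes the documented rules:
  * retry x timer response-timeout must not exceed 75 (seconds of waiting);
  * with primary and secondary servers configured, the device tries the other
    server after N/2 (even N) or (N+1)/2 (odd N) unanswered attempts, and the
    radius trap fires at the same point;
  * real-time accounting: retry realtime-accounting consecutive unanswered
    requests, one per interval, disconnect the user;
  * stop-accounting: retry stop-accounting consecutive failed requests, each
    retried `retry` times, discard the buffered request.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


def recommended_realtime_interval(users: int) -> int:
    """Minimum recommended real-time accounting interval (minutes), Table 2-3."""
    if users < 100:
        return 3
    if users < 500:
        return 6
    if users < 1000:
        return 12
    return 15


@dataclass(frozen=True)
class RadiusScheme:
    retry: int = 3               # retry                     (1-20)
    response_timeout: int = 3    # timer response-timeout    (1-10 s)
    realtime_interval: int = 12  # timer realtime-accounting (3-60 min, multiple of 3)
    realtime_retries: int = 5    # retry realtime-accounting (1-255)
    stop_retries: int = 500      # retry stop-accounting     (10-65535)

    def validate(self) -> list[str]:
        """Return the documented range and product violations; empty means OK."""
        problems = []
        if not 1 <= self.retry <= 20:
            problems.append("retry must be in 1-20")
        if not 1 <= self.response_timeout <= 10:
            problems.append("timer response-timeout must be in 1-10 seconds")
        if self.retry * self.response_timeout > 75:
            problems.append("retry * response-timeout must not exceed 75")
        if not (3 <= self.realtime_interval <= 60 and self.realtime_interval % 3 == 0):
            problems.append("timer realtime-accounting must be a multiple of 3 in 3-60")
        if not 1 <= self.realtime_retries <= 255:
            problems.append("retry realtime-accounting must be in 1-255")
        if not 10 <= self.stop_retries <= 65535:
            problems.append("retry stop-accounting must be in 10-65535")
        return problems

    def attempts_before_switchover(self) -> int:
        """Unanswered attempts to one server before the other is tried."""
        return math.ceil(self.retry / 2)

    def request_failure_seconds(self) -> int:
        """Worst-case wait before a single request is declared failed."""
        return self.retry * self.response_timeout

    def realtime_disconnect_minutes(self) -> int:
        """Minutes without an answered real-time accounting request before the
        NAS disconnects the user (the retransmission seconds are ignored)."""
        return self.realtime_retries * self.realtime_interval

    def stop_accounting_discard_seconds(self) -> int:
        """Total retransmission wait before a buffered stop-accounting request
        is discarded."""
        return self.stop_retries * self.request_failure_seconds()


if __name__ == "__main__":
    # Values from the retry realtime-accounting and retry stop-accounting notes.
    s = RadiusScheme(retry=3, response_timeout=3, realtime_interval=12,
                     realtime_retries=5, stop_retries=20)
    print(s.validate() or "scheme OK")
    print("switch to the other server after", s.attempts_before_switchover(), "attempts")
    print("one request fails after", s.request_failure_seconds(), "s")
    print("user cut off after", s.realtime_disconnect_minutes(), "min of silence")
    print("stop-accounting dropped after", s.stop_accounting_discard_seconds(), "s")
```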
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
user-name-format (RADIUS scheme view)
Syntax
user-name-format { with-domain | without-domain }
View
RADIUS scheme view
Default Level
2: System level
Parameters
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Description
Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.
By default, the ISP domain name is included in the username.
Note that:
• A username is generally in the format userid@isp-name, where isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username that includes an ISP domain name. Before sending such a username to such a RADIUS server, the device must remove the domain name. This command therefore lets you decide whether to include the domain name in a username sent to a RADIUS server.
• If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server would regard two users in different ISP domains with the same userid as one user.
Related commands: radius scheme.
Examples
# Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
HWTACACS Configuration Commands
data-flow-format (HWTACACS scheme view)
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
HWTACACS scheme view
Default Level
2: System level
Parameters
data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use the data-flow-format command to specify the unit for data flows or packets to be sent to an HWTACACS server.
Use the undo data-flow-format command to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
Related commands: display hwtacacs.
Examples
# Define HWTACACS scheme hwt1 to send data flows and packets destined for the TACACS server in kilobytes and kilo-packets.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
display hwtacacs
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ slot slot-number ]
View
Any view
Default Level
2: System level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays complete statistics about the HWTACACS server.
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the display hwtacacs command to display configuration information or statistics of the specified or all HWTACACS schemes.
Note that:
• If no HWTACACS scheme is specified, the command displays the configuration information of all HWTACACS schemes.
• If no slot number is specified, the command displays the configuration information of the HWTACACS scheme on the main processing unit.
Related commands: hwtacacs scheme.
Examples
# Display configuration information about HWTACACS scheme gy.
<Sysname> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
NAS-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Domain-included : Yes
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Table 3-1 display hwtacacs command output description
Field | Description |
---|---|
HWTACACS-server template name | Name of the HWTACACS scheme |
Primary-authentication-server | IP address and port number of the primary authentication server. If no primary authentication server is specified, the value of this field is 0.0.0.0:0. This rule also applies to the following eight fields. |
Primary-authorization-server | IP address and port number of the primary authorization server |
Primary-accounting-server | IP address and port number of the primary accounting server |
Secondary-authentication-server | IP address and port number of the secondary authentication server |
Secondary-authorization-server | IP address and port number of the secondary authorization server |
Secondary-accounting-server | IP address and port number of the secondary accounting server |
Current-authentication-server | IP address and port number of the currently used authentication server |
Current-authorization-server | IP address and port number of the currently used authorization server |
Current-accounting-server | IP address and port number of the currently used accounting server |
NAS-IP-address | IP address of the NAS. If no NAS IP address is specified, the value of this field is 0.0.0.0. |
key authentication | Key for authentication |
key authorization | Key for authorization |
key accounting | Key for accounting |
Quiet-interval | Quiet interval for the primary server |
Realtime-accounting-interval | Real-time accounting interval |
Response-timeout-interval | Server response timeout period |
Acct-stop-PKT retransmit times | Number of stop-accounting packet transmission retries |
Domain-included | Whether a username includes the domain name |
Data traffic-unit | Unit for data flows |
Packet traffic-unit | Unit for data packets |
display stop-accounting-buffer
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
View
Any view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the device.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, retry stop-accounting.
Examples
# Display information about the buffered stop-accounting requests for HWTACACS scheme hwt1 on the interface board in slot 1.
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1 slot 1
Slot 1
Total 0 record(s) Matched
hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip
View
System view
Default Level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be the all-zeros address, the all-ones address, a class D address, a class E address, or a loopback address.
Description
Use the hwtacacs nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.
Use the undo hwtacacs nas-ip command to remove the configuration.
By default, the source IP address of a packet sent to the server is the IP address of the outbound port.
Note that:
• Specifying a source address for the HWTACACS packets to be sent to the server can avoid the situation where the packets sent back by the HWTACACS server cannot reach the device as the result of a physical interface failure.
• If you configure the command more than once, the last configuration takes effect.
• The nas-ip command in HWTACACS scheme view is only for the current HWTACACS scheme, while the hwtacacs nas-ip command in system view is for all HWTACACS schemes. However, the nas-ip command in HWTACACS scheme view overwrites the configuration of the hwtacacs nas-ip command.
Related commands: nas-ip.
Examples
# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Default Level
3: Manage level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use the hwtacacs scheme command to create an HWTACACS scheme and enter HWTACACS scheme view.
Use the undo hwtacacs scheme command to delete an HWTACACS scheme.
By default, no HWTACACS scheme exists.
Note that you cannot delete an HWTACACS scheme with online users.
Examples
# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
key (HWTACACS scheme view)
Syntax
key { accounting | authentication | authorization } string
undo key { accounting | authentication | authorization } string
View
HWTACACS scheme view
Default Level
2: System level
Parameters
accounting: Sets the shared key for HWTACACS accounting packets.
authentication: Sets the shared key for HWTACACS authentication packets.
authorization: Sets the shared key for HWTACACS authorization packets.
string: Shared key, a string of 1 to 16 characters.
Description
Use the key command to set the shared key for HWTACACS authentication, authorization, or accounting packets.
Use the undo key command to remove the configuration.
By default, no shared key is configured.
The key must be identical to the key configured on the HWTACACS server for the same packet type; otherwise the server rejects the device's requests.
Related commands: display hwtacacs.
Examples
# Set the shared key for HWTACACS accounting packets to hello for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
nas-ip (HWTACACS scheme view)
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be the all-0s address, the all-1s address, a class D address, a class E address, or a loopback address.
Description
Use the nas-ip command to set the IP address for the device to use as the source address of the HWTACACS packets to be sent to the server.
Use the undo nas-ip command to remove the configuration.
By default, the source IP address of a packet sent to the server is the IP address of the outbound interface.
Note that:
l Specifying a fixed source address for the HWTACACS packets sent to the server keeps the address the server replies to stable. Without it, the packets carry the address of whichever interface they leave through, and if that physical interface fails, the server's responses are sent to an address the device can no longer receive on.
l If you configure the command more than once, the last configuration takes effect.
l The nas-ip command in HWTACACS scheme view applies only to the current HWTACACS scheme; the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. Where both are configured, the scheme-view nas-ip setting takes precedence for that scheme.
Related commands: hwtacacs nas-ip.
Examples
# Set the IP address for the device to use as the source address of the HWTACACS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
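As an added illustration (not code from the original page or from the device vendor), the following Python script applies the nas-ip address constraints stated above and the precedence rule between hwtacacs nas-ip (system view) and nas-ip (HWTACACS scheme view) to a constructed list of configuration lines. The set of device addresses, the configuration lines, the scheme name hwt2 and the outbound interface address are assumptions of the example.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set

# Constructed sample: the IPv4 addresses configured on this device. This set is an
# assumption of the example; a real check would read the interface configuration.
DEVICE_ADDRESSES: Set[str] = {"10.1.1.1", "129.10.10.1", "192.0.2.10"}


def nas_ip_problem(addr: str, device_addresses: Iterable[str] = DEVICE_ADDRESSES) -> Optional[str]:
    """Return why `addr` is not acceptable as a nas-ip, or None if it is.

    The rules are those the command reference states: a dotted-decimal IPv4
    address of the device that is not the all-0s address, the all-1s address,
    a class D address, a class E address or a loopback address.
    """
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "not a dotted-decimal IPv4 address"
    first_octet = ip.packed[0]
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        return "all-0s address"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "all-1s address"
    if 224 <= first_octet <= 239:          # class D, 224.0.0.0/4 (multicast)
        return "class D (multicast) address"
    if first_octet >= 240:                 # class E, 240.0.0.0/4 (reserved)
        return "class E (reserved) address"
    if first_octet == 127:                 # loopback range, 127.0.0.0/8
        return "loopback address"
    if str(ip) not in set(device_addresses):
        return "not an address of this device"
    return None


def validate_nas_ip(addr: str, device_addresses: Iterable[str] = DEVICE_ADDRESSES) -> str:
    """Raise ValueError with the reason if `addr` is rejected; otherwise return it."""
    problem = nas_ip_problem(addr, device_addresses)
    if problem is not None:
        raise ValueError(f"nas-ip {addr}: {problem}")
    return addr


def resolve_source_address(config_lines: Iterable[str], scheme: str, outbound_interface_ip: str) -> str:
    """Walk configuration lines as typed in system view and HWTACACS scheme view
    and return the source address that packets of `scheme` will carry.

    Precedence, as the reference states: nas-ip in scheme view beats hwtacacs
    nas-ip in system view, which beats the default (the outbound interface's
    address). Repeating a command replaces the earlier setting.
    """
    global_ip: Optional[str] = None
    scheme_ip: Dict[str, str] = {}
    current: Optional[str] = None          # scheme whose view we are in, if any
    for line in config_lines:
        tokens = line.split()
        if tokens[:2] == ["hwtacacs", "scheme"]:
            current = tokens[2]
        elif tokens[:2] == ["hwtacacs", "nas-ip"]:
            global_ip = validate_nas_ip(tokens[2])
        elif tokens[:3] == ["undo", "hwtacacs", "nas-ip"]:
            global_ip = None
        elif tokens[:1] == ["nas-ip"] and current is not None:
            scheme_ip[current] = validate_nas_ip(tokens[1])
        elif tokens[:2] == ["undo", "nas-ip"] and current is not None:
            scheme_ip.pop(current, None)
        elif tokens == ["quit"]:
            current = None
    return scheme_ip.get(scheme) or global_ip or outbound_interface_ip


# Constructed configuration using the addresses from the page's own examples.
SAMPLE_CONFIG = [
    "hwtacacs nas-ip 129.10.10.1",   # system view: applies to every scheme
    "hwtacacs scheme hwt1",
    "nas-ip 10.1.1.1",               # scheme view: overrides the global setting for hwt1
    "quit",
    "hwtacacs scheme hwt2",          # no scheme-level nas-ip: inherits the global setting
    "quit",
]

if __name__ == "__main__":
    for name in ("hwt1", "hwt2"):
        print(name, "->", resolve_source_address(SAMPLE_CONFIG, name, "192.0.2.10"))
```

Running the script prints 10.1.1.1 for hwt1 (scheme-view setting wins) and 129.10.10.1 for hwt2 (global setting). Removing the global setting with undo hwtacacs nas-ip makes hwt2 fall back to the outbound interface address.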
primary accounting (HWTACACS scheme view)
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.
Description
Use the primary accounting command to specify the primary HWTACACS accounting server.
Use the undo primary accounting command to remove the configuration.
By default, no primary HWTACACS accounting server is specified.
Note that:
l The IP addresses of the primary and secondary accounting servers cannot be the same; if they are, the configuration fails.
l The HWTACACS service port configured on the device must be the same as the port on which the HWTACACS server listens.
l If you configure the command more than once, the last configuration takes effect.
l You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
Examples
# Specify the primary accounting server.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49
primary authentication (HWTACACS scheme view)
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.
Description
Use the primary authentication command to specify the primary HWTACACS authentication server.
Use the undo primary authentication command to remove the configuration.
By default, no primary HWTACACS authentication server is specified.
Note that:
l The IP addresses of the primary and secondary authentication servers cannot be the same; if they are, the configuration fails.
l The HWTACACS service port configured on the device must be the same as the port on which the HWTACACS server listens.
l If you configure the command more than once, the last configuration takes effect.
l You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
Related commands: display hwtacacs.
Examples
# Specify the primary authentication server.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
primary authorization
Syntax
primary authorization ip-address [ port-number ]
undo primary authorization
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.
Description
Use the primary authorization command to specify the primary HWTACACS authorization server.
Use the undo primary authorization command to remove the configuration.
By default, no primary HWTACACS authorization server is specified.
Note that:
l The IP addresses of the primary and secondary authorization servers cannot be the same; if they are, the configuration fails.
l The HWTACACS service port configured on the device must be the same as the port on which the HWTACACS server listens.
l If you configure the command more than once, the last configuration takes effect.
l You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.
Related commands: display hwtacacs.
Examples
# Configure the primary authorization server.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49
reset hwtacacs statistics
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
View
User view
Default Level
1: Monitor level
Parameters
accounting: Clears HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears HWTACACS authentication statistics.
authorization: Clears HWTACACS authorization statistics.
slot slot-number: Clears HWTACACS statistics on the interface card in the specified slot.
Description
Use the reset hwtacacs statistics command to clear HWTACACS statistics.
Related commands: display hwtacacs.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
reset stop-accounting-buffer
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
View
User view
Default Level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a string of 1 to 32 characters.
slot slot-number: Specifies the slot where the interface card is inserted.
Description
Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that get no responses.
Related commands: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.
Examples
# Clear the buffered stop-accounting requests for HWTACACS scheme hwt1.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1
retry stop-accounting (HWTACACS scheme view)
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Default Level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 1 to 300 and defaults to 100.
Description
Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.
Use the undo retry stop-accounting command to restore the default.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50
secondary accounting (HWTACACS scheme view)
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.
Description
Use the secondary accounting command to specify the secondary HWTACACS accounting server.
Use the undo secondary accounting command to remove the configuration.
By default, no secondary HWTACACS accounting server is specified.
Note that:
l The IP addresses of the primary and secondary accounting servers cannot be the same; if they are, the configuration fails.
l The HWTACACS service port configured on the device must be the same as the port on which the HWTACACS server listens.
l If you configure the command more than once, the last configuration takes effect.
l You can remove an accounting server only when no active TCP connection for sending accounting packets is using it.
Examples
# Specify the secondary accounting server.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49
secondary authentication (HWTACACS scheme view)
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.
Description
Use the secondary authentication command to specify the secondary HWTACACS authentication server.
Use the undo secondary authentication command to remove the configuration.
By default, no secondary HWTACACS authentication server is specified.
Note that:
l The IP addresses of the primary and secondary authentication servers cannot be the same; if they are, the configuration fails.
l The HWTACACS service port configured on the device must be the same as the port on which the HWTACACS server listens.
l If you configure the command more than once, the last configuration takes effect.
l You can remove an authentication server only when no active TCP connection for sending authentication packets is using it.
Related commands: display hwtacacs.
Examples
# Specify the secondary authentication server for HWTACACS scheme hwt1, using an address different from that of the primary authentication server.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.14 49
secondary authorization
Syntax
secondary authorization ip-address [ port-number ]
undo secondary authorization
View
HWTACACS scheme view
Default Level
2: System level
Parameters
ip-address: IP address of the server, a valid unicast address in dotted decimal notation. The default is 0.0.0.0.
port-number: Port number of the server. It ranges from 1 to 65535 and defaults to 49.
Description
Use the secondary authorization command to specify the secondary HWTACACS authorization server.
Use the undo secondary authorization command to remove the configuration.
By default, no secondary HWTACACS authorization server is specified.
Note that:
l The IP addresses of the primary and secondary authorization servers cannot be the same; if they are, the configuration fails.
l The HWTACACS service port configured on the device must be the same as the port on which the HWTACACS server listens.
l If you configure the command more than once, the last configuration takes effect.
l You can remove an authorization server only when no active TCP connection for sending authorization packets is using it.
Related commands: display hwtacacs.
Examples
# Configure the secondary authorization server for HWTACACS scheme hwt1, using an address different from that of the primary authorization server.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.14 49
stop-accounting-buffer enable (HWTACACS scheme view)
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
HWTACACS scheme view
Default Level
2: System level
Parameters
None
Description
Use the stop-accounting-buffer enable command to enable the device to buffer stop-accounting requests getting no responses.
Use the undo stop-accounting-buffer enable command to disable the device from buffering stop-accounting requests getting no responses.
By default, the device is enabled to buffer stop-accounting requests getting no responses.
Since stop-accounting requests affect the charge to users, a NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.
Related commands: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.
Examples
# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests getting no responses.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
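The following Python model is added here and is not part of the original page or of the device software. It shows the behaviour described for stop-accounting-buffer enable and retry stop-accounting: a stop-accounting request that gets no reply is kept, retransmitted until a reply arrives or the attempt limit is reached, and then discarded. FlakyServer, the session identifier and the outage counts are constructed for the example; display() and reset() mirror the effect of display stop-accounting-buffer and reset stop-accounting-buffer.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class StopAccountingRequest:
    session_id: str
    attempts: int = 0       # transmissions made so far, the first one included


class StopAccountingBuffer:
    """Buffer of stop-accounting requests that have received no response.

    With buffering enabled, a request that gets no reply is kept and resent
    until the server answers or the number of transmission attempts reaches
    retry-times (range 1 to 300, default 100); then it is discarded.
    """

    def __init__(self, enabled: bool = True, retry_times: int = 100):
        if not 1 <= retry_times <= 300:
            raise ValueError("retry-times must be in the range 1 to 300")
        self.enabled = enabled
        self.retry_times = retry_times
        self.pending: Dict[str, StopAccountingRequest] = {}
        self.discarded: List[str] = []

    def send_stop(self, session_id: str, send: Callable[[str], bool]) -> bool:
        """First transmission; `send` returns True when the server replies."""
        req = StopAccountingRequest(session_id, attempts=1)
        if send(session_id):
            return True
        if self.enabled and req.attempts < self.retry_times:
            self.pending[session_id] = req
        else:
            self.discarded.append(session_id)   # buffering off, or limit already hit
        return False

    def retransmit(self, send: Callable[[str], bool]) -> int:
        """One retransmission round over the buffer; returns how many got a reply."""
        acknowledged = 0
        for sid in list(self.pending):
            req = self.pending[sid]
            req.attempts += 1
            if send(sid):
                del self.pending[sid]
                acknowledged += 1
            elif req.attempts >= self.retry_times:
                del self.pending[sid]          # limit reached: give up on this record
                self.discarded.append(sid)
        return acknowledged

    def display(self) -> int:
        """Counterpart of 'display stop-accounting-buffer': records still buffered."""
        return len(self.pending)

    def reset(self) -> int:
        """Counterpart of 'reset stop-accounting-buffer': drop every buffered record."""
        count = len(self.pending)
        self.pending.clear()
        return count


class FlakyServer:
    """Constructed stand-in for the accounting server: drops the first `outages` packets."""

    def __init__(self, outages: int):
        self.outages = outages
        self.received: List[str] = []

    def send(self, session_id: str) -> bool:
        if self.outages > 0:
            self.outages -= 1
            return False
        self.received.append(session_id)
        return True


def simulate(outages: int, retry_times: int, enabled: bool = True, rounds: int = 400) -> str:
    """Send one session's stop-accounting request to a server that loses `outages`
    packets and report the outcome: 'acknowledged' or 'discarded'."""
    server = FlakyServer(outages)
    buf = StopAccountingBuffer(enabled=enabled, retry_times=retry_times)
    if buf.send_stop("sess-1", server.send):
        return "acknowledged"
    for _ in range(rounds):
        if buf.retransmit(server.send):
            return "acknowledged"
        if buf.display() == 0:
            break
    return "discarded" if "sess-1" in buf.discarded else "pending"


if __name__ == "__main__":
    print(simulate(outages=2, retry_times=3))    # server recovers in time
    print(simulate(outages=5, retry_times=3))    # limit reached first
    print(simulate(outages=1, retry_times=3, enabled=False))
```

With buffering disabled the very first lost packet costs the accounting record; with it enabled the record survives as long as the server recovers within retry-times attempts, which is why the default leaves buffering on.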
timer quiet (HWTACACS scheme view)
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Default Level
2: System level
Parameters
minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.
Description
Use the timer quiet command to set the quiet timer for the primary server, that is, how long the primary server stays in the blocked state before it is returned to the active state and can be used again.
Use the undo timer quiet command to restore the default.
Related commands: display hwtacacs.
Examples
# Set the quiet timer for the primary server to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
timer realtime-accounting (HWTACACS scheme view)
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS scheme view
Default Level
2: System level
Parameters
minutes: Real-time accounting interval in minutes. It is a multiple of 3 in the range 3 to 60 and defaults to 12.
Description
Use the timer realtime-accounting command to set the real-time accounting interval.
Use the undo timer realtime-accounting command to restore the default.
Note that:
l For real-time accounting, a NAS must send the accounting information of online users to the HWTACACS accounting server periodically. This command sets that interval.
l The appropriate interval depends on the performance of the NAS and of the HWTACACS server: a shorter interval generates more accounting traffic and a higher load on both. Use a longer interval when there are many users (1000 or more). Table 3-2 lists the recommended interval for each range of user counts.
Table 3-2 Recommended real-time accounting intervals for different numbers of users
Number of users | Real-time accounting interval (minutes) |
---|---|
1 to 99 | 3 |
100 to 499 | 6 |
500 to 999 | 12 |
1000 or more | 15 or more |
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
timer response-timeout (HWTACACS scheme view)
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Default Level
2: System level
Parameters
seconds: HWTACACS server response timeout period in seconds. It ranges from 1 to 300 and defaults to 5.
Description
Use the timer response-timeout command to set the HWTACACS server response timeout timer.
Use the undo timer response-timeout command to restore the default.
Because HWTACACS runs over TCP, expiry of the server response timeout timer or of the TCP timeout timer causes the device to close its connection to the HWTACACS server.
Related commands: display hwtacacs.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
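As an added example (not code from the original page or from the device vendor), the following Python model ties together the primary/secondary server commands, timer quiet and timer response-timeout: it enforces the stated constraints (distinct primary and secondary addresses, port 1 to 65535 with a default of 49, timer ranges) and shows how a scheme falls back to the secondary server while the primary sits in the blocked state. The reference states only that the primary stays blocked for the quiet period before returning to active; that a primary which gives no reply within the response timeout is what puts it into the blocked state, and the probe function used to stand in for the exchange, are assumptions of this example. The secondary address 10.163.155.14 is assumed as well.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Server:
    ip: str
    port: int = 49              # default HWTACACS service port
    blocked_until: float = 0.0  # minute at which the quiet timer expires; 0.0 means active

    def is_active(self, now: float) -> bool:
        return now >= self.blocked_until


class HwtacacsScheme:
    """Per-scheme server table with the constraints the reference states."""

    SERVICES = ("authentication", "authorization", "accounting")

    def __init__(self, name: str, quiet_minutes: int = 5, response_timeout_s: int = 5):
        if not 1 <= quiet_minutes <= 255:
            raise ValueError("timer quiet must be in the range 1 to 255 minutes")
        if not 1 <= response_timeout_s <= 300:
            raise ValueError("timer response-timeout must be in the range 1 to 300 seconds")
        self.name = name
        self.quiet_minutes = quiet_minutes
        self.response_timeout_s = response_timeout_s
        self.servers: Dict[str, Dict[str, Optional[Server]]] = {
            svc: {"primary": None, "secondary": None} for svc in self.SERVICES
        }

    def set_server(self, role: str, service: str, ip: str, port: int = 49) -> None:
        """'primary|secondary <service> ip-address [port-number]'; repeating replaces the entry."""
        if role not in ("primary", "secondary") or service not in self.SERVICES:
            raise ValueError(f"unknown role/service {role} {service}")
        if not 1 <= port <= 65535:
            raise ValueError("port-number must be in the range 1 to 65535")
        other = self.servers[service]["secondary" if role == "primary" else "primary"]
        if other is not None and other.ip == ip:
            raise ValueError(f"{service}: primary and secondary servers cannot both be {ip}")
        self.servers[service][role] = Server(ip, port)

    def select_server(self, service: str, now: float,
                      probe: Callable[[Server], Optional[float]]) -> Optional[Server]:
        """Choose the server for one request at time `now` (minutes).

        `probe(server)` stands in for the exchange and returns the reply delay in
        seconds, or None when nothing came back. A primary that does not answer
        within the response timeout is marked blocked for the quiet period and
        the secondary is tried; a blocked primary is not probed at all.
        """
        primary = self.servers[service]["primary"]
        if primary is not None and primary.is_active(now):
            delay = probe(primary)
            if delay is not None and delay <= self.response_timeout_s:
                return primary
            primary.blocked_until = now + self.quiet_minutes   # assumed trigger for blocking
        secondary = self.servers[service]["secondary"]
        if secondary is not None:
            delay = probe(secondary)
            if delay is not None and delay <= self.response_timeout_s:
                return secondary
        return None


def config_error(scheme: HwtacacsScheme, role: str, service: str, ip: str, port: int = 49) -> Optional[str]:
    """Return the error message a rejected server setting produces, or None if accepted."""
    try:
        scheme.set_server(role, service, ip, port)
    except ValueError as exc:
        return str(exc)
    return None


def build_sample_scheme() -> HwtacacsScheme:
    """Constructed scheme: primary address from the page's examples, secondary assumed."""
    scheme = HwtacacsScheme("hwt1", quiet_minutes=5, response_timeout_s=5)
    scheme.set_server("primary", "authentication", "10.163.155.13", 49)
    scheme.set_server("secondary", "authentication", "10.163.155.14", 49)
    return scheme


def failover_timeline(scheme: HwtacacsScheme, primary_down_until: float) -> Dict[float, Optional[str]]:
    """Which authentication server is used at minutes 0, 2 and 5 when the primary
    gives no reply before minute `primary_down_until` (constructed scenario)."""
    result: Dict[float, Optional[str]] = {}
    for now in (0.0, 2.0, 5.0):
        def probe(srv: Server, now: float = now) -> Optional[float]:
            if srv.ip == "10.163.155.13" and now < primary_down_until:
                return None          # primary silent: response timeout expires
            return 0.2               # answers promptly
        chosen = scheme.select_server("authentication", now, probe)
        result[now] = chosen.ip if chosen else None
    return result


if __name__ == "__main__":
    print(failover_timeline(build_sample_scheme(), primary_down_until=1.0))
```

In the constructed run the primary is silent only during the first minute, yet the secondary keeps serving until minute 5: once blocked, the primary is not retried before the quiet timer expires, so the quiet period is the longest a recovered primary goes unused. A primary that answers but only after the response timeout is treated exactly like one that never answers.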
user-name-format (HWTACACS scheme view)
Syntax
user-name-format { with-domain | without-domain }
View
HWTACACS scheme view
Default Level
2: System level
Parameters
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Description
Use the user-name-format command to specify the format of the username to be sent to an HWTACACS server.
By default, the ISP domain name is included in the username.
Note that:
l A username is generally in the format userid@isp-name, where isp-name tells the device which ISP domain the user belongs to. Some earlier HWTACACS servers, however, cannot recognize a username that includes an ISP domain name. Before sending a username to such a server, the device must strip the domain name. This command lets you decide whether the username sent to an HWTACACS server includes the domain name.
l If an HWTACACS scheme sends usernames without the ISP domain name, do not apply that scheme to more than one ISP domain. Otherwise, two users in different ISP domains who share the same userid become indistinguishable to the HWTACACS server, which regards them as one user.
Related commands: hwtacacs scheme.
Examples
# Specify that the device removes the ISP domain name from the username sent to the HWTACACS servers of HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
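The following Python example is added here and is not code from the original page or from the device vendor. It applies user-name-format to login names and then checks a constructed domain-to-scheme mapping for the collision the note above warns about: a scheme configured with without-domain and applied to two ISP domains, so that two different users reach the HWTACACS server under one name. The domain names isp1 to isp3, the scheme hwt2, the login names, and the choice of the text after the last '@' as the domain name are assumptions of the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """'userid@isp-name' -> ('userid', 'isp-name'); a name without '@' has no domain.

    Taking the text after the last '@' as the domain is an assumption of this
    example, made so that userids that themselves contain '@' survive intact.
    """
    userid, sep, domain = username.rpartition("@")
    if not sep:
        return username, None
    return userid, domain


def username_for_server(username: str, fmt: str) -> str:
    """Apply user-name-format { with-domain | without-domain } to one login name."""
    if fmt == "with-domain":
        return username
    if fmt == "without-domain":
        return split_username(username)[0]
    raise ValueError(f"unknown user-name-format {fmt!r}")


def find_collisions(domain_scheme: Dict[str, str], scheme_format: Dict[str, str],
                    logins: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group login names by (scheme, name as sent to that scheme's server).

    A group holding more than one distinct login name is the problem case: the
    server sees a single username for users from different ISP domains.
    Schemes absent from `scheme_format` use the default, with-domain.
    """
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for login in logins:
        _, domain = split_username(login)
        if domain is None or domain not in domain_scheme:
            continue                      # no domain or unknown domain: outside this check
        scheme = domain_scheme[domain]
        sent = username_for_server(login, scheme_format.get(scheme, "with-domain"))
        if login not in seen[(scheme, sent)]:
            seen[(scheme, sent)].append(login)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample: hwt1 (without-domain) is wrongly applied to two ISP domains,
# hwt2 (without-domain) serves a single domain and is therefore safe.
DOMAIN_SCHEME = {"isp1": "hwt1", "isp2": "hwt1", "isp3": "hwt2"}
SCHEME_FORMAT = {"hwt1": "without-domain", "hwt2": "without-domain"}
LOGINS = ["alice@isp1", "alice@isp2", "bob@isp1", "alice@isp3", "carol"]

if __name__ == "__main__":
    for key, names in find_collisions(DOMAIN_SCHEME, SCHEME_FORMAT, LOGINS).items():
        scheme, sent = key
        print(f"scheme {scheme}: server sees {sent!r} for {', '.join(names)}")
```

Switching hwt1 back to with-domain (the default) makes the collision disappear, which is the other way to satisfy the note when one scheme must serve several domains.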