Part 8 - Security

01-AAA Commands



AAA Configuration Commands

aaa nas-id profile

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

View

System view

Default Level

2: System level

Parameters

profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Description

Use the aaa nas-id profile command to create a NAS ID profile and enter its view.

Use the undo aaa nas-id profile command to remove a NAS ID profile.

Related commands: nas-id bind vlan.

Examples

# Create a NAS ID profile named aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

access-limit enable

Syntax

access-limit enable max-user-number

undo access-limit enable

View

ISP domain view

Default Level

2: System level

Parameters

max-user-number: Maximum number of user connections for the current ISP domain, in the range 1 to 2147483646.

Description

Use the access-limit enable command to enable the limit on the number of user connections in an ISP domain and set the allowed maximum number. After the number of user connections reaches the maximum number allowed, no more users will be accepted.

Use the undo access-limit enable command to restore the default.

By default, there is no limit to the number of user connections in an ISP domain.

Because user connections compete for network resources, setting a proper limit on the number of user connections helps ensure reliable system performance.

Examples

# Set a limit of 500 user connections for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] access-limit enable 500

access-limit

Syntax

access-limit max-user-number

undo access-limit

View

Local user view

Default Level

3: Manage level

Parameters

max-user-number: Maximum number of user connections using the current username, in the range 1 to 1024.

Description

Use the access-limit command to enable the limit on the number of user connections using the current username and set the allowed maximum number.

Use the undo access-limit command to remove the limitation.

By default, there is no limit to the number of user connections using the same username.

Note that the access-limit command takes effect only when local accounting is configured.

Related commands: display local-user.

Examples

# Enable the limit on the number of user connections using the username abc and set the allowed maximum number to 5.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] access-limit 5

accounting command

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting command command to specify the command line accounting method.

Use the undo accounting command command to restore the default.

By default, the default accounting method that the accounting default command prescribes is used for command line accounting.

Note that:

- The HWTACACS scheme specified for the current ISP domain must have been configured.

- Currently, only HWTACACS schemes support command line accounting.

Related commands: accounting default, hwtacacs scheme in HWTACACS Commands of the Command Reference - Part 8 - Security.

Examples

# Configure the ISP domain test to use HWTACACS scheme hwtac for command line accounting.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

accounting default

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting default command to configure the default accounting method for all types of users.

Use the undo accounting default command to restore the default.

By default, the accounting method is local.

Note that:

- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

- The accounting method configured with the accounting default command applies to all types of users and has lower priority than the method configured for a specific access mode.

- Local accounting is only for managing the number of local user connections; it does not provide statistics. The local user connection number management applies only to local accounting; it does not affect local authentication and authorization.

Related commands: authentication default, authorization default, hwtacacs scheme, radius scheme in RADIUS Commands of the Command Reference - Part 8 - Security.

Examples

# Configure the default ISP domain system to use the local accounting method for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default local

# Configure ISP domain test to use RADIUS accounting scheme rd for all types of users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

accounting lan-access

Syntax

accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting lan-access command to configure the accounting method for LAN access users.

Use the undo accounting lan-access command to restore the default.

By default, the default accounting method that the accounting default command prescribes is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access local

# Configure ISP domain test to use RADIUS accounting scheme rd for LAN access users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

accounting login

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting login command to configure the accounting method for login users.

Use the undo accounting login command to restore the default.

By default, the default accounting method is used for login users.

Note that:

- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

- Accounting is not supported for login users' FTP services.

Related commands: accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login local

# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Default Level

2: System level

Parameters

None

Description

Use the accounting optional command to enable the accounting optional feature.

Use the undo accounting optional command to disable the feature.

By default, the feature is disabled.

Note that with the accounting optional command configured for a domain:

- A user that would otherwise be disconnected can continue to use network resources when no accounting server is available or communication with the current accounting server fails, but the device no longer sends real-time accounting updates for the user. This command applies to scenarios where authentication is required but accounting is not.

- The limit on the number of local user connections configured with the access-limit command in local user view is not effective.

Examples

# Enable the accounting optional feature for users in domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting optional

accounting portal

Syntax

accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting portal

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting portal command to configure the accounting method for portal users.

Use the undo accounting portal command to restore the default.

By default, the default accounting method is used for portal users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default, radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for portal users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting portal local

# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

authentication default

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication default command to configure the default authentication method for all types of users.

Use the undo authentication default command to restore the default.

By default, the authentication method is local.

Note that:

- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

- The authentication method specified with the authentication default command applies to all types of users and has lower priority than the method configured for a specific access mode.

Related commands: authorization default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default local

# Configure ISP domain test to use RADIUS authentication scheme rd for all types of users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

authentication lan-access

Syntax

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication lan-access command to configure the authentication method for LAN access users.

Use the undo authentication lan-access command to restore the default.

By default, the default authentication method is used for LAN access users.

Note that the RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access local

# Configure ISP domain test to use RADIUS authentication scheme rd for LAN access users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

authentication login

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication login command to configure the authentication method for login users.

Use the undo authentication login command to restore the default.

By default, the default authentication method is used for login users.

Note that the RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login local

# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

authentication portal

Syntax

authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication portal

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication portal command to configure the authentication method for portal users.

Use the undo authentication portal command to restore the default.

By default, the default authentication method is used for portal users.

Note that the RADIUS scheme specified must have been configured.

Related commands: authentication default, radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for portal users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication portal local

# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

authentication super

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }

undo authentication super

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description

Use the authentication super command to configure the authentication method for user privilege level switching.

Use the undo authentication super command to restore the default.

By default, the default authentication method is used for user privilege level switching authentication.

Note that the specified RADIUS/HWTACACS authentication scheme must have been configured.

Related commands: hwtacacs scheme; radius scheme; super in the Login Commands of the Command Reference - Part 1 - Login.

Examples

# Configure ISP domain test to use HWTACACS authentication scheme tac for user level switching authentication.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

authorization command

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }

undo authorization command

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights.

Description

Use the authorization command command to configure the command line authorization method.

Use the undo authorization command command to restore the default.

By default, the default authorization method is used for command line authorization.

Note that:

- The HWTACACS scheme specified for the current ISP domain must have been configured.

- For local authorization, the local users must have been configured for the command line users on the device, and the level of the commands authorized to a local user must be lower than or equal to that of the local user. Otherwise, local authorization will fail.

Related commands: authorization default, hwtacacs scheme.

Examples

# Configure the default ISP domain system to use local command line authorization.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization command local

# Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

authorization default

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization default

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization default command to configure the authorization method for all types of users.

Use the undo authorization default command to restore the default.

By default, the authorization method for all types of users is local.

Note that:

- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

- The authorization method specified with the authorization default command applies to all types of users and has lower priority than the method configured for a specific access mode.

- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

Related commands: authentication default, accounting default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default local

# Configure ISP domain test to use RADIUS authorization scheme rd for all types of users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

authorization lan-access

Syntax

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization lan-access command to configure the authorization method for LAN access users.

Use the undo authorization lan-access command to restore the default.

By default, the default authorization method is used for LAN access users.

Note that:

- The RADIUS scheme specified for the current ISP domain must have been configured.

- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail.

Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization lan-access local

# Configure ISP domain test to use RADIUS authorization scheme rd for LAN access users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

authorization login

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization login

View

ISP domain view

Default Level

2: System level

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, which is a string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization login command to configure the authorization method for login users.

Use the undo authorization login command to restore the default.

By default, the default authorization method is used for login users.

Note that:

- The RADIUS or HWTACACS scheme specified for the current ISP domain must have been configured.

- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail.

Related commands: authorization default, hwtacacs scheme, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login local

# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

authorization portal

Syntax

authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization portal

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default rights.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization portal command to configure the authorization method for portal users.

Use the undo authorization portal command to restore the default.

By default, the default authorization method is used for portal users.

Note that:

- The RADIUS scheme specified for the current ISP domain must have been configured.

- RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail.

Related commands: authorization default, radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for portal users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization portal local

# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local
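Three rules from the notes above decide what a domain configuration actually does: a method configured for a specific access mode overrides the domain's default method, and the built-in default is local when neither is set; RADIUS authorization takes effect only when its scheme is the one used for authentication; and accounting optional makes the local-user access-limit ineffective. The following Python script is an added example, not code from this command reference or from the device software. It parses a constructed configuration excerpt written in the format of the examples above (the domain, scheme and user names rd, rd2, tac, test and abc are made up for the example), resolves the effective method for each AAA type and access mode, and prints the findings a security review of that configuration would raise.

```python
"""Audit helper for Comware-style ISP domain AAA settings.

Added example, not code from the command reference or the device. It
parses a constructed config excerpt, resolves the effective method for
each AAA type and access mode, and reports settings a security review
would question.
"""

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
radius scheme rd
hwtacacs scheme tac
domain system
 authentication default local
domain test
 access-limit enable 500
 authentication default radius-scheme rd local
 authorization default radius-scheme rd2 local
 authentication login hwtacacs-scheme tac local
 authorization login hwtacacs-scheme tac
 accounting login none
 authentication portal none
 accounting optional
local-user abc
 access-limit 5
"""

AAA_TYPES = ("authentication", "authorization", "accounting")
ACCESS_TYPES = ("login", "lan-access", "portal")   # modes shared by all three


def parse_config(text):
    """Return (domains, local_users).

    domains[name]["methods"][(aaa, scope)] holds the configured method
    tokens, e.g. ["radius-scheme", "rd", "local"]; scope is "default" or
    an access mode. local_users[name]["access_limit"] is the per-username
    connection limit, if any.
    """
    domains, users = {}, {}
    current, view = None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):          # an unindented line changes the view
            if words[0] == "domain":
                current, view = words[1], "domain"
                domains.setdefault(current, {"methods": {}, "optional": False})
            elif words[0] == "local-user":
                current, view = words[1], "user"
                users.setdefault(current, {"access_limit": None})
            else:
                current = view = None
            continue
        if view == "domain":
            dom = domains[current]
            if words[:2] == ["accounting", "optional"]:
                dom["optional"] = True
            elif words[0] in AAA_TYPES:
                dom["methods"][(words[0], words[1])] = words[2:]
        elif view == "user" and words[0] == "access-limit":
            users[current]["access_limit"] = int(words[1])
    return domains, users


def effective_method(domain, aaa, access):
    """A method set for a specific access mode overrides the domain default;
    when neither is configured the built-in default is local."""
    methods = domain["methods"]
    return methods.get((aaa, access)) or methods.get((aaa, "default")) or ["local"]


def primary(tokens):
    """(kind, scheme name) of the first method in a method list."""
    if tokens[0].endswith("-scheme"):
        return tokens[0], tokens[1]
    return tokens[0], None


def audit(text):
    """Findings a reviewer would raise for the given configuration."""
    domains, users = parse_config(text)
    findings = []
    for name, dom in domains.items():
        for access in ACCESS_TYPES:
            methods = {aaa: effective_method(dom, aaa, access) for aaa in AAA_TYPES}
            for aaa, tokens in methods.items():
                if tokens[0] == "none":
                    findings.append(f"{name}: no {aaa} for {access} users")
            authn, authz = primary(methods["authentication"]), primary(methods["authorization"])
            # RADIUS authorization only works with the RADIUS scheme used for authentication.
            if authz[0] == "radius-scheme" and authz != authn:
                findings.append(f"{name}: {access} users: RADIUS authorization scheme "
                                f"{authz[1]} is not the authentication scheme "
                                f"({' '.join(methods['authentication'][:2])}); "
                                "RADIUS authorization will fail")
        # accounting optional disables the local-user access-limit for this domain.
        if dom["optional"] and any(u["access_limit"] for u in users.values()):
            findings.append(f"{name}: accounting optional makes local-user "
                            "access-limit ineffective")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed excerpt the script reports five findings for domain test and none for domain system: login users get no accounting, portal users get no authentication at all, RADIUS authorization with scheme rd2 fails for LAN access and portal users because authentication does not use rd2, and accounting optional voids the access-limit 5 set on local user abc. Running the same parser over a real device's display current-configuration output is the natural next step, but note that it only recognises the domain-view and local-user-view commands documented on this page.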

authorization-attribute

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | vlan | work-directory } *

View

Local user view, user group view

Default Level

3: Manage level

Parameters

acl: Specifies the authorization ACL of the local user(s).

acl-number: Authorization ACL for the local user(s), in the range 2000 to 5999.

callback-number: Specifies the authorization PPP callback number of the local user(s).

callback-number: Authorization PPP callback number for the local user(s), a case-sensitive string of 1 to 64 characters.

idle-cut: Specifies the idle cut function for the local user(s). With the idle cut function enabled, an online user whose idle period exceeds the specified idle time will be logged out.

minute: Idle time allowed, in the range 1 to 120 minutes.

level: Specifies the level of the local user(s).

level: Level of the local user(s), which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level. The default is 0.

user-profile: Specifies the authorization user profile of the local user(s).

profile-name: Name of the authorization user profile for the local user(s), a case-sensitive string of 1 to 32 characters. It can consist of English letters, digits, and underscores and must start with an English letter.

vlan: Specifies the authorized VLAN of the local user(s).

vlan-id: Authorized VLAN for the local user(s), in the range 1 to 4094.

work-directory: Specifies the authorized work directory of the local user(s), if the user or users are authorized the FTP or SFTP service type.

directory-name: Authorized work directory, a case-insensitive string of 1 to 135 characters. This directory must already exist.

Description

Use the authorization-attribute command to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device will assign these attributes to the user.

Use the undo authorization-attribute command to remove authorization attributes.

By default, no authorization attribute is configured for a local user or user group.

Note that:

- Each configurable authorization attribute has its own intended application environment and purpose, but the assignment of local user authorization attributes does not take the service type into account. Therefore, when configuring authorization attributes for a local user, consider which attributes are actually needed for that user's service type.

- Authorization attributes configured for a user group are effective on all local users of the group.

- An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

- If the user interface uses no authentication or password authentication, the levels of commands that a user can access after login depend on the level of the user interface. For information about user interface login authentication methods, refer to the authentication-mode command in Login Commands of the Command Reference - Part 1 - Login. If the authentication method requires users to provide usernames and passwords, the levels of commands that a user can access after login depend on the level of the user. For an SSH user authenticated with an RSA public key, the available commands depend on the level specified on the user interface rather than on the level of the local user.

- If you remove the specified work directory from the file system, the FTP/SFTP user(s) will not be able to access the directory.

Examples

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

authorization-attribute user-profile

Syntax

authorization-attribute user-profile profile-name

undo authorization-attribute user-profile

View

ISP domain view

Default Level

3: Manage level

Parameters

profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For details about user profile configuration, refer to User Profile Configuration in the Configuration Guide - Part 7 - ACL - QoS.

Description

Use the authorization-attribute user-profile command to specify the default authorization user profile for an ISP domain.

Use the undo authorization-attribute user-profile command to restore the default.

By default, an ISP domain has no default authorization user profile.

After a user of an ISP domain passes authentication, if the server (or the access device in the case of local authentication) does not authorize any user profile to the ISP domain, the system uses the user profile specified by the authorization-attribute user-profile command as that of the ISP domain.

Note that if you configure the authorization-attribute user-profile command repeatedly, only the last one takes effect.

Examples

# Specify the default authorization user profile for domain test as profile1.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute user-profile profile1
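The two precedence rules for authorization attributes (an attribute in local user view overrides the same attribute in user group view, and a domain's default user profile applies only when no user profile was authorized) decide, for example, whether a manage-level attribute set on a group silently reaches every member. The following Python function is an added example, not code from this command reference; the users, group and attribute values are constructed for illustration, and only local authentication is modelled because this page does not specify how attributes returned by a RADIUS or HWTACACS server combine with locally configured ones.

```python
# Added example: combining authorization attributes per the precedence
# rules in this command reference (local user view > user group view,
# domain default user-profile as the fallback). Inputs are constructed
# dicts, not device output; only local authentication is modelled.

ATTRIBUTES = ("acl", "callback-number", "idle-cut", "level",
              "user-profile", "vlan", "work-directory")


def effective_attributes(user_attrs, group_attrs, domain_default_profile=None):
    """Return the attributes assigned to a local user after authentication."""
    merged = {}
    for key in ATTRIBUTES:
        if key in user_attrs:            # local user view takes precedence
            merged[key] = user_attrs[key]
        elif key in group_attrs:         # otherwise inherit from the user group
            merged[key] = group_attrs[key]
    # The level of a local user defaults to 0 (visit level) when nothing sets it.
    merged.setdefault("level", 0)
    # No user profile authorized: fall back to the ISP domain's default profile.
    if "user-profile" not in merged and domain_default_profile is not None:
        merged["user-profile"] = domain_default_profile
    return merged


def privileged_users(users, group_attrs, domain_default_profile=None, threshold=3):
    """Names of users whose effective level reaches `threshold`; shows which
    accounts end up at manage level through inheritance from the group."""
    return sorted(
        name for name, attrs in users.items()
        if effective_attributes(attrs, group_attrs, domain_default_profile)["level"] >= threshold
    )


# Constructed data: user group "abc" assigns VLAN 3 and manage level to all
# members; "ops" overrides the level, "guest" and "ftp1" inherit everything.
GROUP_ABC = {"vlan": 3, "level": 3}
USERS = {
    "ops":   {"level": 1, "user-profile": "profile1"},
    "guest": {},
    "ftp1":  {"work-directory": "flash:/ftp"},
}

if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, effective_attributes(attrs, GROUP_ABC, "profile0"))
    print("manage-level users:", privileged_users(USERS, GROUP_ABC))
```

With these inputs "guest" and "ftp1" end up at manage level and with user profile profile0 purely through inheritance and the domain default, while "ops" keeps its own level 1 and profile1; that is the kind of result to verify with display local-user before trusting a group-wide level attribute.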

bind-attribute

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

View

Local user view

Default Level

3: Manage level

Parameters

call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters.

subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.

ip ip-address: Specifies the IP address of the user.

location: Specifies the port binding attribute of the user.

port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument is in the range 0 to 255, the subslot-number argument is in the range 0 to 15, and the port-number argument is in the range 0 to 255. Only the numbers make sense here; port types are not taken into account.

mac mac-address: Specifies the MAC address of the user in the format of H-H-H.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to 4094.

Description

Use the bind-attribute command to configure binding attributes for a local user.

Use the undo bind-attribute command to remove binding attributes of a local user.

By default, no binding attribute is configured for a local user.

Note that:

l   Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the checking will fail and the user will fail the authentication as a result. In addition, such binding attribute checking does not take the service types of the users into account. That is, a configured binding attribute is effective on all types of users. Therefore, be cautious when deciding which binding attributes should be configured for which type of local users.

l   The bind-attribute ip command applies only when the authentication method (802.1X, for example) supports IP address upload. If you configure the command when the authentication method (MAC address authentication, for example) does not support IP address upload, local authentication will fail.

l   The bind-attribute mac command applies to only LAN users, for example, 802.1X users. If you configure it for other types of users, such as FTP or Telnet users, local authentication of the users will fail.

Examples

# Configure the bound IP of local user abc as 3.3.3.3.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] bind-attribute ip 3.3.3.3

cut connection

Syntax

cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]

View

System view

Default Level

2: System level

Parameters

access-type: Specifies user connections of an access mode.

l   dot1x: Specifies 802.1x authentication user connections.

l   mac-authentication: Specifies MAC authentication user connections.

l   portal: Specifies portal authentication user connections.

all: Specifies all user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.

interface interface-type interface-number: Specifies all user connections of an interface.

ip ip-address: Specifies a user connection by IP address.

mac mac-address: Specifies a user connection by MAC address. The MAC address must be in the format of H-H-H.

ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to 4294967295.

user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.

vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the cut connection command to tear down the specified connections forcibly.

At present, this command applies to only LAN access and portal user connections.

Related commands: display connection, service-type.

Examples

# Tear down all connections of ISP domain test.

<Sysname> system-view

[Sysname] cut connection domain test

display connection

Syntax

display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

access-type: Specifies user connections of an access mode.

l   dot1x: Specifies 802.1x authentication user connections.

l   mac-authentication: Specifies MAC authentication user connections.

l   portal: Specifies portal authentication user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.

interface interface-type interface-number: Specifies all user connections of an interface.

ip ip-address: Specifies a user connection by IP address.

mac mac-address: Specifies a user connection by MAC address. The MAC address must be in the format of H-H-H.

ucibindex ucib-index: Specifies all user connections using the specified connection index. The value ranges from 0 to 4294967295.

user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. If you enter a username without any domain name, the system assumes that the default domain name is used for the username.

vlan vlan-id: Specifies all user connections in a VLAN. The VLAN ID ranges from 1 to 4094.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display connection command to display information about specified or all AAA user connections.

Note that:

l   With no parameter specified, the command displays brief information about all AAA user connections.

l   If you specify the ucibindex ucib-index combination, the command displays detailed information; otherwise, the command displays brief information.

l   This command does not apply to FTP user connections.

Related commands: cut connection.

Examples

# Display information about all AAA user connections.

<Sysname> display connection

Slot:  1

Index=827 , Username= telnet@system

 IP=3.3.3.3

 MAC=0017-9ac0-2d65

 

 Total 1 connection(s) matched on slot 1.

 Total 1 connection(s) matched.

Table 1-1 display connection command output description

Field       Description
Slot        Member number in the IRF virtual device or current device number
Index       Index number
Username    Username of the connection, in the format username@domain
IP          IP address of the user
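The brief output above has a fixed layout, which makes it practical to parse when auditing who is connected through which slot before tearing sessions down with cut connection. The following parser is an added example and is not code from the H3C manual or device; SAMPLE_OUTPUT is a constructed listing in the manual's layout with a second slot added, and the record/report class names are this example's own.

```python
"""Parse brief `display connection` output into records an auditor can query.

Added example, not code from the H3C manual. It reads the text layout shown
in the manual (a "Slot:" header, one "Index=..., Username=..." line per
connection with indented IP and MAC lines, then per-slot and overall totals)
and cross-checks the parsed record count against the device's own total.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the manual's layout, with a second slot added so the
# parser is exercised on an IRF-style multi-slot listing.
SAMPLE_OUTPUT = """\
Slot:  1
Index=827 , Username= telnet@system
 IP=3.3.3.3
 MAC=0017-9ac0-2d65

 Total 1 connection(s) matched on slot 1.
Slot:  2
Index=12 , Username= alice@test
 IP=10.1.1.5
 MAC=0017-9ac0-0001
Index=13 , Username= bob@test
 IP=10.1.1.6
 MAC=0017-9ac0-0002

 Total 2 connection(s) matched on slot 2.
 Total 3 connection(s) matched.
"""

_SLOT_RE = re.compile(r"^Slot:\s*(\d+)$")
_INDEX_RE = re.compile(r"^Index=(\d+)\s*,\s*Username=\s*(\S+)$")
_IP_RE = re.compile(r"^IP=(\S+)$")
_MAC_RE = re.compile(r"^MAC=([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})$")  # H-H-H format
_GRAND_TOTAL_RE = re.compile(r"^Total (\d+) connection\(s\) matched\.$")


@dataclass
class Connection:
    slot: int
    index: int            # the ucib-index usable with cut connection / display connection
    username: str         # always user@domain in this output
    ip: Optional[str] = None
    mac: Optional[str] = None

    @property
    def domain(self) -> str:
        return self.username.rsplit("@", 1)[1]


@dataclass
class ConnectionReport:
    connections: List[Connection]
    reported_total: Optional[int]   # from the final "Total N connection(s) matched." line

    def totals_agree(self) -> bool:
        """A parser that silently dropped records would under-count sessions; check it."""
        return self.reported_total is None or self.reported_total == len(self.connections)


def parse_display_connection(text: str) -> ConnectionReport:
    conns: List[Connection] = []
    slot: Optional[int] = None
    current: Optional[Connection] = None
    reported: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _SLOT_RE.match(line):
            slot, current = int(m.group(1)), None
        elif m := _INDEX_RE.match(line):
            if slot is None:
                raise ValueError("Index line before any Slot header")
            current = Connection(slot=slot, index=int(m.group(1)), username=m.group(2))
            conns.append(current)
        elif (m := _IP_RE.match(line)) and current is not None:
            current.ip = m.group(1)
        elif (m := _MAC_RE.match(line)) and current is not None:
            current.mac = m.group(1).lower()
        elif m := _GRAND_TOTAL_RE.match(line):
            reported = int(m.group(1))
        # per-slot totals and any other lines are ignored
    return ConnectionReport(conns, reported)


def connections_in_domain(report: ConnectionReport, isp_name: str) -> List[Connection]:
    """ISP domain names are case-insensitive in this manual, so compare case-folded."""
    return [c for c in report.connections if c.domain.lower() == isp_name.lower()]
```

The totals_agree check is deliberate: a script that feeds the parsed indexes to cut connection should refuse to act on a listing it did not fully understand, so a mismatch between the device's own total and the parsed count is treated as a parse failure rather than ignored.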

 

display domain

Syntax

display domain [ isp-name ]

View

Any view

Default Level

1: Monitor level

Parameters

isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.

Description

Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains.

Related commands: access-limit enable, domain, state.

Examples

# Display the configuration information of all ISP domains.

<Sysname> display domain

0  Domain : system

   State :  Active

   Access-limit :  Disabled

   Accounting method : Required

   Default authentication scheme      : local

   Default authorization scheme       : local

   Default accounting scheme          : local

   Domain User Template:

   Idle-cut : Disabled

   Self-service : Disabled

   Authorization attributes:

 

1  Domain : test

   State : Active

   Access-limit : Disabled

   Accounting method : Required

   Default authentication scheme      : local

   Default authorization scheme       : local

   Default accounting scheme          : local

   Lan-access authentication scheme   : radius:test, local

   Lan-access authorization scheme    : hwtacacs:hw, local

   Lan-access accounting scheme       : local

   Domain User Template:

   Idle-cut : Disabled

   Self-service : Disabled

   Authorization attributes :

    User-profile : profile1

 

 

Default Domain Name: system

Total 2 domain(s)

Table 1-2 display domain command output description

Field                              Description
Domain                             Domain name
State                              Status of the domain (active or block)
Access-limit                       Limit on the number of user connections
Accounting method                  Accounting method (either required or optional)
Default authentication scheme      Default authentication method
Default authorization scheme       Default authorization method
Default accounting scheme          Default accounting method
Lan-access authentication scheme   Authentication method for LAN users
Lan-access authorization scheme    Authorization method for LAN users
Lan-access accounting scheme       Accounting method for LAN users
Domain User Template               Template for users in the domain
Idle-cut                           Whether idle cut is enabled
Self-service                       Whether self-service is enabled
User-profile                       Default authorization user profile
Default Domain Name                Default ISP domain name
Total 2 domain(s).                 2 ISP domains in total

 

display local-user

Syntax

display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.

service-type: Specifies the local users of a type.

l   ftp refers to users using FTP.

l   lan-access refers to users accessing the network through an Ethernet, such as 802.1X users.

l   portal refers to users using Portal.

l   ssh refers to users using SSH.

l   telnet refers to users using Telnet.

l   terminal refers to users logging in through the console port or AUX port.

state { active | block }: Specifies all local users in the active or blocked state. A local user in the active state can access network services, while a local user in the blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.

slot slot-number: Specifies the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display local-user command to display information about specified or all local users.

Related commands: local-user.

Examples

# Display information about all local users.

<Sysname> display local-user

The contents of local user abc:

 State:                        Active

 ServiceType:                  lan-access

 Access-limit:                 Enable            Current AccessNum: 0

 Max AccessNum:                10

 User-group:                   system

 Bind attributes:

 Authorization attributes:

Total 1 local user(s) matched.

Table 1-3 display local-user command output description

Field                      Description
State                      Status of the local user, Active or Block
ServiceType                Service types that the local user can use, including FTP, LAN, Portal, SSH, Telnet, and terminal
Access-limit               Limit on the number of user connections using the current username
Current AccessNum          Current number of user connections using the current username
Max AccessNum              Maximum number of user connections using the current username
Authorization attributes   Authorization attributes of the local user

 

display user-group

Syntax

display user-group [ group-name ]

View

Any view

Default Level

2: System level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the display user-group command to display configuration information about one or all user groups.

Related commands: user-group.

Examples

# Display configuration information about user group abc.

<Sysname> display user-group abc

The contents of user group abc:

 Authorization attributes:

  Idle-cut:                 120(min)

  Work Directory:           FLASH:

  Level:                    1

  Acl Number:               2000

  Vlan ID:                  1

  User-Profile:             1

  Callback-number:          1

Total 1 user group(s) matched.

domain

Syntax

domain isp-name

undo domain isp-name

View

System view

Default Level

3: Manage level

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.

Description

Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.

Use the undo domain command to remove an ISP domain.

By default, a default ISP domain named system exists in the system.

Note that:

l   If the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

l   The default domain cannot be deleted and can only be changed.

Related commands: state, display domain.

Examples

# Create ISP domain test, and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

domain default enable

Syntax

domain default enable isp-name

undo domain default enable

View

System view

Default Level

3: Manage level

Parameters

isp-name: Name of the default ISP domain, a string of 1 to 24 characters.

Description

Use the domain default enable command to configure the system default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.

Use the undo domain default enable command to restore the default.

By default, there is a default ISP domain named system.

Note that:

l   There must be only one default ISP domain.

l   The specified domain must already exist; otherwise, users without any domain name carried in the username will fail to be authenticated.

l   The default ISP domain configured cannot be deleted unless you configure it as a non-default domain again.

Related commands: state, display domain.

Examples

# Create a new ISP domain named test, and configure it as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

expiration-date

Syntax

expiration-date time

undo expiration-date

View

Local user view

Default Level

3: Manage level

Parameters

time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23 and MM and SS range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 is equivalent to 02:02:00-2008/02/02.

Description

Use the expiration-date command to configure the expiration time of a local user.

Use the undo expiration-date command to remove the configuration.

By default, a local user has no expiration time and no time validity checking is performed.

When some users need to access the network temporarily, you can create a guest account and specify an expiration time for the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is within the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user.

Note that if you change the system time manually or the system time is changed in any other way, the access device uses the new system time for time validity checking.
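The time format and the validity check described above can be modelled directly. The following is an added example, not code from the H3C manual or device: it parses both accepted date orders, applies the field ranges, and mirrors the check the access device performs at login time. The function names are this example's own, and its reading of the "00:00:00" rule (an all-zero time must be written out in full) is an interpretation of the manual's wording.

```python
"""Parse and check a local-user `expiration-date` value.

Added example, not the device's code. It implements the time format the
manual specifies (HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD, field ranges
HH 0-23, MM/SS 0-59, YYYY 2000-2035, day range depending on the month,
leading zeros optional except in 00:00:00) and the validity check the
access device performs: the login is permitted while the system time is
within the expiration time.
"""
import calendar
import re
from datetime import datetime

_EXPIRY_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})-(\d{1,4})/(\d{1,2})/(\d{1,4})$")
MIN_YEAR, MAX_YEAR = 2000, 2035


def parse_expiration_date(text: str) -> datetime:
    m = _EXPIRY_RE.match(text)
    if not m:
        raise ValueError(f"not in HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD form: {text!r}")
    hh, mi, ss, d1, d2, d3 = m.groups()
    # The manual allows dropping leading zeros except in 00:00:00; read literally,
    # an all-zero time must be spelled out in full (interpretation, not verified).
    if int(hh) == int(mi) == int(ss) == 0 and (hh, mi, ss) != ("00", "00", "00"):
        raise ValueError("midnight must be written as 00:00:00")
    hour, minute, second = int(hh), int(mi), int(ss)
    if not (0 <= hour <= 23 and 0 <= minute <= 59 and 0 <= second <= 59):
        raise ValueError(f"time out of range: {hh}:{mi}:{ss}")
    # Years are always four digits (2000-2035) and months at most two, so the
    # position of the four-digit field tells the two date orders apart.
    if len(d1) == 4:
        year, month, day = int(d1), int(d2), int(d3)      # YYYY/MM/DD
    elif len(d3) == 4:
        month, day, year = int(d1), int(d2), int(d3)      # MM/DD/YYYY
    else:
        raise ValueError(f"no four-digit year in {d1}/{d2}/{d3}")
    if not MIN_YEAR <= year <= MAX_YEAR:
        raise ValueError(f"year {year} outside {MIN_YEAR}-{MAX_YEAR}")
    if not 1 <= month <= 12:
        raise ValueError(f"month {month} out of range")
    if not 1 <= day <= calendar.monthrange(year, month)[1]:
        raise ValueError(f"day {day} invalid for {year}-{month:02d}")
    return datetime(year, month, day, hour, minute, second)


def is_valid_expiration_date(text: str) -> bool:
    try:
        parse_expiration_date(text)
        return True
    except ValueError:
        return False


def login_permitted(expiry_text: str, system_time: datetime) -> bool:
    """Mirror the device check: permit while the current system time is within
    the expiration time. The system time is passed in explicitly because the
    manual notes that the device uses whatever the system time currently is,
    including after a manual clock change."""
    return system_time <= parse_expiration_date(expiry_text)
```

Passing the system time as a parameter rather than reading the clock inside the function keeps the note above visible in the code: the check is only as trustworthy as the device clock, so a guest account's expiry should be paired with reliable time synchronisation on the device.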

Examples

# Configure the expiration time of user abc to be 12:10:20 on May 31, 2008.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31

group

Syntax

group group-name

undo group

View

Local user view

Default Level

3: Manage level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the group command to specify the user group for the local user to belong to.

Use the undo group command to restore the default.

By default, a local user belongs to user group system, which is automatically created by the device.

Examples

# Specify that local user 111 belongs to user group abc.

<Sysname> system-view

[Sysname] local-user 111

[Sysname-luser-111] group abc

idle-cut enable

Syntax

idle-cut enable minute [ flow ]

undo idle-cut enable

View

ISP domain view

Default Level

2: System level

Parameters

minute: Maximum idle duration allowed, in the range 1 to 120 minutes.

flow: User idle threshold, in the range 1 to 10240000 bytes. The default is 10240.

Description

Use the idle-cut enable command to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the system will log out any user in the domain whose traffic is less than the specified user idle threshold during the maximum idle duration.

Use the undo idle-cut enable command to restore the default.

By default, the function is disabled.

Note that:

l   You can also set the maximum idle duration parameter on the server. In this case, if you enable the idle cut function and set the relevant parameters on the device, the settings on the device will take effect; if you disable the function on the device, the setting of the maximum idle duration parameter on the server will take effect.

l   The user idle threshold parameter can only be set on the device. The server always assigns a user idle threshold of 10240 bytes to a user. If you set the parameter on the device, the device uses your setting; otherwise, the device uses that assigned by the server.
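The precedence rules in the two notes above, together with the cut rule itself, can be modelled to predict when a session will be logged out. The following is an added example, not the device's code: it resolves which idle duration and threshold take effect from the device and server settings, and applies the cut rule as a sliding window over per-minute byte counts (the windowed treatment and the class and function names are this example's own assumptions; the traffic samples are constructed).

```python
"""Model the idle-cut decision for `idle-cut enable minute [ flow ]`.

Added example, not the device's code. It models two things the manual
describes: which idle duration and threshold take effect when both the device
and the server supply settings, and the cut rule itself (the user is logged out
when traffic during the maximum idle duration stays below the threshold),
treated here as a sliding window over per-minute byte counts.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

SERVER_IDLE_THRESHOLD_BYTES = 10240   # the server always assigns this threshold
MAX_IDLE_MINUTES = 120
MAX_FLOW_BYTES = 10240000


@dataclass(frozen=True)
class IdleCutPolicy:
    minutes: int            # maximum idle duration
    threshold_bytes: int    # user idle threshold


def effective_policy(device_enabled: bool, device_minutes: Optional[int],
                     device_flow: Optional[int], server_minutes: Optional[int]) -> Optional[IdleCutPolicy]:
    """Resolve precedence as the manual's notes describe.

    Enabled on the device: the device's duration applies, and its threshold if
    one was given, otherwise the server-assigned 10240 bytes. Disabled on the
    device: the server's duration (if any) applies with the server threshold.
    Returns None when no idle cut is in effect.
    """
    if device_enabled:
        if device_minutes is None or not 1 <= device_minutes <= MAX_IDLE_MINUTES:
            raise ValueError(f"minute must be 1 to {MAX_IDLE_MINUTES}")
        if device_flow is not None and not 1 <= device_flow <= MAX_FLOW_BYTES:
            raise ValueError(f"flow must be 1 to {MAX_FLOW_BYTES}")
        threshold = device_flow if device_flow is not None else SERVER_IDLE_THRESHOLD_BYTES
        return IdleCutPolicy(device_minutes, threshold)
    if server_minutes is None:
        return None
    return IdleCutPolicy(server_minutes, SERVER_IDLE_THRESHOLD_BYTES)


def first_idle_cut_minute(bytes_per_minute: Sequence[int], policy: IdleCutPolicy) -> Optional[int]:
    """Return the 1-based minute at whose end the user is cut, or None.

    The user is cut the first time a window of `policy.minutes` consecutive
    minutes carries less than `policy.threshold_bytes` of traffic in total.
    """
    width = policy.minutes
    if len(bytes_per_minute) < width:
        return None
    window = sum(bytes_per_minute[:width])
    if window < policy.threshold_bytes:
        return width
    for i in range(width, len(bytes_per_minute)):
        window += bytes_per_minute[i] - bytes_per_minute[i - width]
        if window < policy.threshold_bytes:
            return i + 1
    return None


if __name__ == "__main__":
    # Constructed per-minute traffic sample for one user, with a short window
    # so the cut point is easy to follow by hand.
    policy = IdleCutPolicy(minutes=3, threshold_bytes=1000)
    print(first_idle_cut_minute([500, 500, 500, 100, 100, 100, 5000], policy))  # 5
```

In the sample run, minutes 3 to 5 carry 500 + 100 + 100 = 700 bytes, the first three-minute window under the 1000-byte threshold, so the user is cut at the end of minute 5 even though traffic resumes afterwards.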

Related commands: domain.

Examples

# Enable the idle cut function and set the idle duration threshold to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] idle-cut enable 50 1024

local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ssh | telnet | terminal } ] }

View

System view

Default Level

3: Manage level

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical line (|), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or the @ sign, and cannot be a, al, or all.

all: Specifies all users.

service-type: Specifies the users of a type.

l   ftp refers to users using FTP.

l   lan-access refers to users accessing the network through an Ethernet, such as 802.1X users.

l   portal refers to users using Portal.

l   ssh refers to users using SSH.

l   telnet refers to users using Telnet.

l   terminal refers to users logging in through the console port or AUX port.

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to remove the specified local users.

By default, no local user is configured.
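The naming rules for local users above, the ISP domain name rules under the domain command, and the default-domain rule under domain default enable together determine how a username such as those accepted by display connection and cut connection is interpreted. The following validator is an added example, not code from the H3C manual or device; the function and class names are this example's own, and it assumes the default domain is system unless the caller passes another.

```python
"""Validate AAA user and ISP domain names and resolve the default domain.

Added example, not code from the H3C manual. It encodes the naming rules the
manual states for local-user names (1 to 55 case-sensitive characters, no
\\ / | : * ? < > @, not a, al or all) and ISP domain names (1 to 24
case-insensitive characters, no / : * ? < > @), plus the rule that a username
with no domain part belongs to the default ISP domain, which is "system"
unless changed with `domain default enable`.
"""
from typing import NamedTuple

LOCAL_USER_FORBIDDEN = set("\\/|:*?<>@")
LOCAL_USER_RESERVED = {"a", "al", "all"}   # compared exactly: local-user names are case-sensitive
DOMAIN_FORBIDDEN = set("/:*?<>@")
MAX_LOCAL_USER_LEN = 55
MAX_DOMAIN_LEN = 24
MAX_FULL_USERNAME_LEN = 80    # user@domain as accepted by display connection / cut connection


class AaaIdentity(NamedTuple):
    user: str
    domain: str   # lower-cased, because domain names are case-insensitive


def validate_local_user_name(name: str) -> None:
    if not 1 <= len(name) <= MAX_LOCAL_USER_LEN:
        raise ValueError(f"local-user name must be 1 to {MAX_LOCAL_USER_LEN} characters")
    bad = sorted(set(name) & LOCAL_USER_FORBIDDEN)
    if bad:
        raise ValueError(f"local-user name contains forbidden characters: {''.join(bad)}")
    if name in LOCAL_USER_RESERVED:
        raise ValueError(f"local-user name {name!r} is reserved")


def validate_domain_name(name: str) -> None:
    if not 1 <= len(name) <= MAX_DOMAIN_LEN:
        raise ValueError(f"ISP domain name must be 1 to {MAX_DOMAIN_LEN} characters")
    bad = sorted(set(name) & DOMAIN_FORBIDDEN)
    if bad:
        raise ValueError(f"ISP domain name contains forbidden characters: {''.join(bad)}")


def split_username(full: str, default_domain: str = "system") -> AaaIdentity:
    """Split user@domain; a bare username is placed in the default ISP domain.

    Because neither a user name nor a domain name may contain "@", a valid
    full username contains at most one "@" and the split is unambiguous; a
    second "@" ends up in the domain part and fails validation there.
    """
    if not 1 <= len(full) <= MAX_FULL_USERNAME_LEN:
        raise ValueError(f"username must be 1 to {MAX_FULL_USERNAME_LEN} characters")
    if "@" in full:
        user, domain = full.split("@", 1)
    else:
        user, domain = full, default_domain
    validate_local_user_name(user)
    validate_domain_name(domain)
    return AaaIdentity(user, domain.lower())


def is_valid_local_user_name(name: str) -> bool:
    try:
        validate_local_user_name(name)
        return True
    except ValueError:
        return False


def is_valid_username(full: str, default_domain: str = "system") -> bool:
    try:
        split_username(full, default_domain)
        return True
    except ValueError:
        return False
```

The domain part is lower-cased on return because the manual declares ISP domain names case-insensitive, while the user part is left untouched because local-user names are case-sensitive; a script that compares identities from different sources (display connection output, a RADIUS log, a local-user list) should normalise exactly this way and no further.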

Related commands: display local-user, service-type.

Examples

# Add a local user named user1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1]

local-user password-display-mode

Syntax

local-user password-display-mode { auto | cipher-force }

undo local-user password-display-mode

View

System view

Default Level

2: System level

Parameters

auto: Displays the password of a user based on the configuration of the user by using the password command.

cipher-force: Displays the passwords of all users in cipher text.

Description

Use the local-user password-display-mode command to set the password display mode for all local users.

Use the undo local-user password-display-mode command to restore the default.

The default mode is auto.

With the cipher-force mode configured:

l   A local user password is always displayed in cipher text, regardless of the configuration of the password command.

l   If you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the device restarts, even if you restore the display mode to auto.

Related commands: display local-user, password.

Examples

# Specify to display the passwords of all users in cipher text.

<Sysname> system-view

[Sysname] local-user password-display-mode cipher-force

nas-id bind vlan

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

View

NAS ID profile view

Default Level

2: System level

Parameters

nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.

vlan-id: ID of the VLAN to be bound with the NAS ID, in the range 1 to 4094.

Description

Use the nas-id bind vlan command to bind a NAS ID with a VLAN.

Use the undo nas-id bind vlan command to remove a NAS ID-VLAN binding.

By default, no NAS ID-VLAN binding exists.

Note that:

l   In a NAS ID profile view, you can bind the NAS ID with more than one VLAN.

l   A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect.

Related commands: aaa nas-id profile.

Examples

# Bind NAS ID 222 with VLAN 2.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

password

Syntax

password { cipher | simple } password

undo password

View

Local user view

Default Level

2: System level

Parameters

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in simple text.

password: Password for the local user.

l   In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.

l   In cipher text, it must be a string of 24 or 88 characters, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.

l   With the simple keyword, you must specify the password in simple text. With the cipher keyword, you can specify the password in either simple or cipher text.

Description

Use the password command to configure a password for a local user.

Use the undo password command to delete the password of a local user.

Note that:

l   With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.

l   With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.

Related commands: display local-user.

Examples

# Set the password of user1 to 123456 and specify to display the password in plain text.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] password simple 123456

self-service-url enable

Syntax

self-service-url enable url-string

undo self-service-url enable

View

ISP domain view

Default Level

2: System level

Parameters

url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters. It must start with http:// and contain no question mark.

Description

Use the self-service-url enable command to enable the self-service server localization function and specify the URL of the self-service server for changing user password.

Use the undo self-service-url enable command to restore the default.

By default, the function is disabled.

Note that:

l   A self-service RADIUS server, for example, iMC, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

l   After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1X client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.

l   Only authenticated users can select [Service/Change Password] from the 802.1X client. The option is gray and unavailable for unauthenticated users.

Examples

# Enable the self-service server localization function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default ISP domain system.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

service-type

Syntax

service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal }

undo service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal }

View

Local user view

Default Level

3: Manage level

Parameters

ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.

lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console port or AUX port.

portal: Authorizes the user to use the Portal service.

Description

Use the service-type command to specify the service types that a user can use.

Use the undo service-type command to delete one or all service types configured for a user.

By default, a user is authorized with no service.

Examples

# Authorize user user1 to use the Telnet service.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type telnet

state

Syntax

state { active | block }

undo state

View

ISP domain view, local user view

Default Level

2: System level

Parameters

active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services.

block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the status of the current ISP domain or local user.

Use the undo state command to restore the default.

By default, an ISP domain is active when created. So is a local user.

By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. Note that the online users are not affected.

By blocking a user, you disable the user from requesting network services. No other users are affected.

Related commands: domain.

Examples

# Place ISP domain test in the blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

# Place local user user1 in the blocked state.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] state block

user-group

Syntax

user-group group-name

undo user-group group-name

View

System view

Default Level

3: Manage level

Parameters

group-name: User group name, a case-insensitive string of 1 to 32 characters.

Description

Use the user-group command to create a user group and enter its view.

Use the undo user-group command to remove a user group.

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Currently, you can configure authorization attributes for a user group.

Note that:

l   A user group with one or more local users cannot be removed.

l   The default system user group system cannot be removed but you can change its configurations.

Related commands: display user-group.

Examples

# Create a user group named abc and enter its view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.