Security Command Reference

03-AAA Commands

Table of Contents

1 AAA Configuration Commands
  AAA Configuration Commands
    aaa nas-id profile
    access-limit
    access-limit enable
    accounting default
    accounting lan-access
    accounting login
    accounting optional
    accounting ppp
    authentication default
    authentication lan-access
    authentication login
    authentication ppp
    authentication super
    authorization command
    authorization default
    authorization lan-access
    authorization login
    authorization ppp
    authorization-attribute
    bind-attribute
    cut connection
    display connection
    display domain
    display local-user
    domain
    domain default enable
    expiration-date
    idle-cut enable
    ip pool
    local-user
    local-user password-display-mode
    nas-id bind vlan
    password
    self-service-url enable
    service-type
    state
  RADIUS Configuration Commands
    accounting-on enable
    accounting-on enable interval
    accounting-on enable send
    attribute 25 car
    data-flow-format (RADIUS scheme view)
    display radius scheme
    display radius statistics
    display stop-accounting-buffer
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    radius client
    radius nas-ip
    radius scheme
    radius trap
    reset radius statistics
    reset stop-accounting-buffer
    retry
    retry realtime-accounting
    retry stop-accounting (RADIUS scheme view)
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    security-policy-server
    server-type
    state
    stop-accounting-buffer enable (RADIUS scheme view)
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    user-name-format (RADIUS scheme view)

• Support of the H3C WA series WLAN access points (APs) for commands may vary by AP model. For more information, see Feature Matrix.

• The interface types and the number of interfaces vary by AP model.

• The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

AAA Configuration Commands

aaa nas-id profile

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

View

System view

Default Level

2: System level

Parameters

profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.

Description

Use the aaa nas-id profile command to create a NAS ID profile and enter its view.

Use the undo aaa nas-id profile command to remove a NAS ID profile.

Related commands: nas-id bind vlan.

Examples

# Create a NAS ID profile named aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

access-limit

Syntax

access-limit max-user-number

undo access-limit

View

Local user view

Default Level

3: Manage level

Parameters

max-user-number: Maximum number of user connections using the current username, in the range 1 to 1024.

Description

Use the access-limit command to enable the limit on the number of user connections using the current username and set the allowed maximum number.

Use the undo access-limit command to remove the limitation.

By default, there is no limit to the number of user connections using the same username.

The access-limit command takes effect only when local accounting is configured.

Related commands: display local-user.

Examples

# Enable the limit on the number of user connections using the username abc and set the allowed maximum number to 5.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] access-limit 5

access-limit enable

Syntax

access-limit enable max-user-number

undo access-limit enable

View

ISP domain view

Default Level

2: System level

Parameters

max-user-number: Maximum number of online users in the current ISP domain. The value ranges from 1 to 2147483646.

Description

Use the access-limit enable command to set the maximum number of accessing users allowed by an ISP domain.

Use the undo access-limit enable command to restore the default.

By default, there is no limit to the number of access users in an ISP domain.

Because access users compete for network resources, setting an appropriate limit on their number helps keep system performance reliable. Once the limit is reached, new users in the ISP domain are denied access.

Examples

# Set a limit of 500 accessing users for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] access-limit enable 500

accounting default

Syntax

accounting default { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting default

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting default command to specify the default accounting method for all types of users.

Use the undo accounting default command to restore the default.

By default, the accounting method is local.

The RADIUS scheme specified for the current ISP domain must have been configured.

The accounting method specified with the accounting default command is for all types of users and has a priority lower than that for a specific access mode.

Local accounting is only for managing the local user connection number; it does not provide the statistics function. The local user connection number management is only for local accounting; it does not affect local authentication and authorization.

Related commands: authentication default, authorization default, and radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting default local

# Configure the default ISP domain test to use RADIUS accounting scheme rd for all types of users and to use the local accounting as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

accounting lan-access

Syntax

accounting lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting lan-access command to specify the accounting method for LAN access users.

Use the undo accounting lan-access command to restore the default.

By default, the default accounting method configured by command accounting default is used for LAN access users.

The RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default and radius scheme.

Examples

# Configure the default ISP domain system to use the local accounting method for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting lan-access local

# Configure the default ISP domain test to use RADIUS accounting scheme rd for LAN access users and to use local accounting as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

accounting login

Syntax

accounting login { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting login

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting. It is not used for charging purposes, but for collecting statistics on and limiting the number of local user connections.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting login command to specify the accounting method for login users.

Use the undo accounting login command to restore the default.

By default, the default accounting method is used for login users.

The RADIUS scheme specified for the current ISP domain must have been configured.

Accounting is not supported for login users’ FTP services.

Related commands: accounting default and radius scheme.

Examples

# Configure the default ISP domain system to use local accounting for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting login local

# Configure the default ISP domain test to use RADIUS accounting scheme rd for login users and to use local accounting as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Default Level

2: System level

Parameters

None

Description

Use the accounting optional command to enable the accounting optional feature.

Use the undo accounting optional command to disable the feature.

By default, the feature is disabled.

With the accounting optional command configured, a user who would otherwise be disconnected can continue to use network resources when no accounting server is available or communication with the current accounting server fails; however, the AP no longer sends real-time accounting updates for the user. This command applies to scenarios where authentication is required but accounting is not.

If you configure the accounting optional command for a domain, the AP does not send real-time accounting updates for users of the domain any more after accounting fails.

With the accounting optional command configured, the limit on the number of local user connections configured by the access-limit command does not take effect.

Examples

# Enable the accounting optional feature for users in domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting optional

accounting ppp

Syntax

accounting ppp { local | none | radius-scheme radius-scheme-name [ local ] }

undo accounting ppp

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local accounting.

none: Does not perform any accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the accounting ppp command to specify the accounting method for PPP users.

Use the undo accounting ppp command to restore the default.

By default, the default accounting method is used for PPP users.

The RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: accounting default and radius scheme.

Examples

# Configure the default ISP domain system to use local accounting for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] accounting ppp local

# Configure the default ISP domain test to use RADIUS accounting scheme rd for PPP users and to use local accounting as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp radius-scheme rd local

authentication default

Syntax

authentication default { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication default

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication default command to specify the default authentication method for all types of users.

Use the undo authentication default command to restore the default.

By default, the authentication method is local.

The RADIUS scheme specified for the current ISP domain must have been configured.

The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode.

Related commands: authorization default, accounting default, and radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication default local

# Configure the default ISP domain test to use RADIUS authentication scheme rd for all types of users and to use local authentication as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

authentication lan-access

Syntax

authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication lan-access command to specify the authentication method for LAN access users.

Use the undo authentication lan-access command to restore the default.

By default, the default authentication method is used for LAN access users.

The RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default and radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication lan-access local

# Configure the default ISP domain test to use RADIUS authentication scheme rd for LAN access users and to use local authentication as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

authentication login

Syntax

authentication login { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication login

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication login command to specify the authentication method for login users.

Use the undo authentication login command to restore the default.

By default, the default authentication method is used for login users.

The RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default and radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication login local

# Configure the default ISP domain test to use RADIUS authentication scheme rd for login users and to use local authentication as the backup scheme.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

authentication ppp

Syntax

authentication ppp { local | none | radius-scheme radius-scheme-name [ local ] }

undo authentication ppp

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authentication.

none: Does not perform any authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authentication ppp command to specify the authentication method for PPP users.

Use the undo authentication ppp command to restore the default.

By default, the default authentication method is used for PPP users.

The RADIUS scheme specified for the current ISP domain must have been configured.

Related commands: authentication default and radius scheme.

Examples

# Configure the default ISP domain system to use local authentication for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authentication ppp local

# Configure the default ISP domain test to use RADIUS authentication scheme rd for PPP users and to use local authentication as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp radius-scheme rd local

authentication super

Syntax

authentication super radius-scheme radius-scheme-name

undo authentication super

View

ISP domain view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a case-insensitive string of 1 to 32 characters.

Description

Use the authentication super command to configure the authentication method for user privilege level switching.

Use the undo authentication super command to restore the default.

By default, the default authentication method is used for user privilege level switching authentication.

The specified RADIUS authentication scheme must have been configured.

Related commands: radius scheme (AAA in the Security Command Reference); super (Basic System Configuration in the Fundamentals Command Reference).

Examples

# Configure ISP domain test to use RADIUS scheme tac for user level switching authentication.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super radius-scheme tac

authorization command

Syntax

authorization command { local | none }

undo authorization command

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the corresponding default rights.

Description

Use the authorization command command to configure the command line authorization method.

Use the undo authorization command command to restore the default.

By default, the default authorization method is used for command line users.

For local authorization, the local users must have been configured for the command line users on the AP, and the level of the commands authorized to a local user must be lower than or equal to that of the local user. Otherwise, local authorization will fail.

Related commands: authorization default.

Examples

# Configure the default ISP domain system to use local command line authorization.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization command local

authorization default

Syntax

authorization default { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization default

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization default command to specify the authorization method for all types of users.

Use the undo authorization default command to restore the default.

By default, the authorization method for all types of users is local.

The RADIUS scheme specified for the current ISP domain must have been configured.

The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.

RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. In addition, if a RADIUS authorization fails, the error message returned to the NAS says that the server is not responding.

Related commands: authentication default, accounting default, and radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for all types of users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization default local

# Configure the default ISP domain test to use RADIUS authorization scheme rd for all types of users and to use local authorization as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

authorization lan-access

Syntax

authorization lan-access { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization lan-access command to specify the authorization method for LAN access users.

Use the undo authorization lan-access command to restore the default.

By default, the default authorization method is used for LAN access users.

The RADIUS scheme specified for the current ISP domain must have been configured.

RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail.

Related commands: authorization default and radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for LAN access users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization lan-access local

# Configure the default ISP domain test to use RADIUS authorization scheme rd for LAN access users and to use local authorization as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local
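The following is an added worked configuration, not an example from the H3C reference. It ties together the domain-level commands described above: the default methods that apply to every access mode, the lan-access methods that take priority over them, RADIUS scheme rd with local as the backup method, the requirement that the RADIUS authorization scheme match the authentication scheme, access-limit enable, and accounting optional. The RADIUS scheme view commands (primary authentication, primary accounting, key, user-name-format) are assumed to follow the Comware syntax used by this AP family; the server address 192.0.2.10 and the shared secret are placeholders.

```text
# Added example (not from the H3C reference): RADIUS-backed AAA for LAN access
# users in ISP domain "test", with local fallback. The RADIUS scheme view
# commands below use the Comware syntax assumed for this AP family; the server
# address and the shared secret are placeholders.
<Sysname> system-view
[Sysname] radius scheme rd
[Sysname-radius-rd] primary authentication 192.0.2.10 1812
[Sysname-radius-rd] primary accounting 192.0.2.10 1813
[Sysname-radius-rd] key authentication RADIUS-SECRET-PLACEHOLDER
[Sysname-radius-rd] key accounting RADIUS-SECRET-PLACEHOLDER
[Sysname-radius-rd] user-name-format without-domain
[Sysname-radius-rd] quit
# Domain-wide defaults: local for every access mode that has no method of its own.
[Sysname] domain test
[Sysname-isp-test] authentication default local
[Sysname-isp-test] authorization default local
[Sysname-isp-test] accounting default local
# LAN access users override the defaults: RADIUS scheme rd first, local only if
# the scheme does not respond. Authorization names the same scheme as
# authentication; with a different scheme, RADIUS authorization would fail.
[Sysname-isp-test] authentication lan-access radius-scheme rd local
[Sysname-isp-test] authorization lan-access radius-scheme rd local
[Sysname-isp-test] accounting lan-access radius-scheme rd local
# Cap concurrent users in the domain; new users are denied once 500 are online.
[Sysname-isp-test] access-limit enable 500
# Keep authenticated users online if the accounting server stops responding.
# Side effect: the per-user access-limit of local users no longer applies here.
[Sysname-isp-test] accounting optional
[Sysname-isp-test] quit
# Verify the resulting method set for the domain.
[Sysname] display domain test
```

Because the lan-access methods are configured explicitly, the default methods in this domain only govern the other access modes (login, PPP, command line); removing the three lan-access lines with their undo forms would make LAN access users fall back to the local defaults.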

authorization login

Syntax

authorization login { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization login

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization login command to specify the authorization method for login users.

Use the undo authorization login command to restore the default.

By default, the default authorization method is used for login users.

The RADIUS scheme specified for the current ISP domain must have been configured.

RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail.

Related commands: authorization default and radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for login users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization login local

# Configure the default ISP domain test to use RADIUS authorization scheme rd for login users and to use local authorization as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

authorization ppp

Syntax

authorization ppp { local | none | radius-scheme radius-scheme-name [ local ] }

undo authorization ppp

View

ISP domain view

Default Level

2: System level

Parameters

local: Performs local authorization.

none: Does not perform any authorization. In this case, an authenticated user is automatically authorized with the default right.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

Description

Use the authorization ppp command to specify the authorization method for PPP users.

Use the undo authorization ppp command to restore the default.

By default, the default authorization method is used for PPP users.

The RADIUS scheme specified for the current ISP domain must have been configured.

RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme. If the RADIUS authorization scheme is different from the RADIUS authentication scheme, RADIUS authorization will fail.

Related commands: authorization default and radius scheme.

Examples

# Configure the default ISP domain system to use local authorization for PPP users.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] authorization ppp local

# Configure the default ISP domain test to use RADIUS authorization scheme rd for PPP users and to use local authorization as the backup method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp radius-scheme rd local

authorization-attribute

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | level | vlan | work-directory } *

View

Local user view

Default Level

3: Manage level

Parameters

acl: Specifies the authorization ACL of the local user(s).

acl-number: Authorization ACL for the local user(s), in the range 2000 to 5999.

callback-number: Specifies the authorization PPP callback number of the local user(s).

callback-number: Authorization PPP callback number for the local user(s), a case-sensitive string of 1 to 64 characters.

idle-cut: Specifies the idle cut function for the local user(s). With the idle cut function enabled, an online user whose idle period exceeds the specified idle time will be logged out.

minute: Idle time allowed, in the range from 1 minute to 120 minutes.

level: Specifies the level of the local user(s).

level: Level of the local user(s), which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level. The default is 0.

vlan: Specifies the authorized VLAN of the local user(s).

vlan-id: Authorized VLAN for the local user(s), in the range 1 to 4094.

work-directory: Specifies the authorized work directory of the local user(s), if the user or users are authorized the FTP or SFTP service type.

directory-name: Authorized work directory, a case-insensitive string of 1 to 135 characters. This directory must already exist.

Description

Use the authorization-attribute command to configure authorization attributes for the local user. After the local user passes authentication, the AP will assign these attributes to the user.

Use the undo authorization-attribute command to remove authorization attributes.

By default, no authorization attribute is configured for a local user.

Each authorization attribute is meaningful only in particular environments and for particular purposes, but local user authorization attributes are assigned without regard to the user's service type. Therefore, when configuring authorization attributes for a local user, consider which attributes that user actually needs. For example, PPP users do not need the work directory attribute.

If you specify to perform no authentication or perform password authentication, the levels of commands that a user can access after login depend on the level of the user interface. For information about user interface login authentication methods, see the authentication-mode command in Logging In to the AP in the Fundamentals Command Reference. If the authentication method requires users to provide usernames and passwords, the levels of commands that a user can access after login depend on the level of the user.

If you remove the specified work directory from the file system, the FTP/SFTP user(s) will not be able to access the directory.

If the specified work directory carries backup card slot information, the FTP/SFTP user(s) will not be able to access the directory after a switchover between the main card and the backup card occurs. Therefore, specifying slot information for the work directory is not recommended.

Examples

# Configure the authorized VLAN of local user abc as VLAN 3.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] authorization-attribute vlan 3

bind-attribute

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

View

Local user view

Default Level

3: Manage level

Parameters

call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters.

subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.

ip ip-address: Specifies the IP address of the user.

location: Specifies the port binding attribute of the user.

port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument is in the range 0 to 1024, the subslot-number argument is in the range 0 to 15, and the port-number argument is in the range 0 to 255. Only the numbers make sense here; port types are not taken into account.

mac mac-address: Specifies the MAC address of the user in the format of H-H-H.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range 1 to 4094.

Description

Use the bind-attribute command to configure binding attributes for a local user.

Use the undo bind-attribute command to remove binding attributes of a local user.

By default, no binding attribute is configured for a local user.

Binding attributes are checked when a local user is authenticated. If the user's attributes do not match the configured binding attributes, the check fails and so does the authentication. Binding attribute checks do not take the user's service type into account: a configured binding attribute applies to all types of users. Therefore, be cautious when deciding which binding attributes to configure for which type of local user.

The bind-attribute ip command applies only when the authentication method (802.1X, for example) supports IP address upload. If you configure the command when the authentication method (MAC address authentication, for example) does not support IP address upload, local authentication will fail.

The bind-attribute mac command applies to only LAN users, for example, 802.1X users. If you configure it for other types of users, such as FTP or Telnet users, local authentication of the users will fail.

Examples

# Configure the bound IP of local user abc as 3.3.3.3.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] bind-attribute ip 3.3.3.3
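The binding check described above, modelled as an added example that is not H3C code. The session fields, the method names `dot1x` and `mac-auth`, and the rule that only `lan-access` users count as LAN users are assumptions of the model.

```python
"""Added example (not H3C code): model the binding-attribute check that the
bind-attribute command configures.  Every binding that is configured must
match what the access session presents; the user's service type is not
consulted when deciding which bindings apply, and two bindings have
prerequisites taken from the page (ip needs an authentication method that
uploads the client IP, mac needs a LAN-access user)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed method names: 802.1X uploads the client IP, MAC authentication does not.
IP_UPLOAD_METHODS = {"dot1x"}
# Assumed: only lan-access users (for example 802.1X users) are LAN users.
LAN_SERVICE_TYPES = {"lan-access"}

Location = Tuple[int, int, int]  # (slot, subslot, port), numbers only


@dataclass
class BindAttributes:
    """Bindings configured under a local user (None = not configured)."""
    ip: Optional[str] = None
    location: Optional[Location] = None
    mac: Optional[str] = None        # H-H-H format, e.g. 0001-0002-0003
    vlan: Optional[int] = None       # 1-4094


@dataclass
class Session:
    """What the access request presents (constructed for the example)."""
    service_type: str                # e.g. "lan-access", "telnet", "ftp"
    auth_method: str                 # e.g. "dot1x", "mac-auth", "login"
    ip: Optional[str] = None
    location: Optional[Location] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Canonicalise H-H-H notation so 1-2-3 and 0001-0002-0003 compare equal."""
    if mac is None:
        return None
    parts = mac.lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"MAC {mac!r} is not in H-H-H format")
    out = []
    for h in parts:
        if not (1 <= len(h) <= 4) or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"MAC {mac!r} is not in H-H-H format")
        out.append(h.zfill(4))
    return "-".join(out)


def validate_location(loc: Location) -> Location:
    """Ranges from the page: slot 0-1024, subslot 0-15, port 0-255."""
    slot, subslot, port = loc
    if not (0 <= slot <= 1024 and 0 <= subslot <= 15 and 0 <= port <= 255):
        raise ValueError(f"port binding {loc} out of range")
    return loc


def check_bind_attributes(bound: BindAttributes, sess: Session) -> Tuple[bool, str]:
    """Return (passed, reason).  Any configured binding that cannot be matched
    makes local authentication fail, whatever the user's service type."""
    if bound.ip is not None:
        if sess.auth_method not in IP_UPLOAD_METHODS:
            return False, "ip binding set but the authentication method does not upload the client IP"
        if sess.ip != bound.ip:
            return False, f"ip mismatch: bound {bound.ip}, presented {sess.ip}"
    if bound.mac is not None:
        if sess.service_type not in LAN_SERVICE_TYPES:
            return False, "mac binding set but the user is not a LAN-access user"
        if normalize_mac(sess.mac) != normalize_mac(bound.mac):
            return False, f"mac mismatch: bound {bound.mac}, presented {sess.mac}"
    if bound.location is not None:
        if sess.location != validate_location(bound.location):
            return False, f"port mismatch: bound {bound.location}, presented {sess.location}"
    if bound.vlan is not None:
        if not 1 <= bound.vlan <= 4094:
            raise ValueError(f"VLAN {bound.vlan} out of range 1-4094")
        if sess.vlan != bound.vlan:
            return False, f"vlan mismatch: bound {bound.vlan}, presented {sess.vlan}"
    return True, "all configured binding attributes matched"


if __name__ == "__main__":
    abc = BindAttributes(ip="3.3.3.3")  # the page's own example for user abc
    print(check_bind_attributes(abc, Session("lan-access", "dot1x", ip="3.3.3.3")))
    print(check_bind_attributes(abc, Session("lan-access", "mac-auth", ip="3.3.3.3")))
```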

cut connection

Syntax

cut connection { all | domain isp-name | ucibindex ucib-index | user-name user-name }

View

System view

Default Level

2: System level

Parameters

all: Specifies all user connections.

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.

ucibindex ucib-index: Specifies a user connection by connection index. The value ranges from 0 to 4294967295.

user-name user-name: Specifies a user connection by username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. The system assumes that a username entered contains the domain name.

Description

Use the cut connection command to tear down the specified connections forcibly.

At present, this command applies to only LAN access and PPP user connections.

Related commands: display connection and service-type.

Examples

# Tear down all connections in ISP domain test.

<Sysname> system-view

[Sysname] cut connection domain test

display connection

Syntax

display connection [ domain isp-name | ucibindex ucib-index | user-name user-name ]

View

Any view

Default Level

1: Monitor level

Parameters

domain isp-name: Specifies all user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.

ucibindex ucib-index: Specifies all user connections using the specified connection index. The value ranges from 0 to 4294967295.

user-name user-name: Specifies all user connections using the specified username. The user-name argument is a case-sensitive string of 1 to 80 characters and must contain the domain name. The system assumes that a username entered contains the domain name.

Description

Use the display connection command to display information about specified or all AAA user connections.

With no parameter specified, the command displays brief information about all AAA user connections.

If you specify the ucibindex ucib-index combination, the command displays detailed information; otherwise, the command displays brief information.

This command does not apply to FTP user connections.

Related commands: cut connection.

Examples

# Display information about all AAA user connections.

<Sysname> display connection

 

Index=1   ,Username=telnet@system

IP=10.0.0.1

 Total 1 connection(s) matched.

Table 1-1 display connection command output description

Field                           | Description
--------------------------------|---------------------------------------------------------
Index                           | Index number
Username                        | Username of the connection, in the format username@domain
IP                              | IP address of the user
Total 1 connection(s) matched.  | Total number of user connections

display domain

Syntax

display domain [ isp-name ]

View

Any view

Default Level

1: Monitor level

Parameters

isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.

Description

Use the display domain command to display the configuration information of a specified ISP domain or all ISP domains.

Related commands: access-limit enable, domain, and state.

Examples

# Display the configuration information of all ISP domains.

<Sysname> display domain

0  Domain : system

   State :  Active

   Access-limit :  Disabled

   Accounting method : Required

   Default authentication scheme      : local

   Default authorization scheme       : local

   Default accounting scheme          : local

   Domain User Template:

   Idle-cut : Disabled

   Self-service : Disabled

   Authorization attributes :

 

1  Domain : test

   State : Active

   Access-limit : Disable

   Accounting method : Required

   Default authentication scheme      : local

   Default authorization scheme       : local

   Default accounting scheme          : local

   Domain User Template:

   Idle-cut : Disabled

   Self-service : Disabled

   Authorization attributes :

Default Domain Name: system

Total 2 domain(s).

Table 1-2 display domain command output description

Field                 | Description
----------------------|--------------------------------------------------
Domain                | Domain name
State                 | Status of the domain (active or block)
Access-limit          | Limit on the number of accessing users (disabled)
Accounting method     | Accounting method (either required or optional)
Domain User Template  | Template for users in the domain
Idle-cut              | Whether idle cut is enabled
Self-service          | Whether self service is enabled

display local-user

Syntax

display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

View

Any view

Default Level

1: Monitor level

Parameters

idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.

service-type: Specifies the local users of a type.

• ftp refers to users using FTP;

• lan-access refers to users accessing the network through an Ethernet, such as 802.1X users;

• ppp refers to users using PPP;

• ssh refers to users using SSH;

• telnet refers to users using Telnet;

• terminal refers to users logging in through the console port or Asyn port.

state { active | block }: Specifies all local users in the active or blocked state. A local user in the active state can access network services, while a local user in the blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.

Description

Use the display local-user command to display information about specified or all local users.

Related commands: local-user.

Examples

# Display information about all local users.

<Sysname> display local-user

The contents of local user abc:

 State:                    Active

 ServiceType:              lan-access

 Idle-cut:                 Disable

 Access-limit:             Enable            Current AccessNum: 0

 Max AccessNum:                300

 Bind attributes:

  IP address:              1.2.3.4

  Bind location:           0/4/1 (SLOT/SUBSLOT/PORT)

  MAC address:             0001-0002-0003

  Vlan ID:                 100

 Authorization attributes:

  Idle TimeOut:            10(min)

  Work Directory:          flash:/

  User Privilege:          3

  Acl ID:                  2000

  Vlan ID:                 100

 Expiration date:          12:12:12-2018/09/16

Total 1 local user(s) matched.

Table 1-3 display local-user command output description

Field              | Description
-------------------|----------------------------------------------------------------------
State              | Status of the local user, active or block
ServiceType        | Service types that the user can use (ftp, lan-access, ppp, and telnet)
Idle-cut           | Whether idle cut is enabled
Access-limit       | Accessing user connection limit
Current AccessNum  | Number of users currently accessing network services
Max AccessNum      | Maximum number of users
Bind location      | Port the user is bound with
VLAN ID            | VLAN to which the user belongs
IP address         | IP address of the user
MAC address        | MAC address of the user
Work Directory     | Directory that the FTP/SFTP user can access

domain

Syntax

domain isp-name

undo domain isp-name

View

System view

Default Level

3: Manage level

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.

Description

Use the domain isp-name command to create an ISP domain and/or enter ISP domain view.

Use the domain default command to specify the default ISP domain and enter ISP domain view.

Use the undo domain command to remove an ISP domain.

By default, the system uses the ISP domain named system. You can view its settings by executing the display domain command.

If the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state after they are created.

The default domain cannot be deleted but can be changed. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain. For more information about the default ISP domain, see domain default enable.

Related commands: access-limit, state, and display domain.

Examples

# Create ISP domain test, and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

domain default enable

Syntax

domain default enable isp-name

undo domain default enable

View

System view

Default Level

3: Manage level

Parameters

isp-name: Name of the ISP domain, a string of 1 to 24 characters.

Description

Use the domain default enable command to manually configure the system default ISP domain.

Use the undo domain default enable command to restore the default.

By default, the default ISP domain is named system.

There can be only one default ISP domain.

The specified domain must exist before you can configure it as the default; otherwise, users without a domain name carried in the username will fail to be authenticated.

The default ISP domain configured cannot be deleted unless you cancel it as a default domain first.

Related commands: state and display domain.

Examples

# Create a new ISP domain named test, and configure it as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

expiration-date

Syntax

expiration-date time

undo expiration-date

View

Local user view

Default Level

3: Manage level

Parameters

time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 is equivalent to 02:02:00-2008/02/02.

Description

Use the expiration-date command to configure the expiration time of a local user.

Use the undo expiration-date command to remove the configuration.

By default, a local user has no expiration time and no time validity checking is performed.

When some users need to access the network temporarily, you can create a guest account and specify an expiration time for the account. When a user uses the guest account for local authentication and passes the authentication, the AP checks whether the current system time is within the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user.

If you change the system time manually or the system time is changed in any other way, the AP uses the new system time for time validity checking.

Examples

# Configure the expiration time of user abc to be 12:10:20 on May 31, 2008.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
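The time format and the validity check described above, as an added example that is not H3C code. It assumes that the expiration instant itself still counts as valid and takes the current system time as an argument, since the page says whatever the system time is at check time is used.

```python
"""Added example (not H3C code): parse the expiration-date time format
described above (HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD, leading zeros
optional) and apply the check the page describes: after a guest account
passes local authentication, access is granted only while the current
system time has not passed the expiration time."""
import calendar
from datetime import datetime
from typing import List, Optional, Tuple


def _fields(text: str, sep: str, count: int) -> List[int]:
    """Split on `sep` into exactly `count` numeric fields (leading zeros optional)."""
    parts = text.split(sep)
    if len(parts) != count or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected {count} numeric fields separated by {sep!r}: {text!r}")
    return [int(p) for p in parts]


def parse_expiration(text: str) -> datetime:
    """Accept both date orders: the year is 2000-2035, so a leading field of
    2000 or more must be YYYY/MM/DD, otherwise the order is MM/DD/YYYY."""
    if text.count("-") != 1:
        raise ValueError(f"expected HH:MM:SS-date, got {text!r}")
    time_part, date_part = text.split("-")
    hh, mm, ss = _fields(time_part, ":", 3)
    a, b, c = _fields(date_part, "/", 3)
    year, month, day = (a, b, c) if a >= 2000 else (c, a, b)
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError(f"time out of range in {text!r}")
    if not (2000 <= year <= 2035) or not (1 <= month <= 12):
        raise ValueError(f"year or month out of range in {text!r}")
    if not (1 <= day <= calendar.monthrange(year, month)[1]):
        raise ValueError(f"day out of range for {year}/{month} in {text!r}")
    return datetime(year, month, day, hh, mm, ss)


def access_allowed(expiration: Optional[str], now: datetime) -> Tuple[bool, str]:
    """Decide after a successful local authentication.  No expiration means
    no validity check at all.  `now` is passed in explicitly because the page
    notes that any change to the system time is used as-is for the check."""
    if expiration is None:
        return True, "no expiration configured, no time validity check"
    limit = parse_expiration(expiration)
    if now <= limit:  # assumed: the expiration instant itself is still valid
        return True, f"within validity, expires {limit:%Y-%m-%d %H:%M:%S}"
    return False, f"expired at {limit:%Y-%m-%d %H:%M:%S}, now {now:%Y-%m-%d %H:%M:%S}"


if __name__ == "__main__":
    # The page's own example value for user abc, checked at two constructed times.
    print(access_allowed("12:10:20-2008/05/31", datetime(2008, 5, 31, 12, 0, 0)))
    print(access_allowed("12:10:20-2008/05/31", datetime(2008, 6, 1, 0, 0, 0)))
```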

idle-cut enable

Syntax

idle-cut enable minute flow

undo idle-cut enable

View

ISP domain view

Default Level

2: System level

Parameters

minute: Maximum idle duration allowed, in the range 1 to 120 minutes.

flow: User idle threshold, in the range 1 to 10240000 bytes.

Description

Use the idle-cut enable command to enable the idle cut function and set the relevant parameter. With the idle cut function enabled for a domain, the system will log out any user in the domain whose traffic is less than the specified user idle threshold during the maximum idle duration.

Use the undo idle-cut enable command to restore the default.

By default, the function is disabled.

You can also set the maximum idle duration parameter on the server. In this case, if you enable the idle cut function and set the relevant parameters on the AP, the settings on the AP will take effect; if you disable the function on the AP, the setting of the maximum idle duration parameter on the server will take effect.

The user idle threshold parameter can only be set on the AP. The server always assigns a user idle threshold of 10240 bytes to a user.

Related commands: domain.

Examples

# Enable the idle cut function for ISP domain test, setting the maximum idle duration to 50 minutes and the user idle threshold to 1024 bytes.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] idle-cut enable 50 1024
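The precedence between AP and server settings and the log-out decision described above, as an added example that is not H3C code. The traffic samples are constructed, and the 10240-byte server threshold is the value the page gives.

```python
"""Added example (not H3C code): apply the idle-cut rules from the idle-cut
enable command.  The AP's own setting (minute, flow) wins when the function
is enabled on the AP; when it is disabled on the AP, the server's maximum
idle duration is used together with the fixed 10240-byte threshold the page
says the server always assigns.  A user is logged out when the traffic seen
during the last `minute` minutes is below `flow` bytes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER_FLOW_BYTES = 10240  # from the page: the server always assigns this threshold


@dataclass(frozen=True)
class IdleCut:
    minute: int  # maximum idle duration, 1-120 minutes
    flow: int    # user idle threshold, 1-10240000 bytes

    def __post_init__(self) -> None:
        if not 1 <= self.minute <= 120:
            raise ValueError(f"minute {self.minute} out of range 1-120")
        if not 1 <= self.flow <= 10240000:
            raise ValueError(f"flow {self.flow} out of range 1-10240000")


def effective_idle_cut(ap: Optional[IdleCut], server_minute: Optional[int]) -> Optional[IdleCut]:
    """Resolve the precedence described on the page.  None means no idle cut."""
    if ap is not None:
        return ap  # enabled on the AP: the AP settings take effect
    if server_minute is not None:
        return IdleCut(server_minute, SERVER_FLOW_BYTES)  # server duration, fixed threshold
    return None


def traffic_in_window(samples: List[Tuple[float, int]], now: float, minute: int) -> int:
    """Sum the bytes of (timestamp_seconds, bytes) samples in the last `minute` minutes."""
    start = now - minute * 60
    return sum(b for t, b in samples if start < t <= now)


def should_cut(setting: Optional[IdleCut], samples: List[Tuple[float, int]], now: float) -> bool:
    """True when the user must be logged out under `setting`."""
    if setting is None:
        return False
    return traffic_in_window(samples, now, setting.minute) < setting.flow


if __name__ == "__main__":
    # Constructed samples for one user in domain test (page example: 50 min, 1024 bytes).
    cfg = effective_idle_cut(IdleCut(50, 1024), server_minute=30)
    samples = [(100.0, 600), (1200.0, 300)]      # 900 bytes within the 50-minute window
    print(should_cut(cfg, samples, now=3000.0))  # 900 < 1024, so the user is logged out
```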

ip pool

Syntax

ip pool pool-number low-ip-address [ high-ip-address ]

undo ip pool pool-number

View

System view, ISP domain view

Default Level

2: System level

Parameters

pool-number: Address pool number, in the range 0 to 99.

low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there will be only one IP address in the pool, namely the start IP address.

Description

Use the ip pool command to configure an address pool for assigning addresses to PPP users.

Use the undo ip pool command to delete an address pool.

By default, no IP address pool is configured for PPP users.

• Configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.

• You can also configure an IP address pool in ISP domain view for assigning IP addresses to the PPP users in the ISP domain. This applies to the scenario where an interface serves a large number of PPP users but the address resources are inadequate. For example, an Ethernet interface running PPPoE can accommodate up to 4096 users. However, only one address pool with up to 1024 addresses can be configured on its virtual template (VT), which is far from what is required. To address the issue, you can configure address pools for ISP domains and assign addresses from them to the PPP users by domain.

Related commands: remote address (PPP in the Layer 2 – WAN Command Reference).

Examples

# Configure the IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.10

local-user

Syntax

local-user user-name

undo local-user { user-name | all [ service-type { ftp | lan-access | ppp | ssh | telnet | terminal } ] }

View

System view

Default Level

3: Manage level

Parameters

user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical line (|), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @ sign, and cannot be a, al, or all.

all: Specifies all users.

service-type: Specifies the users of a type.

• ftp refers to users using FTP.

• lan-access refers to users accessing the network through an Ethernet, such as 802.1X users.

• ppp refers to users using PPP.

• ssh refers to users using SSH.

• telnet refers to users using Telnet.

• terminal refers to users logging in through the console port or Asyn port.

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to remove the specified local users.

By default, no local user is configured.

Related commands: display local-user and service-type.

Examples

# Add a local user named user1.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1]
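The naming rules for ISP domains (domain command) and local users (local-user command), together with the default-domain resolution that cut connection, display connection and domain default enable describe, as an added example that is not H3C code. The domain set and usernames in the tests are constructed.

```python
"""Added example (not H3C code): validate names under the rules the page
gives for ISP domains and local users, and resolve an entered username of
the form user@domain the way the page describes: a name without a domain
part belongs to the default ISP domain, and a user whose domain (or whose
default domain) does not exist cannot be authenticated."""
from typing import Optional, Set, Tuple

DOMAIN_FORBIDDEN = set("/:*?<>@")      # domain command: characters not allowed
USER_FORBIDDEN = set("\\/|:*?<>@")     # local-user command: characters not allowed
RESERVED_USER_NAMES = {"a", "al", "all"}


def validate_isp_domain_name(name: str) -> str:
    """1 to 24 characters, case-insensitive.  Returns the lower-cased form so
    two spellings of one domain compare equal."""
    if not 1 <= len(name) <= 24:
        raise ValueError(f"domain name {name!r} must be 1 to 24 characters")
    bad = sorted(set(name) & DOMAIN_FORBIDDEN)
    if bad:
        raise ValueError(f"domain name {name!r} contains {bad}")
    return name.lower()


def validate_local_user_name(name: str) -> str:
    """1 to 55 characters, case-sensitive, no forbidden characters, and not
    one of the reserved names a, al or all."""
    if not 1 <= len(name) <= 55:
        raise ValueError(f"user name {name!r} must be 1 to 55 characters")
    bad = sorted(set(name) & USER_FORBIDDEN)
    if bad:
        raise ValueError(f"user name {name!r} contains {bad}")
    if name in RESERVED_USER_NAMES:
        raise ValueError(f"user name {name!r} is reserved")
    return name


def resolve_user(entered: str, domains: Set[str],
                 default_domain: Optional[str]) -> Tuple[str, Optional[str]]:
    """Split an entered username into (user, domain).  '@' is not allowed in a
    local user name, so the first '@' is the separator.  The returned domain
    is None when the named domain, or the default domain for a name without a
    domain part, does not exist: the case in which authentication fails."""
    if not 1 <= len(entered) <= 80:  # cut/display connection accept 1 to 80 characters
        raise ValueError("username with domain must be 1 to 80 characters")
    known = {validate_isp_domain_name(d) for d in domains}
    if "@" in entered:
        user, domain = entered.split("@", 1)
    else:
        user, domain = entered, default_domain
    validate_local_user_name(user)
    domain = domain.lower() if domain else None
    return user, (domain if domain in known else None)


if __name__ == "__main__":
    domains = {"system", "test"}  # constructed set of existing ISP domains
    print(resolve_user("telnet@system", domains, "system"))  # the page's display connection entry
    print(resolve_user("bob", domains, "test"))              # no domain part: default domain
    print(resolve_user("bob@nope", domains, "system"))       # unknown domain: cannot authenticate
```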

local-user password-display-mode

Syntax

local-user password-display-mode { auto | cipher-force }

undo local-user password-display-mode

View

System view

Default Level

2: System level

Parameters

auto: Displays the password of a user in the form (simple or cipher text) configured for that user with the password command.

cipher-force: Displays the passwords of all users in cipher text.

Description

Use the local-user password-display-mode command to set the password display mode for all local users.

Use the undo local-user password-display-mode command to restore the default.

The default mode is auto.

With the cipher-force mode configured:

• A local user password is always displayed in cipher text, regardless of the configuration of the password command.

• If you use the save command to save the configuration, all existing local user passwords will still be displayed in cipher text after the AP restarts, even if you restore the display mode to auto.

Related commands: display local-user and password.

Examples

# Specify to display the passwords of all users in cipher text.

<Sysname> system-view

[Sysname] local-user password-display-mode cipher-force

nas-id bind vlan

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

View

NAS ID profile view

Default Level

2: System level

Parameters

nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.

vlan-id: ID of the VLAN to be bound with the NAS ID, in the range 1 to 4094.

Description

Use the nas-id bind vlan command to bind a NAS ID with a VLAN.

Use the undo nas-id bind vlan command to remove a NAS ID-VLAN binding.

By default, no NAS ID-VLAN binding exists.

In NAS ID profile view, you can bind a NAS ID with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect.

Related commands: aaa nas-id profile.

Examples

# Bind NAS ID 222 with VLAN 2.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

password

Syntax

password { cipher | simple } password

undo password

View

Local user view

Default Level

2: System level

Parameters

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in simple text.

password: Password for the local user.

• In simple text, it must be a string of 1 to 63 characters that contains no blank space, for example, aabbcc.

• In cipher text, it must be a string of 24 or 88 characters, for example, (TT8F]Y\5SQ=^Q`MAF4<1!!.

• With the simple keyword, you must specify the password in simple text. With the cipher keyword, you can specify the password in either simple or cipher text.

Description

Use the password command to configure a password for a local user.

Use the undo password command to delete the password of a local user.

With the local-user password-display-mode cipher-force command configured, the password is always displayed in cipher text, regardless of the configuration of the password command.

With the cipher keyword specified, a password of up to 16 characters in plain text will be encrypted into a password of 24 characters in cipher text, and a password of 16 to 63 characters in plain text will be encrypted into a password of 88 characters in cipher text. For a password of 24 characters, if the system can decrypt the password, the system treats it as a password in cipher text. Otherwise, the system treats it as a password in plain text.

Related commands: display local-user.

Examples

# Set the password of user1 to 1234567890 and specify to display the password in plain text.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] password simple 1234567890

self-service-url enable

Syntax

self-service-url enable url-string

undo self-service-url enable

View

ISP domain view

Default Level

2: System level

Parameters

url-string: URL of the self-service server for changing user password, a string of 1 to 64 characters that starts with http:// and cannot contain any question mark.

Description

Use the self-service-url enable command to enable the self-service server localization function and specify the URL of the self-service server for changing user password.

Use the undo self-service-url enable command to disable the self-service server localization function.

By default, the function is disabled.

A self-service RADIUS server, for example, CAMS or iMC, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server.

After you configure the self-service-url enable command, a user can locate the self-service server by selecting [Service/Change Password] from the 802.1X client. The client software automatically launches the default browser, IE or Netscape, and opens the URL page of the self-service server for changing the user password. A user can change his or her password through the page.

Only authenticated users can select [Service/Change Password] from the 802.1X client. The option is gray and unavailable for unauthenticated users.

Examples

# Enable the self-service server localization function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName for the default ISP domain system.

<Sysname> system-view

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

service-type

Syntax

service-type { ftp | lan-access | { ssh | telnet | terminal } * | ppp }

undo service-type { ftp | lan-access | { ssh | telnet | terminal } * | ppp }

View

Local user view

Default Level

3: Manage level

Parameters

ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default.

lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service, allowing the user to log in through the console port or Asyn port.

ppp: Authorizes the user to use the PPP service.

Description

Use the service-type command to specify the service types that a user can use.

Use the undo service-type command to delete one or all service types configured for a user.

By default, a user is authorized with no service.

Examples

# Authorize user user1 to use the Telnet service.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] service-type telnet

state

Syntax

state { active | block }

undo state

View

ISP domain view, local user view

Default Level

2: System level

Parameters

active: Places the current ISP domain or local user in the active state, allowing the users in the current ISP domain or the current local user to request network services.

block: Places the current ISP domain or local user in the blocked state, preventing users in the current ISP domain or the current local user from requesting network services.

Description

Use the state command to configure the status of the current ISP domain or local user.

Use the undo state command to restore the default.

By default, an ISP domain is active when created. So is a local user.

By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. Note that the online users are not affected.

By blocking a user, you disable the user from requesting network services. No other users are affected.

Related commands: domain.

Examples

# Place ISP domain test in the blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

# Place local user user1 in the blocked state.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] state block

RADIUS Configuration Commands

accounting-on enable

Syntax

accounting-on enable

undo accounting-on enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the accounting-on enable command to enable the accounting-on function. After doing so, when the AP reboots, an accounting-on message will be sent to the RADIUS server to force the users of the AP to log out.

Use the undo accounting-on enable command to disable the accounting-on function.

By default, the accounting-on function is disabled.

Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable send.

When you execute the accounting-on enable command, if the system has no authentication scheme enabled with the accounting-on function, you need to save the configuration and restart the AP so that the command takes effect. Otherwise, the command takes effect immediately.

Related commands: radius scheme.

Examples

# Enable the accounting-on function for RADIUS authentication scheme rd.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable

accounting-on enable interval

Syntax

accounting-on enable interval seconds

undo accounting-on interval

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: Time interval to retransmit accounting-on packet in seconds, ranging from 1 to 15.

Description

Use the accounting-on enable interval command to configure the retransmission interval of accounting-on packets.

Use the undo accounting-on enable interval command to restore the default.

By default, the retransmission interval of accounting-on packets is 3 seconds.

Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable. That is, execution of the undo accounting-on enable interval command will not disable the accounting-on function.

The retransmission interval configured with this command takes effect immediately.

Related commands: radius scheme and accounting-on enable.

Examples

# In RADIUS scheme rd, set the retransmission interval of accounting-on packet to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable interval 5

accounting-on enable send

Syntax

accounting-on enable send send-times

undo accounting-on send

View

RADIUS scheme view

Default Level

2: System level

Parameters

send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255.

Description

Use the accounting-on enable send command to set the maximum number of accounting-on packet transmission attempts.

Use the undo accounting-on enable send command to restore the default.

By default, the maximum number of accounting-on packet transmission attempts is 5.

Execution of this command does not affect the results of other accounting-on related commands such as accounting-on enable. That is, execution of the undo accounting-on enable send command will not disable the accounting-on function.

The maximum number of accounting-on packet transmission attempts configured with this command takes effect immediately.

Related commands: radius scheme and accounting-on enable.

Examples

# In RADIUS scheme rd, set the maximum number of accounting-on packet transmission attempts to 10.

<Sysname> system-view

[Sysname] radius scheme rd

[Sysname-radius-rd] accounting-on enable send 10

attribute 25 car

Syntax

attribute 25 car

undo attribute 25 car

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the attribute 25 car command to specify the scheme to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use the undo attribute 25 car command to restore the default.

By default, RADIUS attribute 25 is not interpreted as CAR parameters.

Related commands: display radius scheme and display connection.

Examples

# Specify to interpret RADIUS attribute 25 as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

data-flow-format (RADIUS scheme view)

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

View

RADIUS scheme view

Default Level

2: System level

Parameters

data: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Description

Use the data-flow-format command to specify the unit for data flows or packets to be sent to a RADIUS server.

Use the undo data-flow-format command to restore the default.

By default, the unit for data flows is byte and that for data packets is one-packet.

The specified unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of the RADIUS server. Otherwise, accounting cannot be performed correctly.

You can use this command to change the settings only when no user is using the RADIUS scheme.

Related commands: display radius scheme.

Examples

# Define RADIUS scheme radius1 to send data flows and packets destined for the RADIUS server in kilobytes and kilo-packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

display radius scheme

Syntax

display radius scheme [ radius-scheme-name ]

View

Any view

Default Level

2: System level

Parameters

radius-scheme-name: RADIUS scheme name, a string of 1 to 32 characters.

Description

Use the display radius scheme command to display the configuration information of a specified RADIUS scheme or all RADIUS schemes.

If no RADIUS scheme is specified, the command will display the configurations of all RADIUS schemes.

Related commands: radius scheme.

Examples

# Display the configurations of all RADIUS schemes.

<Sysname> display radius scheme

------------------------------------------------------------------

SchemeName  : radius1

  Index : 0                           Type : extended

  Primary Auth Server:

    IP: 1.1.1.1                                  Port: 1812   State: block

  Primary Acct Server:

    IP: 1.1.1.1                                  Port: 1813   State: block

  Second Auth Server:

    IP: N/A                                      Port: 1812   State: block

  Second Acct Server:

    IP: N/A                                      Port: 1813   State: block

  Auth Server Encryption Key : 123

  Acct Server Encryption Key : Not configured

  Accounting-On packet disable, send times : 5 , interval : 3s

  Interval for timeout(second)                            : 3

  Retransmission times for timeout                        : 3

  Interval for realtime accounting(minute)                : 12

  Retransmission times of realtime-accounting packet      : 5

  Retransmission times of stop-accounting packet          : 500

  Quiet-interval(min)                                     : 5

  Username format                                         : without-domain

  Data flow unit                                          : Byte

  Packet unit                                             : one

  NAS-IP address                                          : 1.1.1.1

  Attribute 25                                            : car

------------------------------------------------------------------

Total 1 RADIUS scheme(s).

Table 1-4 display radius scheme command output description

Field                                              | Description
---------------------------------------------------|--------------------------------------------------------------------------
SchemeName                                         | Name of the RADIUS scheme
Index                                              | Index number of the RADIUS scheme
Type                                               | Type of the RADIUS server
IP                                                 | IP address of the server. N/A means not configured.
Port                                               | Service port of the server. If no port configuration is performed, the default port number is displayed.
State                                              | Status of the server, active or block.
Auth Server Encryption Key                         | Shared key of the authentication server
Acct Server Encryption Key                         | Shared key of the accounting server
Accounting-On packet disable                       | The accounting-on function is disabled
send times                                         | Retransmission times of accounting-on packets
interval                                           | Interval to retransmit accounting-on packets
Interval for timeout(second)                       | Timeout time in seconds
Retransmission times for timeout                   | Times of retransmission in case of timeout
Interval for realtime accounting(minute)           | Interval for realtime accounting in minutes
Retransmission times of realtime-accounting packet | Retransmission times of realtime-accounting packet
Retransmission times of stop-accounting packet     | Retransmission times of stop-accounting packet
Quiet-interval(min)                                | Quiet interval for the primary server
Username format                                    | Format of the username
Data flow unit                                     | Unit of data flows
Packet unit                                        | Unit of packets
NAS-IP address                                     | Source IP address for RADIUS packets to be sent
Backup-NAS-IP address                              | Backup source IP address for RADIUS packets to be sent. Support for this output information depends on the AP model.
Attribute 25                                       | Interprets RADIUS attribute 25 as the CAR parameters.

display radius statistics

Syntax

display radius statistics

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display radius statistics command to display statistics about RADIUS packets.

Related commands: radius scheme.

Examples

# Display statistics about RADIUS packets.

<Sysname> display radius statistics

state statistic(total=128):

     DEAD = 128     AuthProc = 0        AuthSucc = 0

AcctStart = 0         RLTSend = 0         RLTWait = 0

 AcctStop = 0          OnLine = 0            Stop = 0

Received and Sent packets statistic:

Sent PKT total   = 1547     Received PKT total = 23

Resend Times     Resend total

1                508

2                508

Total            1016

RADIUS received packets statistic:

Code =  2   Num = 15       Err = 0

Code =  3   Num = 4        Err = 0

Code =  5   Num = 4        Err = 0

Code = 11   Num = 0        Err = 0

Running statistic:

RADIUS received messages statistic:

Normal auth request      Num = 24       Err = 0        Succ = 24

EAP auth request         Num = 0        Err = 0        Succ = 0

Account request          Num = 4        Err = 0        Succ = 4

Account off request      Num = 503      Err = 0        Succ = 503

PKT auth timeout         Num = 15       Err = 5        Succ = 10

PKT acct_timeout         Num = 1509     Err = 503      Succ = 1006

Realtime Account timer   Num = 0        Err = 0        Succ = 0

PKT response             Num = 23       Err = 0        Succ = 23

Session ctrl pkt         Num = 0        Err = 0        Succ = 0

Normal author request    Num = 0        Err = 0        Succ = 0

Set policy result        Num = 0        Err = 0        Succ = 0

RADIUS sent messages statistic:

Auth accept              Num = 10

Auth reject              Num = 14

EAP auth replying        Num = 0

Account success          Num = 4

Account failure          Num = 3

Server ctrl req          Num = 0

RecError_MSG_sum = 0

SndMSG_Fail_sum  = 0

Timer_Err        = 0

Alloc_Mem_Err    = 0

State Mismatch   = 0

Other_Error      = 0

No-response-acct-stop packet = 1

Discarded No-response-acct-stop packet for buffer overflow = 0

Table 1-5 display radius statistics command output description

Field

Description

state statistic(total=2048)

state statistics

DEAD

Number of idle users

AuthProc

Number of users waiting for authentication

AuthSucc

Number of users who have passed authentication

AcctStart

Number of users for whom accounting has been started

RLTSend

Number of users for whom the system sends real-time accounting packets

RLTWait

Number of users waiting for real-time accounting

AcctStop

Number of users in the stop-accounting waiting state

OnLine

Number of online users

Stop

Number of users in the state of stop

Received and Sent packets statistic

Number of packets sent and received

Sent PKT total

Number of packets sent

Received PKT total

Number of packets received

Resend Times

Number of retransmission attempts

Resend total

Number of packets retransmitted

RADIUS received packets statistic

Statistics of packets received by RADIUS

Code

Packet type

Num

Total number of packets

Err

Number of error packets

Running statistic

RADIUS operation message statistics

RADIUS received messages statistic

Number of messages received by RADIUS

Normal auth request

Number of normal authentication requests

EAP auth request

Number of EAP authentication requests

Account request

Number of accounting requests

Account off request

Number of stop-accounting requests

PKT auth timeout

Number of authentication timeout messages

PKT acct_timeout

Number of accounting timeout messages

Realtime Account timer

Number of realtime accounting requests

PKT response

Number of responses

Session ctrl pkt

Number of session control messages

Normal author request

Number of normal authorization requests

Succ

Number of acknowledgement messages

Set policy result

Number of responses to the Set policy packets

RADIUS sent messages statistic

Number of messages that have been sent by RADIUS

Auth accept

Number of accepted authentication packets

Auth reject

Number of rejected authentication packets

EAP auth replying

Number of replying packets of EAP authentication

Account success

Number of accounting succeeded packets

Account failure

Number of accounting failed packets

Server ctrl req

Number of server control requests

RecError_MSG_sum

Number of received packets in error

SndMSG_Fail_sum

Number of packets that failed to be sent out

Timer_Err

Number of timer errors

Alloc_Mem_Err

Number of memory errors

State Mismatch

Number of errors for mismatching status

Other_Error

Number of errors of other types

No-response-acct-stop packet

Number of times that no response was received for stop-accounting packets

Discarded No-response-acct-stop packet for buffer overflow

Number of stop-accounting packets that were buffered but then discarded due to full memory
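The counters above are the first place to look when RADIUS-backed wireless authentication degrades, but reading them by hand on many APs does not scale. The following is an added example (not part of this H3C reference and not H3C code) that parses the text of display radius statistics into dictionaries and derives a few operational findings from it. The sample input is the output shown earlier on this page, re-typed here as a constant so the parser runs offline; the ratio thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample: the counter rows of the display radius statistics
# output shown on this page, re-typed here so the parser runs offline.
SAMPLE = """\
state statistic(total=128):
     DEAD = 128     AuthProc = 0        AuthSucc = 0
AcctStart = 0         RLTSend = 0         RLTWait = 0
 AcctStop = 0          OnLine = 0            Stop = 0
Received and Sent packets statistic:
Sent PKT total   = 1547     Received PKT total = 23
Resend Times     Resend total
1                508
2                508
Total            1016
RADIUS received packets statistic:
Code =  2   Num = 15       Err = 0
Code =  3   Num = 4        Err = 0
Code =  5   Num = 4        Err = 0
Code = 11   Num = 0        Err = 0
Running statistic:
RADIUS received messages statistic:
Normal auth request      Num = 24       Err = 0        Succ = 24
EAP auth request         Num = 0        Err = 0        Succ = 0
Account request          Num = 4        Err = 0        Succ = 4
Account off request      Num = 503      Err = 0        Succ = 503
PKT auth timeout         Num = 15       Err = 5        Succ = 10
PKT acct_timeout         Num = 1509     Err = 503      Succ = 1006
RADIUS sent messages statistic:
Auth accept              Num = 10
Auth reject              Num = 14
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
"""

# "Code = N  Num = X  Err = Y" rows (RADIUS packet codes, RFC 2865/2866).
CODE_RE = re.compile(r"^Code =\s*(\d+)\s+Num = (\d+)\s+Err = (\d+)$")
# "<message name>  Num = X [Err = Y] [Succ = Z]" rows.
ROW_RE = re.compile(r"^(.+?)\s+Num = (\d+)(?:\s+Err = (\d+))?(?:\s+Succ = (\d+))?$")
# Generic "name = value" pairs, several of which may share one line.
PAIR_RE = re.compile(r"([A-Za-z][\w -]*?)\s*=\s*(\d+)")


def parse_radius_statistics(text):
    """Parse the counter rows into {'codes', 'messages', 'counters'} dicts."""
    stats = {"codes": {}, "messages": {}, "counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # blank line or section heading
        m = CODE_RE.match(line)
        if m:
            stats["codes"][int(m[1])] = {"num": int(m[2]), "err": int(m[3])}
            continue
        m = ROW_RE.match(line)
        if m:
            row = {"num": int(m[2])}
            if m[3] is not None:
                row["err"] = int(m[3])
            if m[4] is not None:
                row["succ"] = int(m[4])
            stats["messages"][m[1].strip()] = row
            continue
        for name, value in PAIR_RE.findall(line):
            stats["counters"][name.strip()] = int(value)
    return stats


def health_findings(stats, max_timeout_ratio=0.10, max_reject_ratio=0.50):
    """Return (key, message) findings a defender would act on. Thresholds are
    illustrative assumptions, not values from the reference."""
    msgs, ctr, findings = stats["messages"], stats["counters"], []
    num = lambda name: msgs.get(name, {}).get("num", 0)

    auth_req = num("Normal auth request") + num("EAP auth request")
    auth_to = num("PKT auth timeout")
    if auth_req and auth_to / auth_req > max_timeout_ratio:
        findings.append(("auth-timeouts",
                         f"{auth_to} of {auth_req} auth requests timed out: "
                         "check server reachability and the shared key"))

    accepted, rejected = num("Auth accept"), num("Auth reject")
    if (accepted + rejected) and rejected / (accepted + rejected) > max_reject_ratio:
        findings.append(("auth-rejects",
                         f"{rejected} rejects vs {accepted} accepts: "
                         "look for credential failures or a misconfigured client"))

    acct_req = num("Account request") + num("Account off request")
    acct_to = num("PKT acct_timeout")
    if acct_req and acct_to / acct_req > max_timeout_ratio:
        findings.append(("acct-timeouts",
                         f"{acct_to} accounting timeouts for {acct_req} requests: "
                         "accounting server is not answering"))

    lost = ctr.get("Discarded No-response-acct-stop packet for buffer overflow", 0)
    if lost:
        findings.append(("lost-stop-records",
                         f"{lost} stop-accounting records discarded: "
                         "sessions may remain open on the server"))
    return findings


if __name__ == "__main__":
    for key, msg in health_findings(parse_radius_statistics(SAMPLE)):
        print(f"{key}: {msg}")
```

On the page's own sample the parser reports authentication timeouts, a high reject ratio, and accounting timeouts; the buffer-overflow counter is zero, so no stop-accounting records were lost. Timeouts rather than rejects are the symptom to expect when the shared key on the AP and server differ, because the AP drops replies whose authenticator does not verify.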

 

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, which is a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The ID is a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by the user name, which is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must match that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.

Description

Use the display stop-accounting-buffer command to display information about the stop-accounting requests buffered in the AP by scheme, session ID, time range, user name, or slot.

If the AP receives no response after sending a stop-accounting request to a RADIUS server, it buffers the request and retransmits it. You can use the retry stop-accounting command to set the maximum number of transmission attempts.

Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format, and retry stop-accounting.

Examples

# Display information about the buffered stop-accounting requests from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

Total find    0 records (0)

key (RADIUS scheme view)

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS scheme view

Default Level

2: System level

Parameters

accounting: Sets the shared key for RADIUS accounting packets.

authentication: Sets the shared key for RADIUS authentication/authorization packets.

string: Shared key, a case-sensitive string of 1 to 64 characters.

Description

Use the key command to set the shared key for RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default.

By default, no shared key is configured.

You must ensure that the same shared key is set on the AP and the RADIUS server.

You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: display radius scheme.

Examples

# Set the shared key for authentication/authorization packets to hello for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key authentication hello

# Set the shared key for accounting packets to ok for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting ok
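The shared key never travels over the wire: it is mixed into the MD5 authenticator that the server puts in every reply (RFC 2865) and that the client puts in every Accounting-Request (RFC 2866), which is why the page insists the AP and the server hold the same key. The following added example (not H3C code and not part of this reference) builds a minimal Access-Request, lets a simulated server sign its Access-Accept, and shows that the client only accepts the reply when both sides use the same key. The key "hello" and user name "user0001@test" come from the page's examples; the fixed request authenticator is an assumption for repeatability, a real client must draw it from a CSPRNG.

```python
import hashlib
import hmac
import struct

# Constructed example values (not from a live exchange). The key matches the
# page's "key authentication hello" example; the request authenticator is
# fixed here only so the example is repeatable.
SHARED_KEY = b"hello"
REQUEST_AUTH = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, NAS_IP_ADDRESS = 1, 4  # attribute types from RFC 2865


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    """Assemble Code, Identifier, Length, Authenticator, Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def accounting_request_authenticator(ident, attrs, secret):
    """RFC 2866 section 3: same construction, with 16 zero octets in place of
    the request authenticator. This is what the accounting key protects."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def verify_response(reply, request_auth, secret):
    """Client-side check. A reply whose authenticator does not verify is
    silently dropped, so a key mismatch shows up as a timeout, not a reject."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def exchange(client_key, server_key):
    """One Access-Request / Access-Accept round trip; returns whether the
    client accepts the reply."""
    ident = 7
    req_attrs = attr(USER_NAME, b"user0001@test") + attr(NAS_IP_ADDRESS, bytes([10, 1, 1, 1]))
    request = packet(ACCESS_REQUEST, ident, REQUEST_AUTH, req_attrs)

    # Server side: sign the reply under the key the server has configured.
    req_auth = request[4:20]
    reply_attrs = b""
    signature = response_authenticator(ACCESS_ACCEPT, ident, reply_attrs, req_auth, server_key)
    reply = packet(ACCESS_ACCEPT, ident, signature, reply_attrs)

    # Client side: verify under the key configured with "key authentication".
    return verify_response(reply, REQUEST_AUTH, client_key)


def demo():
    """(accepted with matching keys, accepted with mismatched keys)."""
    return exchange(SHARED_KEY, SHARED_KEY), exchange(SHARED_KEY, b"wrong-key")


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the check is a keyed MD5 over the whole reply, a short or guessable key (the "123" shown in the display radius scheme output above) weakens the only integrity protection RADIUS offers for replies; the page allows up to 64 characters, and using that room costs nothing.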

nas-ip (RADIUS scheme view)

Syntax

nas-ip { ip-address | ipv6 ipv6-address }

undo nas-ip

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address in dotted decimal notation. It must be an address of the AP and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the AP and must be a unicast address that is neither a loopback one nor a link-local one.

Description

Use the nas-ip command to specify source IP address of RADIUS packets to be sent to the server.

Use the undo nas-ip command to restore the default.

By default, the source IP address of a packet sent to the server is that configured with the radius nas-ip command in system view.

Specifying a source address for the RADIUS packets to be sent to the server can avoid the situation where the packets sent back by the RADIUS server cannot reach the AP due to physical interface failure. The address of a loopback interface is recommended.

The nas-ip command in RADIUS scheme view applies to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. However, the nas-ip command takes precedence over the radius nas-ip command.

The source IP address specified for RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration will not take effect.

You can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: radius nas-ip.

Examples

# Set the source IP address of the RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] nas-ip 10.1.1.1

primary accounting (RADIUS scheme view)

Syntax

primary accounting { ip-address | ipv6 ipv6-address } [ port-number ]

undo primary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the primary accounting server.

ipv6 ipv6-address: IPv6 address of the primary accounting server.

port-number: UDP port number of the primary accounting server, which ranges from 1 to 65535 and defaults to 1813.

Description

Use the primary accounting command to specify the primary RADIUS accounting server.

Use the undo primary accounting command to remove the configuration.

By default, no primary RADIUS accounting server is specified.

The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

The RADIUS service port configured on the AP and that of the RADIUS server must be consistent.

The IP addresses of the primary and secondary accounting servers must be of the same IP version.

The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.

You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the primary accounting server for RADIUS scheme radius1 to 10.110.1.2 and the UDP port of the server to 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

primary authentication (RADIUS scheme view)

Syntax

primary authentication { ip-address | ipv6 ipv6-address } [ port-number ]

undo primary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the primary authentication/authorization server.

ipv6 ipv6-address: IPv6 address of the primary authentication/authorization server.

port-number: UDP port number of the primary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

Description

Use the primary authentication command to specify the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to remove the configuration.

By default, no primary RADIUS authentication/authorization server is specified.

After creating a RADIUS scheme, you are supposed to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). Ensure that at least one authentication/authorization server and one accounting server are configured, and that the RADIUS service port settings on the AP are consistent with the port settings on the RADIUS servers.

The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

The IP addresses of the primary and secondary authentication/authorization servers must be of the same IP version.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.

You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the primary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.1 and the UDP port of the server to 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

radius client

Syntax

radius client enable

undo radius client

View

System view

Default Level

2: System level

Parameters

None

Description

Use the radius client enable command to enable the listening port of the RADIUS client.

Use the undo radius client command to disable the listening port of the RADIUS client.

By default, the listening port is enabled.

When the listening port of the RADIUS client is disabled:

- The RADIUS client can still accept authentication, authorization, or accounting requests and process timer messages, but it cannot send packets to or receive packets from the RADIUS server.

- The stop-accounting packets of online users can be neither sent out nor buffered, so the RADIUS server may keep a user's record for some time after the user has gone offline.

- If both a RADIUS scheme and the local authentication, authorization, and accounting scheme are configured, authentication, authorization, and accounting fall back to the local scheme after the RADIUS request fails.

- Buffered accounting packets cannot be sent out and are deleted from the buffer when the configured maximum number of attempts is reached.

Examples

# Enable the listening port of the RADIUS client.

<Sysname> system-view

[Sysname] radius client enable

radius nas-ip

Syntax

radius nas-ip { ip-address | ipv6 ipv6-address }

undo radius nas-ip

View

System view

Default Level

2: System level

Parameters

ip-address: IPv4 address in dotted decimal notation. It must be an address of the AP and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the AP and must be a unicast address that is neither a loopback one nor a link-local one.

Description

Use the radius nas-ip command to specify the source IP address of the RADIUS packets to be sent to the server.

Use the undo radius nas-ip command to remove the configuration.

By default, the source IP address of a packet sent to the server is the IP address of the outbound port.

Specifying a source address for the RADIUS packets to be sent to the server can avoid the situation where the packets sent back by the RADIUS server cannot reach the AP as the result of physical interface failure.

If you configure the command for more than one time, the last configuration takes effect.

The nas-ip command in RADIUS scheme view applies to the current RADIUS scheme, while the radius nas-ip command in system view applies to all RADIUS schemes. However, the nas-ip command takes precedence over the radius nas-ip command.

The source IP address specified for RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS schemes that use the specified source IP address. Otherwise, the source IP address configuration will not take effect.

Related commands: nas-ip.

Examples

# Set the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1
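The address rules for nas-ip (RADIUS scheme view) and radius nas-ip (system view) are the same, and both commands share the precedence and IP-version rules described above. The following added example (not H3C code and not part of this reference) encodes those rules with Python's ipaddress module so a configuration-review script can reject a bad source address before it is pushed to an AP. The AP address set and the server addresses are constructed for the example.

```python
import ipaddress

# Constructed for the example: addresses assumed to be configured on the AP's
# interfaces (including a LoopBack interface) and the servers of one scheme.
AP_ADDRESSES = {"10.1.1.1", "129.10.10.1", "2001:db8::10"}
SCHEME_SERVERS = ["10.110.1.1", "10.110.1.2"]


def nas_ip_problem(candidate, ap_addresses=AP_ADDRESSES):
    """Return None when candidate satisfies the nas-ip / radius nas-ip rules on
    this page, otherwise a short reason. Form checks run before the check that
    the address actually belongs to the AP."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return "not an IP address"
    if ip.version == 4:
        if ip.is_unspecified:                           # 0.0.0.0
            return "unspecified"
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            return "broadcast"
        if ip.is_loopback:                              # 127.0.0.0/8
            return "loopback"
        if ip.is_multicast:                             # class D, 224.0.0.0/4
            return "class D"
        if ip in ipaddress.IPv4Network("240.0.0.0/4"):  # class E
            return "class E"
    else:
        if ip.is_unspecified or ip.is_multicast:        # must be unicast
            return "not unicast"
        if ip.is_loopback:                              # ::1
            return "loopback"
        if ip.is_link_local:                            # fe80::/10
            return "link-local"
    if ip not in {ipaddress.ip_address(a) for a in ap_addresses}:
        return "not an AP address"
    return None


def same_ip_version(source_ip, server_ips):
    """The source address only takes effect when it has the same IP version
    as the RADIUS servers in the scheme."""
    version = ipaddress.ip_address(source_ip).version
    return all(ipaddress.ip_address(s).version == version for s in server_ips)


def effective_source(scheme_nas_ip, global_nas_ip, outbound_ip):
    """Precedence on the page: nas-ip in the scheme beats radius nas-ip in
    system view, which beats the address of the outbound port."""
    return scheme_nas_ip or global_nas_ip or outbound_ip


def review(candidate, server_ips=SCHEME_SERVERS, ap_addresses=AP_ADDRESSES):
    """Combined check for one proposed source address; None means acceptable."""
    problem = nas_ip_problem(candidate, ap_addresses)
    if problem:
        return problem
    if not same_ip_version(candidate, server_ips):
        return "IP version differs from the scheme's servers"
    return None


if __name__ == "__main__":
    for addr in ["10.1.1.1", "127.0.0.1", "224.0.0.1", "2001:db8::10", "192.0.2.9"]:
        print(addr, "->", review(addr) or "ok")
```

Note that the "loopback interface" the page recommends is a LoopBack interface carrying an ordinary routable unicast address (a 10.x address in the constructed set above); the 127.0.0.0/8 and ::1 loopback range is exactly what the rule excludes.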

radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Default Level

3: Manage level

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter RADIUS scheme view.

Use the undo radius scheme command to delete a RADIUS scheme.

By default, no RADIUS scheme is defined.

The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP addresses and UDP ports of the RADIUS authentication/authorization/accounting servers and the parameters necessary for a RADIUS client to interact with the servers. 

A RADIUS scheme can be referenced by more than one ISP domain at the same time.

You cannot remove the RADIUS scheme being used by online users with the undo radius scheme command.

Related commands: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius scheme, and display radius statistics.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down }

undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Default Level

2: System level

Parameters

accounting-server-down: RADIUS trap for accounting servers.

authentication-server-down: RADIUS trap for authentication servers.

Description

Use the radius trap command to enable the RADIUS trap function.

Use the undo radius trap command to disable the function.

By default, the RADIUS trap function is disabled.

If a NAS sends an accounting or authentication request to the RADIUS server but gets no response, the NAS retransmits the request. With the RADIUS trap function enabled, when the NAS transmits the request for half of the specified maximum number of transmission attempts, it sends a trap message; when the NAS transmits the request for the specified maximum number, it sends another trap message.

If the specified maximum number of transmission attempts is odd, "half" means half of the number rounded up to the next integer (for example, 3 when the maximum is 5).

Examples

# Enable the RADIUS trap function for accounting servers.

<Sysname> system-view

[Sysname] radius trap accounting-server-down

reset radius statistics

Syntax

reset radius statistics

View

User view

Default Level

2: System level

Parameters

None

Description

Use the reset radius statistics command to clear RADIUS statistics.

Related commands: display radius scheme.

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Default Level

2: System level

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID, a string of 1 to 50 characters.

time-range start-time stop-time: Specifies a time range by its start time and end time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user name based on which to reset the stop-accounting buffer. The username is a case-sensitive string of 1 to 80 characters. The format of the user-name argument (for example, whether the domain name should be included) must comply with that specified for usernames to be sent to the RADIUS server in the RADIUS scheme.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests for which no response has been received.

Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, and display stop-accounting-buffer.

Examples

# Clear the buffered stop-accounting requests for user user0001@test.

<Sysname> reset stop-accounting-buffer user-name user0001@test

# Clear the buffered stop-accounting requests in the time range from 0:0:0 to 23:59:59 on August 31, 2006.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006

retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of retransmission attempts, in the range 1 to 20.

Description

Use the retry command to set the maximum number of RADIUS retransmission attempts.

Use the undo retry command to restore the default.

The default value for the retry-times argument is 3.

Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the AP does not receive a response to its request from the RADIUS server within the response time-out time, it will retransmit the RADIUS request. If the number of retransmission attempts exceeds the limit but the AP still receives no response from the RADIUS server, the AP regards that the authentication fails.

The maximum number of retransmission attempts defined by this command is the total of all attempts the AP sends to the primary server and the secondary server together. For example, assume that the maximum number of retransmission attempts is N and that both a primary and a secondary RADIUS server are specified and present. If the current server does not respond, the AP switches to the other server once the number of attempts reaches N/2 (if N is even) or (N+1)/2 (if N is odd).

The maximum number of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme and timer response-timeout.

Examples

# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5
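The retry count interacts with three rules on this page: the primary-to-secondary switch at N/2 or (N+1)/2, the radius trap sent at the rounded-up half and at the maximum, and the limit that attempts multiplied by the response timeout may not exceed 75. The following added example (not H3C code and not part of this reference) turns those rules into a worst-case timeline for a scheme whose servers never answer. It models N as the total number of transmissions, including the first; that reading, and the assumption that the trap and the switch count the same attempts, are assumptions, not statements from the page.

```python
import math


def switch_point(retry_times):
    """Attempt after which the AP gives up on the current server and tries the
    other one: N/2 for even N, (N+1)/2 for odd N, which is ceil(N/2) in both cases."""
    return math.ceil(retry_times / 2)


def trap_points(retry_times):
    """Attempt counts at which radius trap raises a trap: the rounded-up half
    and the maximum itself."""
    return (math.ceil(retry_times / 2), retry_times)


def validate_retry(retry_times, response_timeout):
    """Ranges stated on the page: retry-times 1 to 20, and attempts multiplied
    by the response timeout (seconds) no greater than 75."""
    return 1 <= retry_times <= 20 and retry_times * response_timeout <= 75


def seconds_until_failure(retry_times, response_timeout):
    """Time before the AP declares the authentication failed when nobody answers."""
    return retry_times * response_timeout


def attempt_schedule(retry_times, response_timeout, has_secondary=True):
    """Worst-case timeline against servers that never answer. One tuple per
    attempt: (attempt number, server used, seconds elapsed when it is sent,
    whether a trap is raised once this attempt also goes unanswered).
    Assumption: attempt N counts the first transmission as attempt 1."""
    if not validate_retry(retry_times, response_timeout):
        raise ValueError("retry-times or retry-times x timeout out of range")
    switch, traps = switch_point(retry_times), trap_points(retry_times)
    schedule = []
    for n in range(1, retry_times + 1):
        server = "primary" if (n <= switch or not has_secondary) else "secondary"
        schedule.append((n, server, (n - 1) * response_timeout, n in traps))
    return schedule


if __name__ == "__main__":
    # The page's example: retry 5 with the default 3-second response timeout.
    for row in attempt_schedule(5, 3):
        print(row)
    print("failure declared after", seconds_until_failure(5, 3), "seconds")
```

For the page's retry 5 example with the default 3-second timeout, the first trap and the switch to the secondary server both fall on attempt 3, and a user waits 15 seconds before the AP declares the authentication failed; the 75-second cap bounds how long that wait can be made.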

retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of accounting request transmission attempts. It ranges from 1 to 255 and defaults to 5.

Description

Use the retry realtime-accounting command to set the maximum number of accounting request transmission attempts.

Use the undo retry realtime-accounting command to restore the default.

A RADIUS server usually checks whether a user is online by means of a timeout timer. If it receives no real-time accounting packet for a user from the NAS within the timeout period, it assumes a line or device failure and stops accounting for the user. Because this may happen when some unexpected failure occurs, the NAS must disconnect the user accordingly. The maximum number of accounting request transmission attempts serves this purpose: once the limit is reached and the NAS still receives no response, the NAS disconnects the user.

Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the number of timeout retransmission attempts is 3 (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting request transmission attempts is 5 (set with the retry realtime-accounting command). In this case, the AP generates an accounting request every 12 minutes and retransmits it when it receives no response within 3 seconds. The accounting is deemed unsuccessful if no response is received for 3 requests. The AP then keeps sending a request every 12 minutes, and if it receives no response 5 times, it cuts the user connection.

Related commands: radius scheme and timer realtime-accounting.

Examples

# Set the maximum number of accounting request transmission attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

retry stop-accounting (RADIUS scheme view)

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

retry-times: Maximum number of stop-accounting request transmission attempts. It ranges from 10 to 65,535 and defaults to 500.

Description

Use the retry stop-accounting command to set the maximum number of stop-accounting request transmission attempts.

Use the undo retry stop-accounting command to restore the default.

Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the number of timeout retransmission attempts is 5 (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). For each stop-accounting request, if the AP receives no response within 3 seconds, it sends a new request. If no response is received for 5 such requests, the stop-accounting request is deemed unsuccessful. The AP then buffers the request, resends it, and repeats the whole process described above. Only when 20 consecutive attempts fail does the AP discard the request.

Related commands: reset stop-accounting-buffer, radius scheme, and display stop-accounting-buffer.

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1,000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

secondary accounting (RADIUS scheme view)

Syntax

secondary accounting { ip-address | ipv6 ipv6-address } [ port-number ]

undo secondary accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the secondary accounting server, in dotted decimal notation. The default is 0.0.0.0.

ipv6 ipv6-address: IPv6 address of the secondary accounting server.

port-number: UDP port number of the secondary accounting server, which ranges from 1 to 65535 and defaults to 1813.

Description

Use the secondary accounting command to specify the secondary RADIUS accounting server.

Use the undo secondary accounting command to remove the configuration.

By default, no secondary RADIUS accounting server is specified.

The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.

The RADIUS service port configured on the AP and that of the RADIUS server must be consistent.

The IP addresses of the primary and secondary accounting servers must be of the same IP version.

The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.

You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the secondary accounting server for RADIUS scheme radius1 to 10.110.1.1 and the UDP port of the server to 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

secondary authentication (RADIUS scheme view)

Syntax

secondary authentication { ip-address | ipv6 ipv6-address } [ port-number ]

undo secondary authentication

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IPv4 address of the secondary authentication/authorization server, in dotted decimal notation. The default is 0.0.0.0.

ipv6 ipv6-address: IPv6 address of the secondary authentication/authorization server.

port-number: UDP port number of the secondary authentication/authorization server, which ranges from 1 to 65535 and defaults to 1812.

Description

Use the secondary authentication command to specify the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to remove the configuration.

By default, no secondary RADIUS authentication/authorization server is specified.

The IP addresses of the primary and secondary authentication/authorization servers cannot be the same. Otherwise, the configuration fails.

The RADIUS service port configured on the AP and that of the RADIUS server must be consistent.

The IP addresses of the primary and secondary authentication/authorization servers must be of the same IP version.

The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.

You can use the commands to change the settings only when no user is using the RADIUS scheme.

Related commands: key, radius scheme, and state.

Examples

# Set the IP address of the secondary authentication/authorization server for RADIUS scheme radius1 to 10.110.1.2 and the UDP port of the server to 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

security-policy-server

Syntax

security-policy-server ip-address

undo security-policy-server { ip-address | all }

View

RADIUS scheme view

Default Level

2: System level

Parameters

ip-address: IP address of a security policy server.

all: All IP addresses

Description

Use the security-policy-server command to specify a security policy server.

Use the undo security-policy-server command to remove one or all security policy servers.

By default, no security policy server is specified.

If more than one interface of the AP is enabled with user access authentication, the interfaces may use different security policy servers. You can specify up to eight security policy servers for a RADIUS scheme.

The specified security policy server must be a security policy server or RADIUS server that is correctly configured and working normally. Otherwise, the AP will regard it as an illegal server.

You can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: radius nas-ip.

Examples

# For RADIUS scheme radius1, set the IP address of a security policy server to 10.110.1.2.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

server-type

Syntax

server-type { extended | standard }

undo server-type

View

RADIUS scheme view

Default Level

2: System level

Parameters

extended: Specifies the extended RADIUS server (generally CAMS or iMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats defined by the proprietary RADIUS protocol.

standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats of the standard RADIUS protocol (RFC 2865/2866 or newer).

Description

Use the server-type command to specify the RADIUS server type supported by the AP.

Use the undo server-type command to restore the default.

By default, the supported RADIUS server type is standard.

You can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: radius scheme.

Examples

# Set the RADIUS server type of RADIUS scheme radius1 to standard.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-type standard

state

Syntax

state { primary | secondary } { accounting | authentication } { active | block }

View

RADIUS scheme view

Default Level

2: System level

Parameters

primary: Sets the status of the primary RADIUS server.

secondary: Sets the status of the secondary RADIUS server.

accounting: Sets the status of the RADIUS accounting server.

authentication: Sets the status of the RADIUS authentication/authorization server.

active: Sets the status of the RADIUS server to active, namely the normal operation state.

block: Sets the status of the RADIUS server to block.

Description

Use the state command to set the status of a RADIUS server.

By default, every RADIUS server configured with an IP address in the RADIUS scheme is in the state of active.

When a primary server (authentication/authorization or accounting) fails, the AP automatically turns to the secondary server.

Once the primary server fails, it enters the block state and the AP turns to the secondary server. If the secondary server is available, the AP starts the primary server quiet timer. After the quiet timer expires, the status of the primary server becomes active again and the status of the secondary server remains unchanged. If the secondary server fails, the AP restores the status of the primary server to active immediately.

If the primary server has resumed, the AP turns to use the primary server and stops communicating with the secondary server. Once accounting has started, the communication between the client and the secondary server remains unchanged.

When both the primary server and the secondary server are in the blocked state, you need to set the status of the secondary server to active to use the secondary server for authentication. Otherwise, the switchover will not occur.

If one server is in the active state while the other is blocked, the switchover will not take place even if the active server is not reachable.

You can use this command to change the settings only when no user is using the RADIUS scheme.

Related commands: radius scheme, primary authentication, secondary authentication, primary accounting, and secondary accounting.

Examples

# Set the status of the secondary server in RADIUS scheme radius1 to active.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication active
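The description of the state command above defines a small state machine (block on failure, switch to the secondary, quiet timer, manual recovery when both are blocked). The following model of that logic is an added example for one server role of a scheme, not H3C code; the choice to mark a failed secondary as blocked is an assumption of the model.

```python
# Added example, not H3C code: a model of the primary/secondary server state
# logic described under the state command (one role: authentication or accounting).
ACTIVE, BLOCK = "active", "block"


class ServerPair:
    def __init__(self, quiet_minutes: int = 5):
        # Default: every server that has an IP address is active.
        self.state = {"primary": ACTIVE, "secondary": ACTIVE}
        self.quiet_minutes = quiet_minutes   # timer quiet, default 5 minutes
        self.quiet_left = 0                  # minutes left on the quiet timer
        self.in_use = "primary"

    def set_state(self, server: str, state: str) -> None:
        """Operator action, equivalent to the state command."""
        self.state[server] = state

    def select(self):
        """Server the AP sends the next request to; None if both are blocked."""
        if self.state[self.in_use] == ACTIVE:
            return self.in_use
        other = "secondary" if self.in_use == "primary" else "primary"
        if self.state[other] == ACTIVE:
            self.in_use = other              # switchover
            return other
        return None                          # both blocked: operator must act

    def report_failure(self, server: str) -> None:
        """A request to `server` got no response."""
        if server == "primary":
            if self.state["secondary"] != ACTIVE:
                return                       # other server blocked: no switchover
            self.state["primary"] = BLOCK    # primary blocked, use secondary
            self.in_use = "secondary"
            self.quiet_left = self.quiet_minutes
        elif self.state["primary"] == BLOCK:
            # Secondary failed while the primary was blocked: the primary is
            # restored at once. Marking the secondary blocked is a model assumption.
            self.state["secondary"] = BLOCK
            self.state["primary"] = ACTIVE
            self.in_use = "primary"
            self.quiet_left = 0

    def tick(self, minutes: int) -> None:
        """Advance the quiet timer; on expiry the primary is active again."""
        if self.quiet_left > 0:
            self.quiet_left = max(0, self.quiet_left - minutes)
            if self.quiet_left == 0:
                self.state["primary"] = ACTIVE   # secondary state unchanged
                self.in_use = "primary"          # AP returns to the primary
```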

stop-accounting-buffer enable (RADIUS scheme view)

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS scheme view

Default Level

2: System level

Parameters

None

Description

Use the stop-accounting-buffer enable command to enable the AP to buffer stop-accounting requests getting no responses.

Use the undo stop-accounting-buffer enable command to disable the AP from buffering stop-accounting requests getting no responses.

By default, the AP is enabled to buffer stop-accounting requests getting no responses.

Since stop-accounting requests affect how users are charged, a NAS must make its best effort to deliver every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that gets no response within the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission retries reaches the configured limit. In the latter case, the NAS discards the packet.

You can use the commands to change the setting only when no user is using the RADIUS scheme.

Related commands: reset stop-accounting-buffer, radius scheme, and display stop-accounting-buffer.

Examples

# In RADIUS scheme radius1, enable the AP to buffer the stop-accounting requests getting no responses.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

timer quiet (RADIUS scheme view)

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Primary server quiet period, in minutes. It ranges from 1 to 255 and defaults to 5.

Description

Use the timer quiet command to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.

Use the undo timer quiet command to restore the default.

Related commands: display radius scheme.

Examples

# Set the quiet timer for the primary server to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme test1

[Sysname-radius-test1] timer quiet 10

timer realtime-accounting (RADIUS scheme view)

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Default Level

2: System level

Parameters

minutes: Real-time accounting interval, in minutes. The value is zero or a multiple of 3 in the range 3 to 60; the default is 12.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default.

For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command is for setting the interval.

When the real-time accounting interval on the AP is zero, the AP will send online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any) or will not send online user accounting information.

The setting of the real-time accounting interval depends to some extent on the performance of the NAS and the RADIUS server: a shorter interval means higher accounting precision but requires higher performance. A longer interval is therefore recommended when there are a large number of users (1000 or more).

The following table lists the recommended ratios of the interval to the number of users.

Table 1-6 Recommended ratios of the accounting interval to the number of users

Number of users     Real-time accounting interval (minutes)
1 to 99             3
100 to 499          6
500 to 999          12
1000 or more        15 or more

Related commands: retry realtime-accounting and radius scheme.

Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

timer response-timeout (RADIUS scheme view)

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Default Level

2: System level

Parameters

seconds: RADIUS server response timeout period in seconds. It ranges from 1 to 10 and defaults to 3.

Description

Use the timer response-timeout command to set the RADIUS server response timeout timer.

Use the undo timer response-timeout command to restore the default.

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it has to resend the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

A proper value for the RADIUS server response timeout timer can help improve the system performance. Set the timer based on the network conditions.

The maximum total number of all types of retransmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.

Related commands: radius scheme and retry.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5
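The stop-accounting-buffer enable description (buffer, resend until a response or the retry limit, then discard) and the response-timeout retry budget (retries multiplied by the timeout must not exceed 75 seconds) are modelled in the following added example, which is not H3C code. The session ids are constructed, and the retry limit of 3 is an assumed value, not this platform's default.

```python
# Added example, not H3C code: a model of the stop-accounting buffer and of the
# response-timeout/retry budget described on this page.
from dataclasses import dataclass, field

RETRY_BUDGET_SECONDS = 75  # retries x response timeout must not exceed 75 s


def retry_budget_ok(total_retries: int, response_timeout: int) -> bool:
    """True if the retransmission schedule fits the 75-second budget."""
    if not 1 <= response_timeout <= 10:         # timer response-timeout range
        return False
    return total_retries * response_timeout <= RETRY_BUDGET_SECONDS


@dataclass
class Pending:
    sent: int = 1      # transmissions so far (first send included)
    waited: int = 0    # seconds since the last transmission


@dataclass
class StopAccountingBuffer:
    response_timeout: int = 3   # timer response-timeout, default 3 seconds
    max_retries: int = 3        # retry stop-accounting limit (assumed value)
    pending: dict = field(default_factory=dict)
    sent_log: list = field(default_factory=list)
    discarded: list = field(default_factory=list)

    def send_stop(self, session_id: str) -> None:
        """First transmission of an Accounting-Request (Stop); buffer a copy."""
        self.sent_log.append(session_id)
        self.pending[session_id] = Pending()

    def response_received(self, session_id: str) -> None:
        """An Accounting-Response arrived: release the buffered copy."""
        self.pending.pop(session_id, None)

    def tick(self, seconds: int) -> None:
        """Advance time: resend timed-out requests, discard exhausted ones."""
        for sid, req in list(self.pending.items()):
            req.waited += seconds
            if req.waited < self.response_timeout:
                continue                        # still inside the timeout
            if req.sent - 1 >= self.max_retries:
                del self.pending[sid]           # retry limit reached: discard
                self.discarded.append(sid)
            else:
                req.sent += 1                   # retransmit the buffered copy
                req.waited = 0
                self.sent_log.append(sid)
```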

user-name-format (RADIUS scheme view)

Syntax

user-name-format { keep-original | with-domain | without-domain }

View

RADIUS scheme view

Default Level

2: System level

Parameters

keep-original: Sends the username to the RADIUS server as it is input.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to specify the format of the username to be sent to a RADIUS server.

By default, the ISP domain name is included in the username.

A username is generally in the format of userid@isp-name, of which isp-name is used by the AP to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the AP must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a RADIUS server.

If a RADIUS scheme sends usernames without the ISP domain name, do not apply that scheme to more than one ISP domain. Otherwise, the RADIUS server may treat two users in different ISP domains that have the same userid as one user.

For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the AP does not change the usernames from clients before forwarding them to the RADIUS server.

If the RADIUS scheme is for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.

You can use this command to change the setting only when no user is using the RADIUS scheme.

Related commands: radius scheme.

Examples

# Configure the AP to exclude the domain name from the username sent to the RADIUS servers for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain
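The following added example (not H3C code) shows what User-Name each user-name-format keyword produces, honours the EAP exception, and checks for the same-userid collision that the description warns about when a without-domain scheme serves several ISP domains. The logins and domain names are constructed sample data.

```python
# Added example, not H3C code: username shaping per user-name-format keyword
# and a collision check for schemes applied to more than one ISP domain.
from typing import Dict, List, Tuple


def radius_user_name(entered: str, isp_domain: str, fmt: str,
                     eap_8021x: bool = False) -> str:
    """User-Name the AP sends for a login typed as `entered` in `isp_domain`."""
    if eap_8021x:
        return entered            # 802.1X EAP users: name forwarded unchanged
    userid = entered.partition("@")[0]
    if fmt == "keep-original":
        return entered            # exactly as the user typed it
    if fmt == "without-domain":
        return userid             # strip userid@isp-name down to userid
    if fmt == "with-domain":
        return f"{userid}@{isp_domain}"   # domain the AP resolved the user to
    raise ValueError(f"unknown user-name-format: {fmt}")


def username_collisions(logins: List[Tuple[str, str]], fmt: str) -> Dict[str, List[str]]:
    """User-Names that more than one ISP domain would produce under `fmt`.

    `logins` holds (entered name, ISP domain the AP assigned) pairs.
    """
    seen: Dict[str, set] = {}
    for entered, domain in logins:
        seen.setdefault(radius_user_name(entered, domain, fmt), set()).add(domain)
    return {name: sorted(domains) for name, domains in seen.items() if len(domains) > 1}


# Constructed sample logins: the same userid in two ISP domains.
SAMPLE_LOGINS = [("alice@corp", "corp"), ("alice@guest", "guest"), ("bob@corp", "corp")]
```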
