Login
- Table of Contents
-
- 11-Security Command Reference
- 00-Preface
- 01-AAA Commands
- 02-802.1X Commands
- 03-MAC Authentication Commands
- 04-Portal Commands
- 05 Password Control Commands
- 06-Public Key Commands
- 07-IPsec Commands
- 08-SSH Commands
- 09-Blacklist Commands
- 10-TCP and ICMP Attack Protection Commands
- 11-IP Source Guard Commands
- 12-ARP Attack Protection Commands
- 13-ND Attack Defense Commands
- 14-URPF Commands
- 15-PKI Commands
- 16-SSL Commands
- 17-FIPS Commands
- 18-Attack Detection and Protection Commands
| Title | Size | Download |
|---|---|---|
| 01-AAA Commands | 478.51 KB |
Contents
General AAA configuration commands
Local user configuration commands
authorization-attribute (local user view/user group view)
expiration-date (local user view)
data-flow-format (RADIUS scheme view)
display stop-accounting-buffer (for RADIUS)
primary accounting (RADIUS scheme view)
primary authentication (RADIUS scheme view)
reset stop-accounting-buffer (for RADIUS)
retry stop-accounting (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
stop-accounting-buffer enable (RADIUS scheme view)
timer quiet (RADIUS scheme view)
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
HWTACACS configuration commands
data-flow-format (HWTACACS scheme view)
display stop-accounting-buffer (for HWTACACS)
primary accounting (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
reset stop-accounting-buffer (for HWTACACS)
retry stop-accounting (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
stop-accounting-buffer enable (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
timer realtime-accounting (HWTACACS scheme view)
timer response-timeout (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
vpn-instance (HWTACACS scheme view)
General AAA configuration commands
The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
access-limit enable
Syntax
access-limit enable max-user-number
undo access-limit enable
View
ISP domain view
Default level
2: System level
Parameters
max-user-number: Maximum number of users that the ISP domain can accommodate. The value range is from 1 to 2147483646.
Description
Use access-limit enable to enable limitation of the number of users in an ISP domain and set the allowed maximum number. After the number of users reaches the allowed maximum number, no more users will be accepted.
Use undo access-limit enable to restore the default.
By default, there is no limit to the number of users in an ISP domain.
System resources are limited, and user connections may compete for network resources when there are many users. Setting a proper limit to the number of users helps provide reliable system performance.
Related commands: display domain.
Examples
# Set a limit of 500 user connections for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500
accounting command
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
By default, the default accounting method for the ISP domain is used for command line accounting.
The specified HWTACACS scheme must have been configured.
Command line accounting can use only a HWTACACS scheme.
Related commands: accounting default and hwtacacs scheme.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
accounting default
Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
By default, the default accounting method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default accounting method will be used for all users who support the specified accounting method and have no specific accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections; it does not provide the statistics function that the accounting feature generally provides.
Related commands: local-user, hwtacacs scheme, and radius scheme.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
accounting lan-access
Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.
By default, the default accounting method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, accounting default, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local
accounting login
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting login to configure the accounting method for login users through the console port, AUX port, or Telnet.
Use undo accounting login to restore the default.
By default, the default accounting method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
Accounting is not supported for login users who use FTP.
Related commands: local-user, accounting default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
accounting optional
Syntax
accounting optional
undo accounting optional
View
ISP domain view
Default level
2: System level
Parameters
None
Description
Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.
By default, the feature is disabled.
After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or the communication with the current accounting server fails. However, the switch no longer sends real-time accounting updates for the user. The accounting optional feature applies to scenarios where accounting is not important.
|
|
NOTE: After you configure the accounting optional command, the setting configured by the access-limit command in local user view is not effective. |
Examples
# Enable the accounting optional feature for users in domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting optional
accounting portal
Syntax
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting portal to configure the accounting method for portal users.
Use undo accounting portal to restore the default.
By default, the default accounting method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, accounting default, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local
accounting ppp
Syntax
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting ppp
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting ppp to configure the accounting method for PPP users.
Use undo accounting ppp to restore the default.
By default, the default accounting method for the ISP domain is used for PPP users.
The specified RADIUS or HWTACACS scheme must have been configured.
Related commands: local-user, accounting default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local accounting for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp local
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp radius-scheme rd local
authentication default
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication default to configure the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
By default, the default authentication method of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default authentication method will be used for all users who support the specified authentication method and have no specific authentication method configured.
Related commands: local-user, hwtacacs scheme, and radius scheme.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
authentication lan-access
Syntax
authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authentication lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.
By default, the default authentication method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, authentication default, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
authentication login
Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication login to configure the authentication method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authentication login to restore the default.
By default, the default authentication method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
authentication portal
Syntax
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication portal to configure the authentication method for portal users.
Use undo authentication portal to restore the default.
By default, the default authentication method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
Related commands: local-user, authentication default, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local
authentication ppp
Syntax
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication ppp
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.
By default, the default authentication method for the ISP domain is used for PPP users.
The specified RADIUS or HWTACACS scheme must have been configured.
Related commands: local-user, authentication default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authentication for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp radius-scheme rd local
authentication super
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.
By default, the default authentication method for the ISP domain is used for user privilege level switching authentication.
The specified RADIUS or HWTACACS authentication scheme must have been configured.
Related commands: hwtacacs scheme and radius scheme; super authentication-mode (Fundamentals Command Reference).
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
authorization command
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only commands of Level 0. This keyword is not supported in FIPS mode.
Description
Use authorization command to configure the command line authorization method.
Use undo authorization command to restore the default.
By default, the default authorization method for the ISP domain is used for command line authorization.
The specified HWTACACS scheme must have been configured.
With command line authorization configured, a user who has logged in to the switch can execute only the commands with a level lower than or equal to that of the local user.
Related commands: local-user, authorization default, and hwtacacs scheme.
Examples
# Configure ISP domain test to use local command line authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
authorization default
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the switch, and other login users can access only the commands of Level 0. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
By default, the default authorization method for the ISP domain of an ISP domain is local.
The specified RADIUS or HWTACACS scheme must have been configured.
The default authorization method will be used for all users who support the specified authorization method and have no specific authorization method are configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, hwtacacs scheme, and radius scheme.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
authorization lan-access
Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access the network directly. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authorization lan-access to configure the authorization method for LAN users.
Use undo authorization lan-access to restore the default.
By default, the default authorization method for the ISP domain is used for LAN users.
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local
authorization login
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the switch, and other login users can access only the commands of Level 0. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authorization login to configure the authorization method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authorization login to restore the default.
By default, the default authorization method for the ISP domain is used for login users.
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
authorization portal
Syntax
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated portal user can access the network directly. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authorization portal to configure the authorization method for portal users.
Use undo authorization portal to restore the default.
By default, the default authorization method for the ISP domain is used for portal users.
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local
authorization ppp
Syntax
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization ppp
View
ISP domain view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access the network directly. This keyword is not supported in FIPS mode.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authorization ppp to configure the authorization method for PPP users.
Use undo authorization ppp to restore the default.
By default, the default authorization method for the ISP domain is used for PPP users.
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Related commands: local-user, authorization default, hwtacacs scheme, and radius scheme.
Examples
# Configure ISP domain test to use local authorization for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp local
# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local
cut connection
Syntax
In standalone mode:
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ slot slot-number ]
In IRF mode:
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id } [ chassis chassis-number slot slot-number ]
View
System view
Default level
2: System level
Parameters
access-type: Specifies the user connections of the specified access type.
· dot1x: Indicates 802.1X authentication.
· mac-authentication: Indicates MAC address authentication.
· portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index. The value range is from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections of a VLAN, with vlan-id ranging from 1 to 4094.
slot slot-number: Specifies the user connections on the card in a slot. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the user connections on a card of a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
Description
Use cut connection to tear down the specified user connections forcibly.
This command applies to LAN and portal user connections.
For 802.1X users whose usernames carry the version number or contain spaces, you cannot cut the connections by username.
For 802.1X users whose usernames use a slash (/) or backslash (\) as the domain name delimiter, you cannot cut their connections by username. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb.
An interface that is configured with a mandatory authentication domain treats users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface will use the domain’s AAA methods for all its 802.1X users. To cut connections of such users, use the cut connection domain isp-name command and specify the mandatory authentication domain.
Related commands: display connection and service-type.
Examples
# Tear down all connections of ISP domain test.
<Sysname> system-view
[Sysname] cut connection domain test
display connection
Syntax
In standalone mode:
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
access-type: Specifies the user connections of the specified access type.
· dot1x: Indicates 802.1X authentication.
· mac-authentication: Indicates MAC address authentication.
· portal: Indicates portal authentication.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces are supported.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index. The value range is from 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain name or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections of a VLAN, with vlan-id ranging from 1 to 4094.
slot slot-number: Specifies the user connections on the card in a slot. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the user connections on a card of a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display connection to display information about AAA user connections.
This command does not display information about FTP user connections.
With no parameter specified, this command displays brief information about all AAA user connections.
If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
How the device displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login:
· If the username does not contain the at sign (@), the device displays the username in the format username@mandatory authentication domain name.
· If the username contains the at sign (@,) the device displays the entered username. For example, if a user entered the username aaa@123 at login and the name of the mandatory authentication domain is dom, the device displays the username aaa@123, rather than aaa@123@dom.
For 802.1X users whose usernames use a slash (/) or backslash (\) as the domain name delimiter, you cannot query the connections by username. For example, the display connection user-name aaa\bbb command cannot display the connections of the user aaa\bbb.
Related commands: cut connection.
Examples
# Display information about all AAA user connections.
<Sysname> display connection
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.1
Total 1 connection(s) matched on slot 0.
Total 1 connection(s) matched.
# Display information about AAA user connections using the index of 0.
<Sysname> display connection ucibindex 0
Slot: 0
Index=0 , Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
CAR=Disable
Priority=Disable
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Slot: 1
Total 0 connection matched.
Slot: 2
Total 0 connection matched.
Table 1 Command output
|
Field |
Description |
|
Chassis |
ID of the IRF member switch. |
|
Username |
Username of the connection, in the format username@domain. |
|
MAC |
MAC address of the user. |
|
IP |
IPv4 address of the user. |
|
IPv6 |
IPv6 address of the user. |
|
Access |
User access type. |
|
ACL Group |
Authorization ACL group. This field displays Disable if no authorization ACL group is assigned. |
|
CAR(kbps) |
Authorized CAR parameters. |
|
UpPeakRate |
Uplink peak rate. |
|
DnPeakRate |
Downlink peak rate. |
|
UpAverageRate |
Uplink average rate. |
|
DnAverageRate |
Downlink average rate. |
display domain
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display domain to display the configuration of ISP domains.
Related commands: access-limit enable, domain, and state.
Examples
# Display the configuration of all ISP domains.
0 Domain : abc
State : Active
Access-limit : Disable
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Self-service = Disabled
Authorization attributes
1 Domain : rs1
State : Active
Access-limit : Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Login authentication scheme : radius: rs1, local
Login authorization scheme : radius: rs1, local
Login accounting scheme : radius: rs1, local
Domain User Template:
Self-service = Disabled
Authorization attributes
2 Domain = system
State = Active
Access-limit = Disable
Accounting method = Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Self-service = Disabled
Authorization attributes
Default Domain Name: system
Total 3 domain(s).
Table 2 Command output
|
Field |
Description |
|
Domain |
ISP domain name. |
|
State |
Status of the ISP domain, active or blocked. Users in an active ISP domain can request network services, and users in a blocked ISP domain cannot. |
|
Access-limit |
Limit on the number of user connections. If there is no limit on the number, this field displays Disable. |
|
Accounting method |
Indicates whether accounting is required. If accounting is required, when no accounting server is available or communication with the accounting server fails, user connections will be torn down. Otherwise, users can continue to use network services. |
|
Default authentication scheme |
Default authentication method. |
|
Default authorization scheme |
Default authorization method. |
|
Default accounting scheme |
Default accounting method. |
|
Login authentication scheme |
Authentication method for login users. |
|
Login authorization scheme |
Authorization method for login users. |
|
Login accounting scheme |
Accounting method for login users. |
|
Domain User Template |
Indicates some functions and attributes set for users in the domain. |
|
Self-service |
Indicates whether the self service function is enabled. With the self service function enabled, users can launch a browser and enter the self service URL in the address bar to access the self service pages and perform self service operations. |
|
Authorization attributes |
Default authorization attributes for the ISP domain. |
domain
Syntax
domain isp-name
undo domain isp-name
View
System view
Default level
3: Manage level
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that contains no slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
Description
Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.
By default, there is a system predefined ISP domain named system in the system.
All ISP domains are in active state when they are created.
The system predefined ISP domain system cannot be deleted; you can only modify its configuration.
|
|
NOTE: To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. |
Related commands: state and display domain.
Examples
# Create ISP domain test, and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test]
domain default enable
Syntax
domain default enable isp-name
undo domain default enable
View
System view
Default level
3: Manage level
Parameters
isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters.
Description
Use domain default enable to specify the default ISP domain. Users without any domain name carried in the usernames are considered to be in the default domain.
Use undo domain default enable to restore the default.
By default, the default ISP domain is the system predefined ISP domain system.
There can be only one default ISP domain.
The specified domain must already exist. Otherwise, users without any domain name carried in the username cannot pass authentication.
To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the domain default disable command.
Related commands: domain, state, and display domain.
Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
idle-cut enable
Syntax
idle-cut enable minute [ flow ]
undo idle-cut enable
View
ISP domain view
Default level
2: System level
Parameters
minute: Idle timeout interval, in the range of 1 to 600 minutes.
flow: Minimum traffic during the idle timeout period, which ranges from 1 to 10240000 bytes and defaults to 10240.
Description
Use idle-cut enable to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the switch checks the traffic of each online user in the domain at the idle timeout interval, and logs out any user in the domain whose traffic during the idle timeout interval is less than the specified minimum traffic.
Use undo idle-cut enable to restore the default.
By default, the function is disabled.
You can also set the idle timeout interval on the server to make the server log out users whose traffic during the idle timeout interval is less than 10240 bytes, but your setting on the server takes effect only when you disable the idle cut function on the switch.
Related commands: domain.
Examples
# Enable the idle cut function and set the idle timeout interval to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024
ip pool
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
View
ISP domain view
Default level
2: System level
Parameters
pool-number: Address pool number, in the range of 0 to 99.
low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, there will be only one IP address in the pool, namely the start IP address.
Description
Use ip pool to configure an address pool for assigning addresses to PPP users.
Use undo ip pool to delete an address pool.
By default, no IP address pool is configured for PPP users.
You can also configure an address pool for PPP users in system view. An IP address pool configured in system view is used to assign IP addresses to PPP users who do not need to be authenticated. To specify the address pool used for assigning an IP address to the peer device, use the remote address command in interface view.
An IP address pool configured in ISP domain view is used to assign IP addresses to the ISP domain’s PPP users who must be authenticated. Configure IP address pools for ISP domains in scenarios where an interface serves a great amount of PPP users but the address resources are inadequate. For example, an Ethernet interface running PPPoE can accommodate up to 4096 users. However, only one address pool with up to 1024 addresses can be configured on its virtual template (VT). This is obviously far from what is required. To address the issue, configure address pools for ISP domains and assign addresses from them to the PPP users by domain.
Related commands: ip pool and remote address (Layer 2—WAN Command Reference).
Examples
# Configure the IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.10
self-service-url enable
Syntax
self-service-url enable url-string
undo self-service-url enable
View
ISP domain view
Default level
2: System level
Parameters
url-string: URL of the self-service server, a string of 1 to 64 characters. It must start with http:// and contain no question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
Description
Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server.
Use undo self-service-url enable to restore the default.
By default, the self-service server location function is disabled.
With the self-service function, users can manage and control their accounts and passwords. Only the RADIUS server systems provided by CAMS and IMC support the self-service function.
Examples
# For ISP domain test, enable the self-service server location function and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] self-service-url enable http://10.153.89.94/selfservice
state (ISP domain view)
Syntax
state { active | block }
undo state
View
ISP domain view
Default level
2: System level
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Description
Use state to set the status of an ISP domain.
Use undo state to restore the default.
By default, an ISP domain is in active state.
By blocking an ISP domain, you disable users of the domain that are offline from requesting network services. The online users are not affected.
Examples
# Place the current ISP domain test to the state of blocked.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Local user configuration commands
access-limit
Syntax
access-limit max-user-number
undo access-limit
View
Local user view
Default level
3: Manage level
Parameters
max-user-number: Maximum number of concurrent users of the current local user account, in the range of 1 to 1024.
Description
Use access-limit to limit the number of concurrent users of a local user account.
Use undo access-limit to remove the limitation.
By default, there is no limit to the number of users who concurrently use the same local user account.
This command takes effect only when local accounting is used for the user account.
This limit is not effective for FTP users because accounting is not available for FTP users.
Related commands: display local-user.
Examples
# Limit the maximum number of concurrent users of local user account abc to 5.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] access-limit 5
authorization-attribute (local user view/user group view)
Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | level | user-profile | user-role | vlan | work-directory } *
View
Local user view, user group view
Default level
3: Manage level
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must range from 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL.
callback-number callback-number: Specifies the authorization PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the switch uses this number to call the user.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period will be logged out. The minute argument indicates the idle timeout period, in the range of 1 to 120 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level. This parameter determines the command level for login users whose user interfaces perform AAA authentication. By default, the user level is 0, and users can use only commands of level 0 after login.
user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a case-sensitive string of 1 to 32 characters. After a user passes authentication and gets online, the switch uses the settings in the user profile to restrict the access behavior of the user. This option is not supported in the current software version and is reserved for future support.
user-role: Specifies the role for the local user. This keyword is available in only local user view. Users playing different roles can access different levels of commands. If you specify no role for a local user, the access right of the user after login depends on other authorization attributes. Supported roles include:
· guest: A guest user account is usually created through the Web interface.
· guest-manager: After passing authentication, a guest manager can only use the Web interface to access guest-related pages to, for example, create, modify, or change guest user accounts.
· security-audit: After passing authentication, a security log administrator can manage security log files, for example, save security log files. For more information about the commands that a security log administrator can use, see Network Management and Monitoring Command Reference.
vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument ranges from 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory must already exist. By default, an FTP or SFTP user can access the root directory of the switch.
Description
Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the switch will assign these attributes to the user.
Use undo authorization-attribute to remove authorization attributes and restore the defaults.
By default, no authorization attribute is configured for a local user or user group.
Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. If an authorization attribute is configured in user group view but not in local user view, the setting in user group view takes effect.
To make sure that FTP and SFTP users can access the directory after a switchover between the main MPU and the backup MPU, do not specify slot information for the work directory.
If only one user is playing the role of security log administrator in the system, you cannot delete the user account, or remove or change the user’s role, unless you configure another user as a security log administrator first.
A local user can play only one role at a moment. If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
bind-attribute
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
View
Local user view
Default level
3: Manage level
Parameters
call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user.
location port slot-number subslot-number port-number: Specifies the port to which the user is bound. The slot-number argument ranges from 0 to 255, the subslot-number argument ranges from 0 to 15, and the port-number argument ranges from 0 to 255.
mac mac-address: Specifies the MAC address of the user in the format H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument ranges from 1 to 4094. This option applies only to LAN users.
Description
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
By default, no binding attribute is configured for a local user.
Binding attributes are checked upon authentication of a local user. If the binding attributes of a local user do not match the configured ones, the user cannot pass the check or authentication.
Binding attribute checking does not take the service types of the users into account. A configured binding attribute is effective for all types of users. Be cautious when deciding which binding attributes should be configured for which type of local users. For example, an IP address binding applies only to 802.1X authentication that supports IP address upload. If you configure an IP address binding for an authentication method that does not support IP address upload, for example, MAC authentication, the local authentication fails.
Examples
# Configure the bound IP of local user abc as 3.3.3.3.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] bind-attribute ip 3.3.3.3
display local-user
Syntax
In standalone mode:
display local-user [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal | web } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display local-user [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal | web } | state { active | block } | user-name user-name | vlan vlan-id ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
service-type: Specifies the local users who use a specified type of service.
· ftp: FTP users. This keyword is not supported in FIPS mode.
· lan-access: Users accessing the network through Ethernet, such as 802.1X users.
· portal: Portal users.
· ppp: PPP users.
· ssh: SSH users.
· telnet: Telnet users. This keyword is not supported in FIPS mode.
· terminal: Users logging in through the console port or AUX port.
· web: Web users.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters and does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The VLAN ID ranges from 1 to 4094.
slot slot-number: Specifies all local users on the card in a slot by the slot number. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the local users on a card of a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display local-user to display configuration and statistics information about local users.
If you do not specify any slot number, the command displays information about local users on all cards. (In standalone mode)
If you do not specify any IRF member ID, the command displays information about local users on all member switches. (In IRF mode)
Related commands: local-user.
Examples
# Display the information of local user bbb on the card installed in slot 0.
<Sysname> display local-user user-name bbb slot 0
Slot: 0
The contents of local user bbb:
State: Active
ServiceType: ftp
Access-limit: Enable Current AccessNum: 0
Max AccessNum: 300
User-group: system
Bind attributes:
IP address: 1.2.3.4
Bind location: 0/4/1 (SLOT/SUBSLOT/PORT)
MAC address: 00-01-00-02-00-03
Vlan ID: 100
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: flash:/
User Privilege: 3
Acl ID: 2000
Vlan ID: 100
Total 1 local user(s) matched.
Table 3 Command output
|
Field |
Description |
|
Slot |
Slot number of the card. |
|
State |
Status of the local user, active or blocked. |
|
ServiceType |
Service types that the local user can use, including FTP, LAN access, portal, PPP, SSH, Telnet, terminal, and Web. |
|
Access-limit |
Limit on the number of user connections that use the current username. |
|
Current AccessNum |
Current number of user connections that use the current username, either for all cards or for a specified card. |
|
Max AccessNum |
Maximum number of user connections that use the current username. |
|
User-group |
User group to which the local user belongs. |
|
Bind attributes |
Binding attributes of the local user. |
|
Vlan ID |
VLAN to which the local user is bound. |
|
Authorization attributes |
Authorization attributes of the local user. |
|
Idle TimeOut |
Idle timeout period of the user, in minutes. |
|
Work Directory |
Directory accessible to the FTP user. |
|
Vlan ID |
Authorized VLAN of the local user. |
display user-group
Syntax
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display user-group to display configuration of user groups.
If you do not specify any user group name, the command displays the configuration of all user groups.
Related commands: user-group.
Examples
# Display the configuration of user group abc.
<Sysname> display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: FLASH:
Level: 1
Acl Number: 2000
Vlan ID: 1
Total 1 user group(s) matched.
|
Field |
Description |
|
Idle-cut |
Idle timeout interval, in minutes. |
|
Work Directory |
Directory that FTP/SFTP users in the group can access. |
|
Level |
Level of the local users in the group. |
|
ACL Number |
Authorization ACL for the local users in the group. |
|
VLAN ID |
Authorized VLAN for the local users in the group. |
expiration-date (local user view)
Syntax
expiration-date time
undo expiration-date
View
Local user view
Default level
3: Manage level
Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals 02:02:00-2008/02/02.
Description
Use expiration-date to set the expiration time of a local user.
Use undo expiration-date to remove the configuration.
By default, a local user has no expiration time and no time validity checking is performed.
When some users need to access the network temporarily, create a guest account and specify an expiration time for the account to control the validity of the account. When a user uses the guest account for local authentication and passes the authentication, the switch checks whether the current system time is before the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user.
Examples
# Set the expiration time of user abc to 12:10:20 on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
group
Syntax
group group-name
undo group
View
Local user view
Default level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description
Use group to assign a local user to a user group.
Use undo group to restore the default.
By default, a local user belongs to the system default user group system.
Examples
# Assign local user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc
group-attribute allow-guest
Syntax
group-attribute allow-guest
undo group-attribute allow-guest
View
User group view
Default level
3: Manage level
Parameters
None
Description
Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group.
Use undo group-attribute allow-guest to restore the default.
By default, the guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group.
The guest attribute is set for the system predefined user group system by default, and you cannot remove the attribute for the user group.
Examples
# Set the guest attribute for user group test.
<Sysname> system-view
[Sysname] user-group test
[Sysname-ugroup-test] group-attribute allow-guest
local-user
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal | web } ] }
View
System view
Default level
3: Manage level
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any backslash (\), slash (/), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
· ftp: FTP users. This keyword is not supported in FIPS mode.
· lan-access: Users accessing the network through an Ethernet, such as 802.1X users.
· portal: Portal users.
· ppp: PPP users.
· ssh: SSH users.
· telnet: Telnet users. This keyword is not supported in FIPS mode.
· terminal: Users logging in through the console port or AUX port.
· web: Web users.
Description
Use local-user to add a local user and enter local user view.
Use undo local-user to remove the specified local users.
By default, no local user is configured.
Related commands: display local-user and service-type.
Examples
# Add a local user named user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1]
password
Syntax
password [ [ hash ] { cipher | simple } password ]
undo password
View
Local user view
Default level
2: System level
Parameters
hash: Enables hash-based encryption. This keyword is not supported in FIPS mode.
{ cipher | simple } password: Specifies a case-sensitive password string. The password length and form requirements vary with the hash, cipher, and simple keyword combinations (see Table 5). The cipher, simple, and password parameters are not supported in FIPS mode.
Table 5 Password length and form requirements for the password argument
|
Keyword combination |
Password string form |
Length (in characters) |
|
hash cipher |
Ciphertext (hashed form) |
1 to 110 |
|
hash simple |
Plain text |
1 to 63 |
|
cipher |
Plain text, ciphertext |
Plain text: 1 to 63 Ciphertext: 1 to 117 |
|
simple |
Plain text |
1 to 63 |
Description
Use password to configure a password for a local user.
Use undo password to delete the password of a local user.
If you do not specify any parameter, you enter the interactive mode to set a plaintext password of 1 to 63 characters.
When the password control feature is globally enabled by using the password-control enable command, local user passwords, such as the length and complexity, are under the restriction of the password control feature, and will not be displayed. You cannot configure a password by using the password hash cipher password command. For more information about password control commands, see "Password control configuration commands."
For secrecy, all passwords, including passwords configured in plain text, are saved in cipher text to the configuration file.
Store the plaintext forms of local user passwords in a safe place. If a local user is password protected, you must provide the password in plain text for local authentication.
Related commands: display local-user.
Examples
# Set the password of local user user1 to 123456.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456
# Set the password of local user user1 to 123456 in interactive mode.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password
Password:******
Confirm :******
service-type
Syntax
service-type { ftp | lan-access | { ssh | telnet | terminal | web } * | portal | ppp }
undo service-type { ftp | lan-access | { ssh | telnet | terminal | web } * | portal | ppp }
View
Local user view
Default level
3: Manage level
Parameters
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. This keyword is not supported in FIPS mode.
lan-access: Authorizes the user to use the LAN access service. Such users are mainly Ethernet users, for example, 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service. This keyword is not supported in FIPS mode.
terminal: Authorizes the user to use the terminal service, allowing the user to login from the console or AUX port.
web: Authorizes the user to use the Web service.
portal: Authorizes the user to use the portal service.
ppp: Authorizes the user to use the PPP service.
Description
Use service-type to specify the service types that a user can use.
Use undo service-type to delete one or all service types configured for a user.
By default, a user is authorized with no service.
Examples
# Authorize user user1 to use the Telnet service.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
state (local user view)
Syntax
state { active | block }
undo state
View
Local user view
Default level
2: System level
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Description
Use state to set the status of a local user.
Use undo state to restore the default.
By default, a local user is in active state.
By blocking a user, you disable the user from requesting network services. No other users are affected.
Related commands: local-user.
Examples
# Place local user user1 to the blocked state.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
user-group
Syntax
user-group group-name
undo user-group group-name
View
System view
Default level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description
Use user-group to create a user group and enter its view.
Use undo user-group to remove a user group.
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
A user group with one or more local users cannot be removed.
The system predefined user group system cannot be removed but you can change its configurations.
Related commands: display user-group.
Examples
# Create a user group named abc and enter its view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
validity-date
Syntax
validity-date time
undo validity-date
View
Local user view
Default level
3: Manage level
Parameters
time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals 02:02:00-2008/02/02.
Description
Use validity-date to set the validity time of a local user.
Use undo validity-date to remove the configuration.
By default, a local user has no validity time and no time validity checking is performed.
When some users need to access the network temporarily, create a guest account and specify a validity time and an expiration time for the account to control the validity of the account. When a user uses the guest account for local authentication and passes the authentication, the switch checks whether the current system time is between the validity time and the expiration time. If so, it permits the user to access the network. Otherwise, it denies the access request of the user.
Related command: expiration-date.
Examples
# Set the validity time of user abc to 12:10:20 on April 30, 2008, and the expiration time to 12:10:20 on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] validity-date 12:10:20-2008/04/30
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
RADIUS configuration commands
accounting-on enable
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
View
RADIUS scheme view
Default level
2: System level
Parameters
seconds: Time interval for retransmitting an accounting-on packet in seconds, ranging from 1 to 15. The default setting is 3 seconds.
send-times: Maximum number of accounting-on packet transmission attempts, ranging from 1 to 255. The default setting is 50.
Description
Use accounting-on enable to configure the accounting-on feature. This feature enables the switch to, after rebooting, automatically sends an accounting-on message to the RADIUS accounting server indicated by the RADIUS scheme to stop accounting for and log out online users.
Use undo accounting-on enable to disable the accounting-on feature.
By default, the accounting-on feature is disabled.
Parameters set with the accounting-on enable command take effect immediately.
|
|
NOTE: After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the switch reboots. For information about the save command, see Fundamentals Command Reference. |
Related commands: radius scheme.
Examples
# Enable the accounting-on feature for RADIUS authentication scheme radius1, set the retransmission interval to 5 seconds, and set the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
attribute 25 car
Syntax
attribute 25 car
undo attribute 25 car
View
RADIUS scheme view
Default level
2: System level
Parameters
None
Description
Use attribute 25 car to specify to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
Use undo attribute 25 car to restore the default.
By default, RADIUS attribute 25 is not interpreted as CAR parameters.
Related commands: display radius scheme and display connection.
Examples
# Specify to interpret RADIUS attribute 25 as CAR parameters.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
data-flow-format (RADIUS scheme view)
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
RADIUS scheme view
Default level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
The unit for data flows and that for packets must be consistent with those on the RADIUS server. Otherwise, accounting cannot be performed correctly.
Related commands: display radius scheme.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets respectively in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
display radius scheme
Syntax
In standalone mode:
display radius scheme [ radius-scheme-name ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display radius scheme [ radius-scheme-name ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
radius-scheme-name: RADIUS scheme name.
slot slot-number: Specifies the RADIUS schemes of the card in a slot by the slot number. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the RADIUS schemes of a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display radius scheme to display the configuration of RADIUS schemes.
If you do not specify any RADIUS scheme, the command displays the configuration of all RADIUS schemes.
If you do not specify any slot number, the command displays the configuration of the RADIUS schemes on the main processing unit. (In standalone mode)
If you do not specify any IRF member ID, the command displays the configuration of the RADIUS schemes on all members of an IRF fabric. (In IRF mode)
Related commands: radius scheme.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName : radius1
Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: active
Encryption Key : ******
VPN instance : 1
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: active
Encryption Key : N/A
VPN instance : 1
Second Auth Server:
IP: 1.1.2.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
IP: 1.1.3.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
Second Acct Server:
IP: 1.1.2.1 Port: 1813 State: block
Encryption Key : N/A
VPN instance : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : N/A
VPN instance : vpn2
Accounting-On packet disable, send times : 50 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 5
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Attribute 25 : car
------------------------------------------------------------------
Total 1 RADIUS scheme(s).
Table 6 Command output
|
Field |
Description |
|
SchemeName |
Name of the RADIUS scheme. |
|
Index |
Index number of the RADIUS scheme. |
|
Type |
Type of the RADIUS server: extended or standard. |
|
Primary Auth Server |
Information about the primary authentication server. |
|
Primary Acct Server |
Information about the primary accounting server. |
|
Second Auth Server |
Information about the secondary authentication server. |
|
Second Acct Server |
Information about the secondary accounting server. |
|
IP |
IP address of the server. |
|
Port |
Service port of the server. If no port configuration is performed, the default port number is displayed. |
|
State |
Status of the server: active or blocked. |
|
Encryption Key |
Shared key for secure authentication or accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. |
|
VPN instance |
MPLS L3VPN to which the server belongs. If no VPN instance is specified for the server, this field displays N/A. |
|
Auth Server Encryption Key |
Shared key for secure authentication communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. |
|
Acct Server Encryption Key |
Shared key for secure accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. |
|
VPN instance |
MPLS L3VPN to which the scheme belongs. If no VPN instance is specified for the scheme, this field does not appear. |
|
Accounting-On packet disable |
The accounting-on feature is disabled. |
|
send times |
Retransmission times of accounting-on packets. |
|
interval |
Interval at which the device retransmits accounting-on packets. |
|
Interval for timeout(second) |
RADIUS server response timeout period, in seconds. |
|
Retransmission times for timeout |
Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. |
|
Interval for realtime accounting(minute) |
Interval for real-time accounting, in minutes. |
|
Retransmission times of realtime-accounting packet |
Maximum number of accounting attempts. |
|
Retransmission times of stop-accounting packet |
Maximum number of stop-accounting attempts. |
|
Quiet-interval(min) |
Quiet interval for the primary server. |
|
Username format |
Format of the usernames to be sent to the RADIUS server. |
|
Data flow unit |
Unit for data flows sent to the RADIUS server. |
|
Packet unit |
Unit for packets sent to the RADIUS server. |
|
NAS-IP address |
Source IP address for RADIUS packets to be sent. |
|
Attribute 25 |
Interprets RADIUS attribute 25 as the CAR parameters. |
display radius statistics
Syntax
In standalone mode:
display radius statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display radius statistics [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
slot slot-number: Specifies the RADIUS packets of the card in a slot by the slot number. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the RADIUS packets of a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display radius statistics to display statistics about RADIUS packets.
Related commands: radius scheme.
Examples
# Display statistics about RADIUS packets on the card in slot 0.
<Sysname> display radius statistics slot 0
Slot 0:state statistic(total=4096):
DEAD = 4096 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
StateErr = 0
Received and Sent packets statistic:
Sent PKT total = 0
Received PKT total = 0
RADIUS received packets statistic:
Code = 2 Num = 0 Err = 0
Code = 3 Num = 0 Err = 0
Code = 5 Num = 0 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Normal auth request Num = 0 Err = 0 Succ = 0
EAP auth request Num = 0 Err = 0 Succ = 0
Account request Num = 0 Err = 0 Succ = 0
Account off request Num = 0 Err = 0 Succ = 0
PKT auth timeout Num = 0 Err = 0 Succ = 0
PKT acct_timeout Num = 0 Err = 0 Succ = 0
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 0 Err = 0 Succ = 0
Session ctrl pkt Num = 0 Err = 0 Succ = 0
Normal author request Num = 0 Err = 0 Succ = 0
Set policy result Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
Auth accept Num = 0
Auth reject Num = 0
EAP auth replying Num = 0
Account success Num = 0
Account failure Num = 0
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 0
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 7 Command output
|
Field |
Description |
|
slot |
Number of the slot in which the card resides. |
|
state statistic |
User statistics, by state. |
|
DEAD |
Number of idle users. |
|
AuthProc |
Number of users waiting for authentication. |
|
AuthSucc |
Number of users who have passed authentication. |
|
AcctStart |
Number of users for whom accounting has been started. |
|
RLTSend |
Number of users for whom the system sends real-time accounting packets. |
|
RLTWait |
Number of users waiting for real-time accounting. |
|
AcctStop |
Number of users in the state of accounting waiting stopped. |
|
OnLine |
Number of online users. |
|
Stop |
Number of users in the state of stop. |
|
StateErr |
Number of users with unknown errors. |
|
Received and Sent packets statistic |
Statistics for packets received and sent by the RADIUS module. |
|
Sent PKT total |
Number of packets sent. |
|
Received PKT total |
Number of packets received. |
|
RADIUS received packets statistic |
Statistics for packets received by the RADIUS module. |
|
Code |
Packet type. |
|
Num |
Total number of packets. |
|
Err |
Number of packets that the device failed to process. |
|
Succ |
Number of messages that the device successfully processed. |
|
Running statistic |
Statistics for RADIUS messages received and sent by the RADIUS module. |
|
RADIUS received messages statistic |
Statistics for received RADIUS messages. |
|
Normal auth request |
Number of normal authentication requests. |
|
EAP auth request |
Number of EAP authentication requests. |
|
Account request |
Number of accounting requests. |
|
Account off request |
Number of stop-accounting requests. |
|
PKT auth timeout |
Number of authentication timeout messages. |
|
PKT acct_timeout |
Number of accounting timeout messages. |
|
Realtime Account timer |
Number of real-time accounting requests. |
|
PKT response |
Number of responses from servers. |
|
Session ctrl pkt |
Number of session control messages. |
|
Normal author request |
Number of normal authorization requests. |
|
Succ |
Number of acknowledgement messages. |
|
Set policy result |
Number of responses to the Set policy packets. |
|
RADIUS sent messages statistic |
Statistics for sent RADIUS messages. |
|
Auth accept |
Number of accepted authentication packets. |
|
Auth reject |
Number of rejected authentication packets. |
|
EAP auth replying |
Number of replying packets of EAP authentication. |
|
Account success |
Number of accounting succeeded packets. |
|
Account failure |
Number of accounting failed packets. |
|
Server ctrl req |
Number of server control requests. |
|
RecError_MSG_sum |
Number of received packets in error. |
|
SndMSG_Fail_sum |
Number of packets that failed to be sent out. |
|
Timer_Err |
Number of packets for indicating timer startup failures. |
|
Alloc_Mem_Err |
Number of packets for indicating memory allocation failures. |
|
State Mismatch |
Number of packets for indicating mismatching status. |
|
Other_Error |
Number of packets for indicating other types of errors. |
|
No-response-acct-stop packet |
Number of times that no response was received for stop-accounting packets. |
|
Discarded No-response-acct-stop packet for buffer overflow |
Number of stop-accounting packets that were buffered but then discarded due to full memory. |
display stop-accounting-buffer (for RADIUS)
Syntax
In standalone mode:
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS scheme.
slot slot-number: Specifies the stop-accounting requests buffered for a card. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the stop-accounting requests buffered for a card in a certain IRF member device. The chassis-number argument refers to the ID of the IRF member device, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display stop-accounting-buffer to display information about the stop-accounting requests buffered in the switch.
If the switch sends a stop-accounting request to a RADIUS server but receives no response, it retransmits it up to a certain number of times (defined by the retry command). If the switch still receives no response, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. The maximum number of the stop-accounting attempts is defined by the retry stop-accounting command. If all attempts fail, the switch discards the request.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, user-name-format, retry, and retry stop-accounting.
Examples
# Display information about the stop-accounting requests buffered for user abc.
<Sysname> display stop-accounting-buffer user-name abc slot 0
Slot 0:
RDIdx Session-ID user name Happened time
1 1000326232325010 abc 23:27:16-08/31/2006
1 1000326232326010 abc 23:33:01-08/31/2006
Total 2 record(s) Matched
key (RADIUS scheme view)
Syntax
key { accounting | authentication } [ cipher | simple ] key
undo key { accounting | authentication }
View
RADIUS scheme view
Default level
2: System level
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication/authorization communication.
{ cipher | simple } key: Specifies a case-sensitive shared key string. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode, a ciphertext password is a string of 1 to 117 characters and a plaintext password is a string of 1 to 64 characters.
· If FIPS mode, a ciphertext password is a string of 8 to 117 characters and a plaintext password is a string of 8 to 64 characters.
Description
Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication.
Use undo key to restore the default.
By default, no shared key is configured.
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text to the configuration file.
The shared keys specified during the configuration of the RADIUS servers, if any, take precedence.
The shared keys configured on the switch must match those configured on the RADIUS server.
Related commands: display radius scheme.
Examples
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$mi8/Wvo2GZBoYXwHtwxI8HwzhZrPEg== in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key authentication cipher $c$3$mi8/Wvo2GZBoYXwHtwxI8HwzhZrPEg==
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
nas-ip (RADIUS scheme view)
Syntax
nas-ip { ipv4-address | ipv6 ipv6-address }
undo nas-ip
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the switch and must be a unicast address that is neither a loopback address nor a link-local address.
Description
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to restore the default.
By default, the source IP address of an outgoing RADIUS packet is that configured by the radius nas-ip command in system view; if the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration will not take effect.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one.
|
|
NOTE: The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. |
Related commands: radius nas-ip.
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
primary accounting (RADIUS scheme view)
Syntax
primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo primary accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the primary accounting server.
ipv6 ipv6-address: IPv6 address of the primary accounting server. It must be a valid global unicast address.
port-number: Service port number of the primary accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.
key [ cipher | simple ] key: Specifies a case-sensitive shared key for communication with the primary RADIUS accounting server. This shared key must be the same as that configured on the RADIUS server. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode, a ciphertext password is a string of 1 to 117 characters and a plaintext password is a string of 1 to 64 characters.
· If FIPS mode, a ciphertext password is a string of 8 to 117 characters and a plaintext password is a string of 8 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use primary accounting to specify the primary RADIUS accounting server.
Use undo primary accounting to remove the configuration.
By default, no primary RADIUS accounting server is specified.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you change the primary accounting server when the device has already sent a start-accounting request to the server, the communication with the primary server will time out, and the device will look for a server in active state from the new primary server on.
If you remove an accounting server being used by users, the device no longer sends real-time accounting requests and stop-accounting requests for the users, and does not buffer the stop-accounting requests.
|
|
NOTE: · The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command. · The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. |
For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text to the configuration file.
Related commands: key and vpn-instance (RADIUS scheme view).
Examples
# For RADIUS scheme radius1, set the IP address of the primary accounting server to 10.110.1.2, the UDP port to 1813, and the shared key to $c$3$xlged+OpMjGoGeHu/zRasBe2nKEl in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key cipher $c$3$xlged+OpMjGoGeHu/zRasBe2nKEl
primary authentication (RADIUS scheme view)
Syntax
primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo primary authentication
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the primary authentication/authorization server.
ipv6 ipv6-address: IPv6 address of the primary authentication/authorization server. It must be a valid global unicast address.
port-number: Service port number of the primary authentication/authorization server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
key [ cipher | simple ] key: Specifies a case-sensitive shared key for communication with the primary RADIUS authentication/authorization server. This shared key must be the same as that configured on the RADIUS server. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode, a ciphertext password is a string of 1 to 117 characters and a plaintext password is a string of 1 to 64 characters.
· If FIPS mode, a ciphertext password is a string of 8 to 117 characters and a plaintext password is a string of 8 to 64 characters .
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use primary authentication to specify the primary RADIUS authentication/authorization server.
Use undo primary authentication to remove the configuration.
By default, no primary RADIUS authentication/authorization server is specified.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server will time out, and the device will look for a server in active state from the new primary server on.
|
|
NOTE: · The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. · The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. |
For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text to the configuration file.
Related commands: key and vpn-instance (RADIUS scheme view).
Examples
# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to 10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello
radius client
Syntax
radius client enable
undo radius client
View
System view
Default level
2: System level
Parameters
None
Description
Use radius client enable to enable the RADIUS client service.
Use undo radius client to disable the RADIUS client service.
By default, the RADIUS client service is enabled.
When the RADIUS client service is disabled:
· No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still considers the user to be online during a certain period of time.
· The buffered accounting packets cannot be sent out and will be deleted from the buffer when the configured maximum number of attempts is reached, affecting the precision of user accounting.
· If local authentication, authorization, or accounting is configured as the backup, the device performs local authentication, authorization, or accounting instead after the RADIUS request fails. Local accounting is only for monitoring and controlling the number of local user connections; it does not provide the statistics function that the accounting feature generally provides.
Examples
# Enable the RADIUS client service.
<Sysname> system-view
[Sysname] radius client enable
radius nas-ip
Syntax
radius nas-ip { ipv4-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address }
undo radius nas-ip { ipv4-address [ vpn-instance vpn-instance-name ] | ipv6 ipv6-address }
View
System view
Default level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device that is neither a loopback address nor a link-local address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IPv4 address. With no VPN specified, the command specifies a public-network source IPv4 address.
Description
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to remove the configuration.
By default, the source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
You can specify up to one public-network source IP address and 15 private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address. A private-network source IP address newly specified for a VPN overwrites the previous one.
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
|
|
NOTE: The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. |
Related commands: nas-ip.
Examples
# Set the IP address for the switch to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
radius scheme
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
View
System view
Default level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.
Use undo radius scheme to delete a RADIUS scheme.
By default, no RADIUS scheme is defined.
A RADIUS scheme can be referenced by more than one ISP domain at the same time.
A RADIUS scheme referenced by ISP domains cannot be removed.
Related commands: display radius scheme.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
radius trap
Syntax
radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
View
System view
Default level
2: System level
Parameters
accounting-server-down: Sends traps when the reachability of the accounting server changes.
authentication-error-threshold: Sends traps when the number of authentication failures exceed the specified threshold. The threshold is represented by the ratio of the number of failed request transmission attempts to the total number of transmission attempts. It ranges from 1 to 100 and defaults to 30. This threshold can only be configured through the MIB.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Description
Use radius trap to enable the trap function for RADIUS.
Use undo radius trap to disable the trap function for RADIUS.
By default, the trap function is disabled for RADIUS.
With the trap function for RADIUS, a NAS sends a trap message in the following cases:
· The status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server to blocked state and sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers that the RADIUS server is reachable again and also sends a trap message.
· The ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold.
Examples
# Enable the switch to send traps in response to accounting server reachability changes.
<Sysname> system-view
[Sysname] radius trap accounting-server-down
reset radius statistics
Syntax
In standalone mode:
reset radius statistics [ slot slot-number ]
In IRF mode:
reset radius statistics [ chassis chassis-number slot slot-number ]
View
User view
Default level
2: System level
Parameters
slot slot-number: Specifies the RADIUS statistics for the card in a slot by the slot number. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the RADIUS statistics for a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
Description
Use reset radius statistics to clear RADIUS statistics.
Related commands: display radius statistics.
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
reset stop-accounting-buffer (for RADIUS)
Syntax
In standalone mode:
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ slot slot-number ]
In IRF mode:
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ chassis chassis-number slot slot-number ]
View
User view
Default level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS scheme.
slot slot-number: Specifies the stop-accounting requests buffered for a card. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the stop-accounting requests buffered for a card in a certain IRF member device. The chassis-number argument refers to the ID of the IRF member device, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
Description
Use reset stop-accounting-buffer to clear the buffered stop-accounting requests for which no responses have been received.
Related commands: stop-accounting-buffer enable, retry stop-accounting, user-name-format, and display stop-accounting-buffer.
Examples
# Clear the stop-accounting requests buffered for user user0001@test.
<Sysname> reset stop-accounting-buffer user-name user0001@test
# Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2010.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2010 23:59:59-08/31/2010
retry
Syntax
retry retry-times
undo retry
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Description
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
By default, the maximum number of RADIUS packet transmission attempts is 3.
Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the switch does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the switch still receives no response from the RADIUS server, the switch considers the request a failure.
The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Related commands: radius scheme and timer response-timeout.
Examples
# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of accounting attempts, in the range of 1 to 255.
Description
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
By default, the maximum number of accounting attempts is 5.
A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting request for a user in the timeout period from the NAS, it considers that there may be line or device failures and stops accounting for the user. This may happen when some unexpected failure occurs. To cooperate with this feature of the RADIUS server, the NAS needs to keep pace with the server in disconnecting the user. The maximum number of accounting attempts, together with some other parameters, enables the NAS to promptly disconnect the user.
The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within three seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
Related commands: retry, timer response-timeout, and timer realtime-accounting.
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
retry stop-accounting (RADIUS scheme view)
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of stop-accounting attempts, in the range of 10 to 65535.
Description
Use retry stop-accounting to set the maximum number of stop-accounting attempts.
Use undo retry stop-accounting to restore the default.
By default, the maximum number of stop-accounting attempts is 500.
The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting attempts is 20 (set with the retry stop-accounting command). For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.
Related commands: retry, retry stop-accounting, timer response-timeout, and display stop-accounting-buffer.
Examples
# Set the maximum number of stop-accounting attempts to 1000 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000
secondary accounting (RADIUS scheme view)
Syntax
secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo secondary accounting [ ipv4-address | ipv6 ipv6-address ]
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the secondary accounting server, in dotted decimal notation.
ipv6 ipv6-address: IPv6 address of the secondary accounting server. It must be a valid global unicast address.
port-number: Service port number of the secondary accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.
key [ cipher | simple ] key: Specifies a case-sensitive shared key for communication with the secondary RADIUS accounting server. This shared key must be the same as that configured on the RADIUS server. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode, a ciphertext password is a string of 1 to 117 characters and a plaintext password is a string of 1 to 64 characters.
· If FIPS mode, a ciphertext password is a string of 8 to 117 characters and a plaintext password is a string of 8 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary accounting to specify a secondary RADIUS accounting server for a RADIUS scheme.
Use undo secondary accounting to remove a secondary RADIUS accounting server.
By default, no secondary RADIUS accounting server is specified.
You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate with it.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server will time out, and the device will look for a server in active state from the primary server on.
If you remove an accounting server being used by online users, the device no longer sends real-time accounting requests and stop-accounting requests for the users, and does not buffer the stop-accounting requests.
|
|
NOTE: · The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command. · The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. |
For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text to the configuration file.
Related commands: key, state, and vpn-instance (RADIUS scheme view).
Examples
# For RADIUS scheme radius1, set the IP address of the secondary accounting server to 10.110.1.1, the UDP port to 1813, and the shared key to $c$3$xlged+OpMjGoGeHu/zRasBe2nKEl in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key cipher $c$3$xlged+OpMjGoGeHu/zRasBe2nKEl
# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813 key hello
secondary authentication (RADIUS scheme view)
Syntax
secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]
View
RADIUS scheme view
Default level
2: System level
Parameters
ipv4-address: IPv4 address of the secondary authentication/authorization server, in dotted decimal notation.
ipv6 ipv6-address: IPv6 address of the secondary authentication/authorization server. It must be a valid global unicast address.
port-number: UDP port number of the secondary authentication/authorization server, which ranges from port-number: Service port number of the secondary authentication/authorization server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
key [ cipher | simple ] key: Specifies a case-sensitive shared key for communication with the secondary RADIUS authentication/authorization server. This shared key must be the same as that configured on the RADIUS server. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode, a ciphertext password is a string of 1 to 117 characters and a plaintext password is a string of 1 to 64 characters.
· If FIPS mode, a ciphertext password is a string of 8 to 117 characters and a plaintext password is a string of 8 to 64 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authentication to specify a secondary RADIUS authentication/authorization server.
Use undo secondary authentication to remove a secondary RADIUS authentication/authorization server.
By default, no secondary RADIUS authentication/authorization server is specified.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server will time out, and the device will look for a server in active state from the primary server on.
|
|
NOTE: · The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command. · The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme. |
For secrecy, all shared keys, including shared keys configured in plain text, are saved in cipher text to the configuration file.
Related commands: key, state, and vpn-instance (RADIUS scheme view).
Examples
# For RADIUS scheme radius1, set the IP address of the secondary authentication/authorization server to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$DDbEscwRlcXQsVfGWL+764OFT/l6TiNm in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key cipher $c$3$DDbEscwRlcXQsVfGWL+764OFT/l6TiNm
# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1813. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key simple hello
security-policy-server
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
View
RADIUS scheme view
Default level
2: System level
Parameters
ip-address: Specifies a security policy server by its IP address.
all: Specifies all security policy servers.
Description
Use security-policy-server to specify a security policy server for a RADIUS scheme.
Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
By default, no security policy server is specified for a RADIUS scheme.
You can specify up to eight security policy servers for a RADIUS scheme.
You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Related commands: radius nas-ip.
Examples
# Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
server-type
Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Default level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally CAMS or IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet format of the standard RADIUS protocol (RFC 2865 and 2866 or their successors).
Description
Use server-type to configure the RADIUS server type.
Use undo server-type to restore the default.
By default, the supported RADIUS server type is standard.
Examples
# Configure the RADIUS server type of RADIUS scheme radius1 as standard.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard
state primary
Syntax
state primary { accounting | authentication } { active | block }
View
RADIUS scheme view
Default level
2: System level
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication/authorization server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Description
Use state primary to set the status of a primary RADIUS server.
By default, the primary RADIUS server specified for a RADIUS scheme is in active state.
During an authentication or accounting process, the switch first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the switch changes the status of the primary server to blocked, starts a quiet timer for the server, and then tries to communicate with a secondary server in active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of the primary server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually.
When the primary server and secondary servers are both in blocked state, the switch communicates with the primary server.
Related commands: display radius scheme and state secondary.
Examples
# Set the status of the primary server in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
state secondary
Syntax
state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
View
RADIUS scheme view
Default level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
authentication: Sets the status of the secondary RADIUS authentication/authorization server.
ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Description
Use state secondary to set the status of a secondary RADIUS server.
By default, every secondary RADIUS server specified in a RADIUS scheme is in active state.
If no IP address is specified, this command changes the status of all configured secondary servers for authentication/authorization or accounting.
If the switch finds that a secondary server in active state is unreachable, the switch changes the status of the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate with the next secondary server in active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of a server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually. If all configured secondary servers are unreachable, the switch considers the authentication or accounting attempt a failure.
Related commands: display radius scheme and state primary.
Examples
# Set the status of all the secondary servers in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
stop-accounting-buffer enable (RADIUS scheme view)
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
RADIUS scheme view
Default level
2: System level
Parameters
None
Description
Use stop-accounting-buffer enable to enable the switch to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
By default, the switch buffers stop-accounting requests to which no responses are received.
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet. However, if you have removed the accounting server, stop-accounting messages are not buffered.
Related commands: reset stop-accounting-buffer and display stop-accounting-buffer.
Examples
# Enable the device to buffer the stop-accounting requests to which no responses are received.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] stop-accounting-buffer enable
timer quiet (RADIUS scheme view)
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Default level
2: System level
Parameters
minutes: Server quiet period in minutes, ranging from 0 to 255. If you set this argument to 0, when the device needs to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server’s status. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the current server because the current server is in active state.
Description
Use timer quiet to set the quiet timer for the servers, that is, the duration during which the servers stay blocked before resuming the active state.
Use undo timer quiet to restore the default.
By default, the server quiet period is 5 minutes.
You can use the command to adjust the duration during which a server must stay quiet, and control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device’s port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible.
Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures because the device keeps trying to communicate with an unreachable server that is in active state.
Related commands: display radius scheme.
Examples
# Set the quiet timer for the servers to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
timer realtime-accounting (RADIUS scheme view)
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60.
Description
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
By default, the real-time accounting interval is 12 minutes.
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
When the real-time accounting interval on the switch is zero, the switch will send online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server (if any) or will not send online user accounting information.
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Table 8 Recommended real-time accounting intervals
|
Number of users |
Real-time accounting interval (in minutes) |
|
1 to 99 |
3 |
|
100 to 499 |
6 |
|
500 to 999 |
12 |
|
1000 or more |
15 or longer |
Related commands: retry realtime-accounting.
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
timer response-timeout (RADIUS scheme view)
Syntax
timer response-timeout seconds
undo timer response-timeout
View
RADIUS scheme view
Default level
2: System level
Parameters
seconds: RADIUS server response timeout period in seconds, in the range of 1 to 10.
Description
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
By default, the RADIUS server response timeout period is 3 seconds.
By default, the RADIUS server response timeout period is 3 seconds.
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Related commands: retry.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
user-name-format (RADIUS scheme view)
Syntax
user-name-format { keep-original | with-domain | without-domain }
View
RADIUS scheme view
Default level
2: System level
Parameters
keep-original: Sends the username to the RADIUS server as it is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Description
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
By default, the ISP domain name is included in the username.
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to a RADIUS server.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain, avoiding the confused situation where the RADIUS server regards two users in different ISP domains but with the same userid as one.
For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the device does not change the usernames from clients before forwarding them to the RADIUS server.
If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
Related commands: radius scheme.
Examples
# Specify the switch to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
vpn-instance (RADIUS scheme view)
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
RADIUS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of the MPLS VPN, a case-sensitive string of 1 to 31 characters.
Description
Use vpn-instance to specify a VPN instance for a RADIUS scheme.
Use undo vpn-instance to remove the configuration.
The VPN instance specified here applies to for all IPv4 servers in the RADIUS scheme for which no specific VPN instance is specified. The VPN instance specified here is not effective for IPv6 RADIUS servers.
Related commands: display radius scheme.
Examples
# Specify VPN instance test for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] vpn-instance test
HWTACACS configuration commands
data-flow-format (HWTACACS scheme view)
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
View
HWTACACS scheme view
Default level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Description
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.
By default, the unit for data flows is byte and that for data packets is one-packet.
The unit for data flows and that for packets must be consistent with those on the HWTACACS server. Otherwise, accounting cannot be performed correctly.
Related commands: display hwtacacs.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets respectively in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
display hwtacacs
Syntax
In standalone mode:
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
slot slot-number: Displays the configuration or statistics for the card in a slot. (In standalone mode)
chassis chassis-number slot slot-number: Displays the configuration or statistics for a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display hwtacacs to display the configuration of HWTACACS schemes or statistics for the HWTACACS servers specified in HWTACACS schemes.
If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS schemes.
If no slot number is specified, the command displays the configuration of the HWTACACS scheme on the main processing unit. (In standalone mode)
If no IRF member ID is specified, the command displays the configuration of the HWTACACS schemes on all members of an IRF fabric. (In IRF mode)
Related commands: hwtacacs scheme.
Examples
# Display the configuration of HWTACACS scheme gy.
<Sysname> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
VPN instance : vpn1
Primary-authorization-server : 172.31.1.11:49
VPN instance : vpn1
Primary-accounting-server : 172.31.1.11:49
VPN instance : vpn1
Secondary-authentication-server : 0.0.0.0:0
VPN instance : vpn1
Secondary-authorization-server : 0.0.0.0:0
VPN instance : vpn1
Secondary-accounting-server : 0.0.0.0:0
VPN instance : vpn1
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
NAS-IP-address : 0.0.0.0
key authentication : ******
key authorization : ******
key accounting : ******
VPN instance : vpn1
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Domain-included : Yes
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
|
Field |
Description |
|
HWTACACS-server template name |
Name of the HWTACACS scheme. |
|
Primary-authentication-server |
HWTACACS server information. · If a server is specified by IP address, the field displays the IP address and port number of the server. · If a server is specified by hostname, the field displays the hostname and port number of the server. · If no server is specified, the field displays 0.0.0.0:0. |
|
Primary-authorization-server |
|
|
Secondary-authentication-server |
|
|
Secondary-authorization-server |
|
|
Secondary-accounting-server |
|
|
Current-authentication-server |
Currently used server information. · If a server is specified by IP address, the field displays the IP address and port number of the server. · If a server is specified by hostname, the field displays the hostname and port number of the server. · If no server is available, the field displays 0.0.0.0:0. |
|
Current-authorization-server |
|
|
Current-accounting-server |
|
|
VPN instance |
MPLS L3VPN to which the server belongs. |
|
NAS-IP-address |
IP address of the NAS. If no NAS is specified, this field displays 0.0.0.0. |
|
key authentication |
Key for authentication, displayed as a series of asterisks (******). If no key is specified, this field displays N/A. |
|
key authorization |
Key for authorization, displayed as a series of asterisks (******). If no key is specified, this field displays N/A. |
|
key accounting |
Key for accounting, displayed as a series of asterisks (******). If no key is specified, this field displays N/A. |
|
Acct-stop-PKT retransmit times |
Number of stop-accounting packet transmission attempts. |
|
Data traffic-unit |
Unit for data flows. |
|
Packet traffic-unit |
Unit for data packets. |
# Display the statistics for the servers specified in HWTACACS scheme gy.
<Sysname> display hwtacacs gy statistics
Slot: 1
---[HWTACACS template gy primary authentication]---
HWTACACS server open number: 10
HWTACACS server close number: 10
HWTACACS authen client access request packet number: 10
HWTACACS authen client access response packet number: 6
HWTACACS authen client unknown type number: 0
HWTACACS authen client timeout number: 4
HWTACACS authen client packet dropped number: 4
HWTACACS authen client access request change password number: 0
HWTACACS authen client access request login number: 5
HWTACACS authen client access request send authentication number: 0
HWTACACS authen client access request send password number: 0
HWTACACS authen client access connect abort number: 0
HWTACACS authen client access connect packet number: 5
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure number: 0
HWTACACS authen client access response follow number: 0
HWTACACS authen client access response getdata number: 0
HWTACACS authen client access response getpassword number: 5
HWTACACS authen client access response getuser number: 0
HWTACACS authen client access response pass number: 1
HWTACACS authen client access response restart number: 0
HWTACACS authen client malformed access response number: 0
HWTACACS authen client round trip time(s): 5
---[HWTACACS template gy primary authorization]---
HWTACACS server open number: 1
HWTACACS server close number: 1
HWTACACS author client request packet number: 1
HWTACACS author client response packet number: 1
HWTACACS author client timeout number: 0
HWTACACS author client packet dropped number: 0
HWTACACS author client unknown type number: 0
HWTACACS author client request EXEC number: 1
HWTACACS author client request PPP number: 0
HWTACACS author client request VPDN number: 0
HWTACACS author client response error number: 0
HWTACACS author client response EXEC number: 1
HWTACACS author client response PPP number: 0
HWTACACS author client response VPDN number: 0
HWTACACS author client round trip time(s): 3
---[HWTACACS template gy primary accounting]---
HWTACACS server open number: 0
HWTACACS server close number: 0
HWTACACS account client request packet number: 0
HWTACACS account client response packet number: 0
HWTACACS account client unknown type number: 0
HWTACACS account client timeout number: 0
HWTACACS account client packet dropped number: 0
HWTACACS account client request command level number: 0
HWTACACS account client request connection number: 0
HWTACACS account client request EXEC number: 0
HWTACACS account client request network number: 0
HWTACACS account client request system event number: 0
HWTACACS account client request update number: 0
HWTACACS account client response error number: 0
HWTACACS account client round trip time(s): 0
display stop-accounting-buffer (for HWTACACS)
Syntax
In standalone mode:
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
In IRF mode:
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
slot slot-number: Specifies the stop-accounting requests buffered for a card. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the stop-accounting requests buffered for a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
Related commands: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.
Examples
# Display information about the stop-accounting requests buffered for HWTACACS scheme hwt1 on the card in slot 0.
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1 slot 0
Slot 0:
Total 0 record(s) Matched
hwtacacs nas-ip
Syntax
hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
View
System view
Default level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IP address. With no VPN specified, the command specifies a public-network source IP address.
Description
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to remove the configuration.
By default, the source IP address of a packet sent to the server is the IP address of the outbound interface.
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
You can specify up to one public-network source IP address and 15 private-network source IP addresses. A newly specified public-network source IP address overwrites the previous one. Each VPN can have only one private-network source IP address specified. A private-network source IP address newly specified for a VPN overwrites the previous one.
|
|
NOTE: The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence. |
Related commands: nas-ip.
Examples
# Set the IP address for the switch to use as the source address of the HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
hwtacacs scheme
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
View
System view
Default level
3: Manage level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Description
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
By default, no HWTACACS scheme exists.
An HWTACACS scheme can be referenced by more than one ISP domain at the same time.
An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
key (HWTACACS scheme view)
Syntax
key { accounting | authentication | authorization } [ cipher | simple ] key
undo key { accounting | authentication | authorization }
View
HWTACACS scheme view
Default level
2: System level
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
{ cipher | simple } key: Specifies a case-sensitive shared key string. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode, a ciphertext password is a string of 1 to 373 characters and a plaintext password is a string of 1 to 255 characters.
· If FIPS mode, a ciphertext password is a string of 8 to 373 characters and a plaintext password is a string of 8 to 255 characters.
Description
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
By default, no shared key is configured.
The shared keys configured on the device must match those configured on the HWTACACS servers.
For secrecy, all shared keys, including keys configured in plain text, are saved in cipher text to the configuration file.
Related commands: display hwtacacs.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting simple hello
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
# Set the shared key for secure HWTACACS accounting communication to $c$3$67JOgjsk/G+Q70vekDjtZdjqS8DCy1WQ in cipher text.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting cipher $c$3$67JOgjsk/G+Q70vekDjtZdjqS8DCy1WQ
nas-ip (HWTACACS scheme view)
Syntax
nas-ip ip-address
undo nas-ip
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Description
Use nas-ip to specify a source address for outgoing HWTACACS packets.
Use undo nas-ip to restore the default.
By default, the source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view; if the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If yes, the server processes the packet. If not, the server drops the packet.
If you execute the command multiple times, the most recent configuration takes effect.
|
|
NOTE: The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence. |
Related commands: hwtacacs nas-ip.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
primary accounting (HWTACACS scheme view)
Syntax
primary accounting { ip-address | hostname } [ port-number | vpn-instance vpn-instance-name ] *
undo primary accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS accounting server, in dotted decimal notation. The default setting is 0.0.0.0.
hostname: Hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 255 characters.
port-number: Port number of the primary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
By default, no primary HWTACACS accounting server is specified.
The IP addresses or hostnames of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server affects only accounting processes that occur after the remove operation.
|
|
NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. |
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49
primary authentication (HWTACACS scheme view)
Syntax
primary authentication { ip-address | hostname } [ port-number | vpn-instance vpn-instance-name ] *
undo primary authentication
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authentication server, in dotted decimal notation. The default setting is 0.0.0.0.
hostname: Hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 255 characters.
port-number: Service port number of the primary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use primary authentication to specify the primary HWTACACS authentication server.
Use undo primary authentication to remove the configuration.
By default, no primary HWTACACS authentication server is specified.
The IP addresses or hostnames of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets. Removing an authentication server affects only authentication processes that occur after the remove operation.
|
|
NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. |
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
primary authorization
Syntax
primary authorization { ip-address | hostname } [ port-number | vpn-instance vpn-instance-name ] *
undo primary authorization
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authorization server, in dotted decimal notation. The default setting is 0.0.0.0.
hostname: Hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 255 characters.
port-number: Service port number of the primary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
By default, no primary HWTACACS authorization server is specified.
The IP addresses or hostnames of the primary and secondary authorization servers must be different. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation.
|
|
NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. |
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49
reset hwtacacs statistics
Syntax
In standalone mode:
reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ]
In IRF mode:
reset hwtacacs statistics { accounting | all | authentication | authorization } [ chassis chassis-number slot slot-number ]
View
User view
Default level
1: Monitor level
Parameters
accounting: Clears HWTACACS accounting statistics.
all: Clears all HWTACACS statistics.
authentication: Clears HWTACACS authentication statistics.
authorization: Clears HWTACACS authorization statistics.
slot slot-number: Clears HWTACACS statistics for the card in the specified slot. (In standalone mode)
chassis chassis-number slot slot-number: Clears HWTACACS statistics for a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
Description
Use reset hwtacacs statistics to clear HWTACACS statistics.
Related commands: display hwtacacs.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
reset stop-accounting-buffer (for HWTACACS)
Syntax
In standalone mode:
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ]
In IRF mode:
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ chassis chassis-number slot slot-number ]
View
User view
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
slot slot-number: Specifies the stop-accounting requests buffered for a card. (In standalone mode)
chassis chassis-number slot slot-number: Specifies the stop-accounting requests buffered for a card in a certain IRF member switch. The chassis-number argument refers to the ID of the IRF member switch, and the slot-number argument refers to the number of the slot where the card resides. For the IRF member ID of a switch, use the display device command. (In IRF mode)
Description
Use reset stop-accounting-buffer to clear the buffered stop-accounting requests that get no responses.
Related commands: stop-accounting-buffer enable and display stop-accounting-buffer.
Examples
# Clear the stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1
retry stop-accounting (HWTACACS scheme view)
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, in the range of 1 to 300.
Description
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts.
Use undo retry stop-accounting to restore the default.
By default, the maximum number of stop-accounting request transmission attempts is 100.
Related commands: reset stop-accounting-buffer and display stop-accounting-buffer.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50
secondary accounting (HWTACACS scheme view)
Syntax
secondary accounting { ip-address | hostname } [ port-number | vpn-instance vpn-instance-name ] *
undo secondary accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS accounting server, in dotted decimal notation. The default setting is 0.0.0.0.
hostname: Hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 255 characters.
port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove the configuration.
By default, no secondary HWTACACS accounting server is specified.
The IP addresses or hostnames of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
If you execute the command multiple times, the most recent configuration takes effect.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server affects only accounting processes that occur after the remove operation.
|
|
NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. |
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49
secondary authentication (HWTACACS scheme view)
Syntax
secondary authentication { ip-address | hostname } [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authentication
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authentication server, in dotted decimal notation. The default setting is 0.0.0.0.
hostname: Hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 255 characters.
port-number: Service port number of the secondary HWTACACS authentication server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove the configuration.
By default, no secondary HWTACACS authentication server is specified.
The IP addresses or hostnames of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets is using it. Removing an authentication server affects only authentication processes that occur after the remove operation.
|
|
NOTE: The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme. |
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Specify the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49
secondary authorization
Syntax
secondary authorization { ip-address | hostname } [ port-number | vpn-instance vpn-instance-name ] *
undo secondary authorization
View
HWTACACS scheme view
Default level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authorization server, in dotted decimal notation. The default setting is 0.0.0.0.
hostname: Hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 255 characters.
port-number: Service port number of the secondary HWTACACS authorization server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove the configuration.
By default, no secondary HWTACACS authorization server is specified.
The IP addresses or hostnames of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
If the specified server resides on an MPLS VPN, you also need to specify that VPN with the secondary authorization command to ensure normal communication with the server. The VPN specified here takes precedence over the VPN specified for the HWTACACS scheme.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server affects only authorization processes that occur after the remove operation.
Related commands: display hwtacacs and vpn-instance (HWTACACS scheme view).
Examples
# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49
stop-accounting-buffer enable (HWTACACS scheme view)
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
View
HWTACACS scheme view
Default level
2: System level
Parameters
None
Description
Use stop-accounting-buffer enable to enable the switch to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
By default, the switch buffers stop-accounting requests to which no responses are received.
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request getting no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet.
Related commands: reset stop-accounting-buffer and display stop-accounting-buffer.
Examples
# In HWTACACS scheme hwt1, enable the switch to buffer the stop-accounting requests getting no responses.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
timer quiet (HWTACACS scheme view)
Syntax
timer quiet minutes
undo timer quiet
View
HWTACACS scheme view
Default level
2: System level
Parameters
minutes: Primary server quiet period, in minutes. It ranges from 1 to 255.
Description
Use timer quiet to set the quiet timer for the primary server, that is, the duration that the status of the primary server stays blocked before resuming the active state.
Use undo timer quiet to restore the default.
By default, the primary server quiet period is 5 minutes.
Related commands: display hwtacacs.
Examples
# Set the quiet timer for the primary server to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
timer realtime-accounting (HWTACACS scheme view)
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60. A value of zero means "Do not send online user accounting information to the HWTACACS server."
Description
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
By default, the real-time accounting interval is 12 minutes.
For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is for setting the interval.
Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting interval. A shorter interval requires higher performance. Use a longer interval when there are a large number of users (more than 1000, inclusive).
Table 10 Recommended real-time accounting intervals
|
Number of users |
Real-time accounting interval (in minutes) |
|
1 to 99 |
3 |
|
100 to 499 |
6 |
|
500 to 999 |
12 |
|
1000 or more |
15 or more |
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
timer response-timeout (HWTACACS scheme view)
Syntax
timer response-timeout seconds
undo timer response-timeout
View
HWTACACS scheme view
Default level
2: System level
Parameters
seconds: HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Description
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
By default, the HWTACACS server response timeout time is 5 seconds.
HWTACACS is based on TCP. If the server response timeout timer or the TCP timeout timer times out, the switch will be disconnected from the HWTACACS server.
Related commands: display hwtacacs.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
user-name-format (HWTACACS scheme view)
Syntax
user-name-format { keep-original | with-domain | without-domain }
View
HWTACACS scheme view
Default level
2: System level
Parameters
keep-original: Sends the username to the HWTACACS server as it is entered.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Description
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
By default, the ISP domain name is included in the username.
A username is generally in the format userid@isp-name, of which isp-name is used by the switch to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the switch must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain, avoiding the confused situation where the HWTACACS server regards two users in different ISP domains but with the same userid as one.
Examples
# Specify the switch to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
vpn-instance (HWTACACS scheme view)
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
HWTACACS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.
Description
Use vpn-instance to specify a VPN instance for the HWTACACS scheme.
Use undo vpn-instance to remove the configuration.
The VPN specified here takes effect for all servers in the HWTACACS scheme for which no specific VPN instance is specified.
Related commands: display hwtacacs.
Examples
# Specify VPN instance test for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] vpn-instance test
