10-Security Command Reference

HomeSupportSwitchesH3C S7500E Switch SeriesReference GuidesCommand ReferencesH3C S7500E Switch Series Command References-Release7178-6W10010-Security Command Reference
01-AAA commands
Title Size Download
01-AAA commands 416.28 KB

Contents

AAA commands· 1

General AAA commands· 1

aaa nas-id profile· 1

aaa session-limit 1

accounting command· 2

accounting default 3

accounting lan-access· 4

accounting login· 5

accounting portal 7

authentication default 8

authentication lan-access· 9

authentication login· 10

authentication portal 11

authentication super 13

authorization command· 14

authorization default 15

authorization lan-access· 16

authorization login· 17

authorization portal 19

authorization-attribute (ISP domain view) 20

display domain· 21

domain· 23

domain default enable· 24

nas-id bind vlan· 25

state (ISP domain view) 26

Local user commands· 27

access-limit 27

authorization-attribute (local user view/user group view) 27

bind-attribute· 30

display local-user 31

display user-group· 33

group· 35

local-user 36

password· 37

service-type· 38

state (local user view) 39

user-group· 40

RADIUS commands· 41

accounting-on enable· 41

algorithm loading-share enable· 42

attribute 15 check-mode· 43

client 43

data-flow-format (RADIUS scheme view) 44

display radius scheme· 45

display radius statistics· 48

key (RADIUS scheme view) 50

nas-ip (RADIUS scheme view) 51

port 52

primary accounting (RADIUS scheme view) 53

primary authentication (RADIUS scheme view) 54

radius dynamic-author server 56

radius nas-ip· 57

radius scheme· 58

radius session-control enable· 59

radius-server test-profile· 59

reset radius statistics· 60

retry· 61

retry realtime-accounting· 61

secondary accounting (RADIUS scheme view) 62

secondary authentication (RADIUS scheme view) 64

security-policy-server 66

snmp-agent trap enable radius· 67

state primary· 68

state secondary· 69

timer quiet (RADIUS scheme view) 70

timer realtime-accounting (RADIUS scheme view) 71

timer response-timeout (RADIUS scheme view) 72

user-name-format (RADIUS scheme view) 73

vpn-instance (RADIUS scheme view) 74

HWTACACS commands· 75

data-flow-format (HWTACACS scheme view) 75

display hwtacacs scheme· 75

hwtacacs nas-ip· 78

hwtacacs scheme· 79

key (HWTACACS scheme view) 79

nas-ip (HWTACACS scheme view) 81

primary accounting (HWTACACS scheme view) 82

primary authentication (HWTACACS scheme view) 83

primary authorization· 85

reset hwtacacs statistics· 86

secondary accounting (HWTACACS scheme view) 87

secondary authentication (HWTACACS scheme view) 89

secondary authorization· 90

timer quiet (HWTACACS scheme view) 92

timer realtime-accounting (HWTACACS scheme view) 93

timer response-timeout (HWTACACS scheme view) 93

user-name-format (HWTACACS scheme view) 94

vpn-instance (HWTACACS scheme view) 95

LDAP commands· 96

authentication-server 96

display ldap scheme· 96

ip· 98

ipv6· 99

ldap scheme· 100

ldap server 100

login-dn· 101

login-password· 102

protocol-version· 102

search-base-dn· 103

search-scope· 104

server-timeout 104

user-parameters· 105


AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter NAS-ID profile view.

Use undo aaa nas-id profile to remove a NAS-ID profile.

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

Default

No NAS-ID profile exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.

Examples

# Create a NAS-ID profile named aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

·     nas-id bind vlan

·     port-security nas-id-profile

·     portal nas-id-profile

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users who can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

In non-FIPS mode:

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

In FIPS mode:

aaa session-limit { https | ssh } max-sessions

undo aaa session-limit { https | ssh }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range for this argument is 1 to 32.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting method of the ISP domain is used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record all commands that have been successfully executed on the device.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

·     accounting default

·     command accounting (Fundamentals Command Reference)

·     hwtacacs scheme

accounting default

Use accounting default to specify the default accounting method for an ISP domain.

Use undo accounting default to restore the default.

Syntax

In non-FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

In FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users who support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

In non-FIPS mode:

accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

In FIPS mode:

accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

Default

The default accounting method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

Related commands

·     accounting default

·     local-user

·     radius scheme

accounting login

Use accounting login to specify the accounting method for login users.

Use undo accounting login to restore the default.

Syntax

In non-FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

In FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting login

Default

The default accounting method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

·     accounting default

·     hwtacacs scheme

·     local-user

·     radius scheme

accounting portal

Use accounting portal to specify the accounting method for portal users.

Use undo accounting portal to restore the default.

Syntax

In non-FIPS mode:

accounting portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

In FIPS mode:

accounting portal { local | radius-scheme radius-scheme-name [ local ] }

undo accounting portal

Default

The default accounting method of the ISP domain is used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

Related commands

·     accounting default

·     local-user

·     radius scheme

authentication default

Use authentication default to specify the default authentication method for an ISP domain.

Use undo authentication default to restore the default.

Syntax

In non-FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

In FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users who support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# Configure the default authentication method for ISP domain test to use RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     ldap scheme

·     local-user

·     radius scheme

authentication lan-access

Use authentication lan-access to configure the authentication method for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

In non-FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

In FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

Default

The default authentication method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

·     authentication default

·     hwtacacs scheme

·     ldap scheme

·     local-user

·     radius scheme

authentication login

Use authentication login to specify the authentication method for login users.

Use undo authentication login to restore the default.

Syntax

In non-FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

In FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication login

Default

The default authentication method of the ISP is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

·     authentication default

·     hwtacacs scheme

·     ldap scheme

·     local-user

·     radius scheme

authentication portal

Use authentication portal to specify the authentication method for portal users.

Use undo authentication portal to restore the default.

Syntax

In non-FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

In FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication portal

Default

The default authentication method of the ISP domain is used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

·     authentication default

·     ldap scheme

·     local-user

·     radius scheme

authentication super

Use authentication super to specify a method for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication method of the ISP domain is used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.

If you specify a scheme to provide the method for user role authentication, the following rules apply:

·     If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server to represent the highest user level that a user can obtain. For example, to obtain a level-3 user role whose username is test, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.

·     If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n represents a user role level. For example, to obtain a level-3 user role, the device uses the username string $enab3$.

For more information about user role authentication, see Fundamentals Configuration Guide.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-domain-test] authentication super hwtacacs-scheme tac

Related commands

·     authentication default

·     hwtacacs scheme

·     radius scheme

authorization command

Use authorization command to specify the command authorization method.

Use undo authorization command to restore the default.

Syntax

In non-FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

In FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }

undo authorization command

Default

The default authorization method of the ISP domain is used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role.

The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup authorization method.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

·     authorization accounting (Fundamentals Command Reference)

·     hwtacacs scheme

·     local-user

authorization default

Use authorization default to specify the default authorization method for an ISP domain.

Use undo authorization default to restore the default.

Syntax

In non-FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

In FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Non-login users can access the network.

·     Login users are assigned the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.

·     FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users who support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# Configure the default authorization method for ISP domain test to use RADIUS scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

·     hwtacacs scheme

·     local-user

·     radius scheme

authorization lan-access

Use authorization lan-access to configure the authorization method for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

In non-FIPS mode:

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

In FIPS mode:

authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

Default

The default authorization method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

·     authorization default

·     local-user

·     radius scheme

authorization login

Use authorization login to configure the authorization method for login users.

Use undo authorization login to restore the default.

Syntax

In non-FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

In FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization login

Default

The default authorization method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users are assigned the default user role. For more information about the default user role feature, see Fundamentals Configuration Guide.

·     FTP, SFTP, and SCP login users also have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

·     authorization default

·     hwtacacs scheme

·     local-user

·     radius scheme

authorization portal

Use authorization portal to configure the authorization method for portal users.

Use undo authorization portal to restore the default.

Syntax

In non-FIPS mode:

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

In FIPS mode:

authorization portal { local | radius-scheme radius-scheme-name [ local ] }

undo authorization portal

Default

The default authorization method of the ISP domain is used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

·     authorization default

·     local-user

·     radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { idle-cut minute [ flow ] | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | user-profile profile-name }

undo authorization-attribute { idle-cut | ip-pool | ipv6-pool | user-profile }

Default

No authorization attribute is configured for users in the ISP domain and the idle cut feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 600. This option takes effect only on portal users.

flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240. This argument takes effect only on portal users.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for PPP users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. This option is not supported in the current software version.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users who do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If you execute the command multiple times for the idle cut feature, the most recent configuration takes effect.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

display domain

Use display domain to display the ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

 

Domain: system

  State: Active

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Session time: Exclude idle time

  Authorization attributes :

    Idle-cut: Disabled

 

Domain: dm

  State: Active

  Login   authentication scheme:  RADIUS=rad

  Login   authorization  scheme:  HWTACACS=hw

  Super   authentication scheme:  RADIUS=rad

  PPP     accounting     scheme:  RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local

  Command authorization  scheme:  HWTACACS=hw

  LAN access authentication scheme:  RADIUS=r4

  Portal  authentication scheme:  LDAP=ldp

  Default authentication scheme:  LDAP=rad, Local, None

  Default authorization  scheme:  Local

  Default accounting     scheme:  None

  Session time: Exclude idle time

  Authorization attributes :

    Idle-cut : Enabled

      Idle timeout: 2 minutes

      Flow: 10240 bytes

    IP pool: appy

 

Default domain name: system

Table 1 Command output

Field

Description

Domain

ISP domain name.

State

Status of the ISP domain.

Default authentication scheme

Default authentication method.

Default authorization scheme

Default authorization method.

Default accounting scheme

Default accounting method.

Session time

Online duration sent to the server for users who went offline due to connection failure or malfunction.

The online duration does not include the idle cut period (or user online detection interval for portal users).

ADVPN authentication scheme

ADVPN is not supported in the current software version. The setting in this field is not effective.

ADVPN authorization scheme

ADVPN is not supported in the current software version. The setting in this field is not effective.

ADVPN accounting scheme

ADVPN is not supported in the current software version. The setting in this field is not effective.

Login authentication scheme

Authentication method for login users.

Login authorization scheme

Authorization method for login users.

Login accounting scheme

Accounting method for login users.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle-cut

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users who do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. It is the default idle cut state.

Idle timeout

Idle timeout period, in minutes.

Flow

Minimum traffic that a login user must generate in an idle cut period, in bytes.

IP pool

In the current software version, the device does not support authorizing an IP pool to authenticated users. The setting in this field is not effective.

RADIUS

RADIUS scheme.

HWTACACS

HWTACACS scheme.

LDAP

LDAP scheme.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Super authentication scheme

Authentication method for obtaining another user role without reconnecting to the device.

PPP authentication scheme

PPP is not supported in the current software version. The setting in this field is not effective.

PPP authorization scheme

PPP is not supported in the current software version. The setting in this field is not effective.

PPP accounting scheme

PPP is not supported in the current software version. The setting in this field is not effective.

Command authorization scheme

Command line authorization method.

Command accounting scheme

Command line accounting method.

LAN access authentication scheme

Authentication method for LAN users.

LAN access authorization scheme

Authorization method for LAN users.

LAN access accounting scheme

Accounting method for LAN users.

Portal authentication scheme

Authentication method for portal users.

Portal authorization scheme

Authorization method for portal users.

Portal accounting scheme

Accounting method for portal users.

 

domain

Use domain to create an ISP domain and enter ISP domain view.

Use undo domain to remove an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

There is a system-defined ISP domain named system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, or default.

Usage guidelines

All ISP domains are in active state when they are created.

The system has a predefined ISP domain named system. You can modify but not remove its configuration.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create ISP domain test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

·     display domain

·     domain default enable

·     state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

There can be only one default ISP domain.

The specified ISP domain must already exist.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

·     display domain

·     domain

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN binding exists.

Views

NAS-ID profile view

Predefined user roles

network-admin

mdc-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

·     aaa nas-id profile

·     port-security nas-id-profile

·     portal nas-id-profile

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

By blocking an ISP domain, you disable offline users of the domain from requesting network services. The online users are not affected.

Examples

# Place the ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users, who do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 using the local user name abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip-pool | ipv6-pool | user-profile | user-role role-name | vlan | work-directory } *

Default

FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user on the default MDC are assigned the network-operator user role. The local users created by an mdc-admin or level-15 user on a non-default MDC are assigned the mdc-operator user role.

Views

Local user view, user group view

Predefined user roles

network-admin

mdc-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user. This option is not supported in the current software version.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. When the idle cut feature is enabled, an online user whose idle period exceeds the specified idle timeout period is logged out.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is not supported in the current software version.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of authenticated users. This option is not supported in the current software version.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

·     For portal users, only the following authorization attributes are effective: acl, idle-cut, and vlan.

·     For LAN users, only the following authorization attributes are effective: acl and vlan.

·     For HTTP, HTTPS, Telnet, and terminal users, only the authorization attribute user-role is effective.

·     For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.

·     For other types of local users, no authorization attribute is effective.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after an active/standby or master/subordinate switchover, do not specify slot information for the working directory.

To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

When you configure the security-audit user role, follow these restrictions and guidelines:

·     If the device has local users authorized as the security-audit user role, you cannot delete the last local user who has this user role.

·     The user role security-audit is mutually exclusive with other user roles.

¡     When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

¡     When you assign other user roles to a local user who has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of the network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

·     display local-user

·     display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

Default

No binding attribute is configured for a local user.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option is not supported in the current software version.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters. This argument is not supported in the current software version.

ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to LAN and portal users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN and portal users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN and portal users.

Usage guidelines

Binding attributes are checked upon authentication of a local user. If the local user has a non-matching attribute or lacks a required attribute, user authentication fails.

When you configure binding attributes for a local user, verify the following items:

·     The device can obtain from the user's packet all attributes for checking. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

·     The binding interface type must meet the requirements of the local user. For example, you can bind an 802.1X user to a physical port. If you bind the 802.1X user to a logical interface (for example, a VLAN interface), the user will fail the local authentication.

Examples

# Bind IP address 3.3.3.3 with the network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute ip 3.3.3.3

Related commands

display local-user

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ike | lan-access | pad | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

class: Specifies the local user type.

·     manage: Device management user.

·     network: Network access user.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users who use a specific type of service.

·     advpn: ADVPN tunnel users. This keyword is not supported in the current software version.

·     ftp: FTP users.

·     http: HTTP users.

·     https: HTTPS users.

·     ike: IKE users. This keyword is not supported in the current software version.

·     lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users.

·     pad: X.25 PAD users. This keyword is not supported in the current software version.

·     portal: Portal users.

·     ppp: PPP users. This keyword is not supported in the current software version.

·     ssh: SSH users.

·     telnet: Telnet users.

·     terminal: Terminal users who log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 2 local users matched.

 

Device management user root:

 State:                    Active

 Service type:             SSH/Telnet/Terminal

 Access limit:             Enabled           Max access number: 3

 Current access number:    1

 User group:               system

 Bind attributes:

 Authorization attributes:

  Work directory:          flash:

  User role list:          network-admin

 Password control configurations:

  Password aging:          Enabled (3 days)

Network access user jj:

 State:                    Active

 Service type:             Lan-access

 User group:               system

 Bind attributes:

  IP address:              2.2.2.2

  Location bound:          GigabitEthernet1/0/1

  MAC address:             0001-0001-0001

  VLAN ID:                 2

  Calling number:          2:2

 Authorization attributes:

  Idle timeOut:            33 (min)

  Work directory:          flash:

  ACL number:              2000

  User role list:          network-operator, level-0, level-3

Table 2 Command output

Field

Description

State

Status of the local user: active or blocked.

Service type

Service types that the local user can use, including FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.

Access limit

Whether the concurrent login limit is enabled.

Max access number

Maximum number of concurrent logins using the local user name.

Current access number

Current number of concurrent logins using the local user name.

User group

Group to which the local user belongs.

Bind attributes

Binding attributes of the local user.

IP address

IP address of the local user.

Location bound

Binding port of the local user.

MAC address

MAC address of the local user.

VLAN ID

Binding VLAN of the local user.

Calling number

PPP calling numbers are not supported in the current software version. The setting in this field is not effective.

Authorization attributes

Authorization attributes of the local user.

Idle timeOut

Idle timeout period of the user, in minutes.

Callback number

PPP callback numbers are not supported in the current software version. The setting in this field is not effective.

Work directory

Directory that the FTP, SFTP, or SCP user can access.

ACL number

Authorization ACL of the local user.

VLAN ID

Authorized VLAN of the local user.

User role list

Authorized roles of the local user.

Password control configurations

Password control attributes that are configured for the user.

Password aging

This field appears only when password aging is enabled. The aging time is displayed in parentheses.

Password length

This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.

Password composition

This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:

·     Minimum number of character types that the password must contain.

·     Minimum number of characters from each type in the password.

Password complexity

This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:

·     Whether the password can contain the username or the reverse of the username.

·     Whether the password can contain any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user who failed to log in after using up all login attempts.

 

display user-group

Use display user-group to display the user group configuration.

Syntax

display user-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, this command displays the configuration of all user groups.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group

Total 2 user groups matched.

 

The contents of user group system:

 Authorization attributes:

  Work directory:          flash:

The contents of user group jj:

 Authorization attributes:

  Idle timeOut:            2 (min)

  Callback number:         2:2

  Work directory:          flash:/

  ACL number:              2000

  VLAN ID:                 2

Password control configurations:

  Password aging:          Enabled (2 days)

Table 3 Command output

Field

Description

Idle timeOut

Idle timeout period, in minutes.

Callback number

PPP callback numbers are not supported in the current software version. The setting in this field is not effective.

Work directory

Directory that FTP, SFTP, or SCP users in the group can access.

ACL number

Authorization ACL.

VLAN ID

Authorized VLAN.

Password control configurations

Password control attributes that are configured for the user group.

Password aging

This field appears only when password aging is enabled. The aging time is displayed in parentheses.

Password length

This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.

Password composition

This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:

·     Minimum number of character types that the password must contain.

·     Minimum number of characters from each type in the password.

Password complexity

This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:

·     Whether the password can contain the username or the reverse of the username.

·     Whether the password can contain any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user who failed to log in after using up all login attempts.

 

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to the system-defined user group system.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter local user view.

Use undo local-user to remove local users.

Syntax

local-user user-name [ class { manage | network } ]

undo local-user { user-name class { manage | network } | all [ service-type { advpn | ftp | http | https | ike | lan-access | pad | portal | ppp | ssh | telnet | terminal } | class { manage | network } ] }

Default

No local user exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters that does not contain the domain name. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name also cannot be a, al, or all.

class: Specifies the local user type.

·     manage: Device management user who can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

·     network: Network access user who accesses network resources through the device. Network access users can use LAN access and portal services.

all: Specifies all users.

service-type: Specifies the local users who use a specific type of service.

·     advpn: ADVPN tunnel users. This keyword is not supported in the current software version.

·     ftp: FTP users.

·     http: HTTP users.

·     https: HTTPS users.

·     ike: IKE users. This keyword is not supported in the current software version.

·     lan-access: LAN users who typically access the network through an Ethernet, such as 802.1X users.

·     pad: X.25 PAD users. This keyword is not supported in the current software version.

·     portal: Portal users.

·     ppp: PPP users. This keyword is not supported in the current software version.

·     ssh: SSH users.

·     telnet: Telnet users.

·     terminal: Terminal users who log in through console ports.

Usage guidelines

If you do not specify the class { manage | network } option, this command adds a device management user.

Examples

# Add a device management user named user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

Related commands

·     display local-user

·     service-type

password

Use password to configure a password for a local user.

Use undo password to delete the password of a local user.

Syntax

In non-FIPS mode:

password [ { cipher | hash | simple } password ]

undo password

In FIPS mode:

password

Default

·     In non-FIPS mode, there is no password configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.

·     In FIPS mode, there is no password configured for a local user. A local user cannot pass authentication.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Sets a ciphertext password.

hash: Sets a hashed password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A cipher password is a string of 1 to 117 characters.

¡     A hashed password is a string of 1 to 110 characters.

¡     A plaintext password is a string of 1 to 63 characters.

·     In FIPS mode, the password is a plaintext string of 15 to 63 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").

Usage guidelines

If you do not specify any parameters or if the device operates in FIPS mode, you enter the interactive mode to set a plaintext password. Only device management users support passwords configured in interactive mode.

In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.

Device management users support plaintext and hashed passwords. Network access users support plaintext and ciphertext passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext, hashed or encrypted.

Examples

# Set the password of the device management user user1 to 123456TESTplat&! in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Set the password of the device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

# Set the password of the network access user user2 to 123456TESTuser&! in plain text.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2] password simple 123456TESTuser&!

Related commands

·     display local-user

·     local-user password-display-mode

service-type

Use service-type to specify the service types that a local user can use.

Use undo service-type to delete service types configured for a local user.

Syntax

In non-FIPS mode:

service-type { advpn | ftp | ike | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp }

undo service-type { advpn | ftp | ike | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp }

In FIPS mode:

service-type { advpn | ike | lan-access | { https | pad | ssh | terminal } * | portal | ppp }

undo service-type { advpn | ike | lan-access | { https | pad | ssh | terminal } * | portal | ppp }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

advpn: Authorizes the user to use the ADVPN service. This keyword is not supported in the current software version.

ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ike: Authorizes the user to use the IKE service. This keyword is not supported in the current software version.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

pad: Authorizes the user to use the PAD service. This keyword is not supported in the current software version.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

portal: Authorizes the user to use the Portal service.

ppp: Authorizes the user to use the PPP service. This keyword is not supported in the current software version.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize the device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Usage guidelines

This command applies only to the local user.

Examples

# Place the device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter user group view.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

There is a user group named system in the system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.

A user group with one or more local users cannot be deleted.

The system has a predefined user group named system. You can modify but not remove its configuration.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to restore the default.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a card reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to make sure the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set with the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

algorithm loading-share enable

Use algorithm loading-share enable to enable the RADIUS server load sharing feature.

Use undo algorithm loading-share enable to disable the RADIUS server load sharing feature.

Syntax

algorithm loading-share enable

undo algorithm loading-share enable

Default

The RADIUS server load sharing feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Use the RADIUS server load sharing feature to dynamically distribute the workload over multiple servers regardless of their server roles. The device forwards an AAA request to the most appropriate server of all active servers in the scheme after it compares the weight values and numbers of currently served users. Specify a weight value for each RADIUS server based on the AAA capacity of the server. A larger weight value indicates a higher AAA capacity.

In RADIUS server load sharing, once the device sends a start-accounting request to a server for a user, it forwards all subsequent accounting requests of the user to the same server. If the accounting server is unreachable, the device returns an accounting failure message rather than searching for another active accounting server.

Examples

# Enable the RADIUS server load sharing feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] algorithm loading-share enable

Related commands

·     primary authentication (RADIUS scheme view)

·     primary accounting (RADIUS scheme view)

·     secondary authentication (RADIUS scheme view)

·     secondary accounting (RADIUS scheme view)

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

client

Use client to specify a RADIUS DAE client.

Use undo client to remove a RADIUS DAE client.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No RADIUS DAE clients are specified.

Views

RADIUS DAE server view

Predefined user roles

network-admin

mdc-admin

Parameters

ip ipv4-address: Specifies a DAE client by its IPv4 address.

ipv6 ipv6-address: Specifies a DAE client by its IPv6 address.

key { cipher | simple } string: Specifies the shared key for secure communication between the RADIUS DAE client and server. Make sure the shared key is the same as the key configured on the RADIUS DAE client. If the RADIUS DAE client does not have any shared key, do not specify this option.

·     cipher string: Specifies a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Specifies a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the RADIUS DAE client belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

With the RADIUS DAE server feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DAE clients. The device processes the requests and sends DAE responses to the DAE clients.

The device discards any DAE packets sent from DAE clients that are not specified for the DAE server.

You can execute the client command multiple times to specify multiple DAE clients for the DAE server.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Specify the DAE client as 10.110.1.2 in the MPLS L3VPN abc. Set the shared key to 123456 in plaintext form for secure communication between the DAE server and client.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456 vpn-instance abc

Related commands

·     radius dynamic-author server

·     port

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display the configuration of RADIUS schemes.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS Scheme Name  : radius1

  Index : 0

  Primary Auth Server:

    Host name: Not configured

    IP  : Not configured                            Port: 1812

    State: Active

    VPN : vpn1

    Test profile: 132

      Probe username: test

      Probe interval: 60 minutes

    Weight: 40

  Primary Acct Server:

    Host name: server1

    IP : 1.1.1.1                                    Port: 1813

    State: Active

    VPN : Not configured

    Weight: 40

  Second Auth Server:

    Host name: Not configured

    IP : Not configured                             Port: 1812

    State: Block

    VPN : Not configured

    Test profile: Not configured

    Weight: 40

  Second Acct Server:

    Host name: Not configured

    IP : Not configured                              Port: 1813

    State: Block (Mandatory)

    VPN : Not configured

    Weight: 0

  Security Policy Server:

    Server: 0     IP: 2.2.2.2         VPN: Not configured

    Server: 1     IP: 3.3.3.3         VPN: 2

 

  Accounting-On function                     : Enabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 22

  NAS IP Address                             : 1.1.1.1

  VPN                                        : Not configured

  User Name Format                           : with-domain

  Data flow unit                             : Million Byte

  Packet unit                                : one

  Attribute 15 check-mode                    : Strict

  Algorithm                                  : loading-share

------------------------------------------------------------------

Table 4 Command output

Field

Description

Index

Index number of the RADIUS scheme.

Primary Auth Server

Information about the primary authentication server.

Primary Acct Server

Information about the primary accounting server.

Second Auth Server

Information about the secondary authentication server.

Second Acct Server

Information about the secondary accounting server.

Host name

Hostname of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP

IP address of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port

Service port number of the server. If no port number is specified, this field displays the default port number.

State

Status of the server:

·     Active—The server is in active state.

·     Block—The server is changed to blocked state automatically.

·     Block (Mandatory)—The server is set to blocked state manually.

VPN

VPN to which the server belongs. If no VPN is specified for the server, this field displays Not configured.

Test profile

Test profile used for RADIUS server status detection.

Probe username

Username used for RADIUS server status detection.

Probe interval

Server status detection interval, in minutes.

Weight

Weight value of the RADIUS server.

Server: n

Member ID of the security policy server.

IP

IP address of the security policy server.

VPN

VPN to which the security policy server belongs. If no VPN is specified for the server, this field displays Not configured.

Accounting-On function

Whether the accounting-on feature is enabled.

retransmission times

Number of accounting-on packet transmission attempts.

retransmission interval(seconds)

Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds)

RADIUS server response timeout period, in seconds.

Retransmission times

Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update

Maximum number of accounting attempts.

Server Quiet Period(minutes)

Quiet period for the servers, in minutes.

Realtime Accounting Interval(minutes)

Interval for sending realtime accounting updates, in minutes.

NAS IP Address

Source IP address for outgoing RADIUS packets.

VPN

VPN to which the RADIUS scheme belongs. If no VPN is specified for the server, this field displays Not configured.

User Name Format

Format for the usernames sent to the RADIUS server. Possible values include:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Data flow unit

Measurement unit for data flow.

Packet unit

Measurement unit for packets.

Attribute 15 check-mode

RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:

·     StrictMatches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

Algorithm

Load sharing principle of RADIUS servers:

·     primary-secondaryThe device forwards traffic to the server selected based on primary and secondary server roles.

·     loading-share—The device distributes traffic among multiple servers for load sharing.

 

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.

          Request Packet:          0             0             0

            Retry Packet:          0             0             -

          Timeout Packet:          0             0             -

        Access Challenge:          0             -             -

           Account Start:          -             0             -

          Account Update:          -             0             -

            Account Stop:          -             0             -

       Terminate Request:          -             -             0

              Set Policy:          -             -             0

    Packet With Response:          0             0             0

 Packet Without Response:          0             0             -

          Access Rejects:          0             -             -

          Dropped Packet:          0             0             0

          Check Failures:          0             0             0

Table 5 Command output

Field

Description

Auth.

Authentication packets.

Acct.

Accounting packets.

SessCtrl.

Session-control packets.

Request Packet

Number of request packets.

Retry Packet

Number of retransmitted request packets.

Timeout Packet

Number of request packets timed out.

Access Challenge

Number of access challenge packets.

Account Start

Number of start-accounting packets.

Account Update

Number of accounting update packets.

Account Stop

Number of stop-accounting packets.

Terminate Request

Number of packets for logging off users forcibly.

Set Policy

Number of packets for updating user authorization information.

Packet With Response

Number of packets for which responses were received.

Packet Without Response

Number of packets for which no responses were received.

Access Rejects

Number of Access-Reject packets.

Dropped Packet

Number of discarded packets.

Check Failures

Number of packets with checksum errors.

 

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS communication.

Use undo key to restore the default.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure RADIUS accounting communication.

authentication: Sets the shared key for secure RADIUS authentication communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A ciphertext shared key is a string of 1 to 117 characters.

¡     A plaintext shared key is a string of 1 to 64 characters.

·     In FIPS mode:

¡     A ciphertext shared key is a string of 15 to 117 characters.

¡     A plaintext shared key is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device due to a physical port error. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets.

A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.

Examples

# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

·     display radius scheme

·     radius nas-ip

port

Use port to specify the RADIUS DAE server port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAE server port number is 3799.

Views

RADIUS DAE server view

Predefined user roles

network-admin

mdc-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAE client must be the same as the RADIUS DAE server port on the DAE server.

Examples

# Enable the RADIUS DAE server to listen to UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

·     client

·     radius dynamic-author server

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, hostname, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' realtime accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests. The device can generate incorrect accounting results.

Examples

# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

# Specify the primary accounting server with hostname server1, UDP port number 1813, and plaintext shared key 123456 for RADIUS scheme radius2.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] primary accounting server1 1813 key simple 123456

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     secondary accounting (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The service port and shared key settings of the primary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

The server status detection is triggered for the server if the specified test profile exists on the device.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a.     Checks the weight value and number of currently served users for each active server.

b.     Determines the most appropriate server in performance to receive an AAA request.

Examples

# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

# Specify the primary authentication server with hostname server1, UDP port number 1812, and plaintext shared key 123456 for RADIUS scheme radius2.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] primary authentication server1 1812 key simple 123456

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     radius-server test-profile

·     secondary authentication (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAE server feature and enter RADIUS DAE server view.

Use undo radius dynamic-author server to disable the RADIUS DAE server feature.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAE server feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After you enable the RADIUS DAE server feature, the device listens to the RADIUS DAE server port to receive DAE packets from specified DAE clients.

Examples

# Enable the RADIUS DAE server feature and enter RADIUS DAE server view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

·     client

·     port

radius nas-ip

Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 or IPv6 address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IPv4 or IPv6 address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

If no source IP address is specified for outgoing RADIUS packets, packets returned from the server cannot reach the device due to a physical port error.

You can specify up to 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.

When you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS scheme is defined.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be referenced by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to restore the default.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled and the UDP port 1812 is closed.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ interval interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection. The detection packet uses admin as the username and is sent every 10 minutes.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin interval 10

Related commands

·     primary authentication (RADIUS scheme view)

·     secondary authentication (RADIUS scheme view)

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

mdc-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retry-times

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

·     If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

·     If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300.

Examples

# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

·     radius scheme

·     timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a realtime accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user.

To work with the RADIUS server, the NAS needs to send realtime accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the realtime accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.

Examples

# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

·     retry

·     timer realtime-accounting (RADIUS scheme view)

·     timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name | weight weight-value ] * ]

Default

No secondary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' realtime accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# For RADIUS scheme radius2, specify three secondary accounting servers by IP address or hostname. Set the UDP port number to 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

[Sysname-radius-radius2] secondary accounting server1 1813

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     primary accounting (RADIUS scheme view)

·     vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name | weight weight-value ] * ]

Default

No secondary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 117 characters. In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 64 characters. In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

You can configure up to 16 secondary RADIUS authentication servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

The server status detection is triggered for a server if the specified test profile exists on the device.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the RADIUS scheme.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a.     Checks the weight value and number of currently served users for each active server.

b.     Determines the most appropriate server in performance to receive an AAA request.

Examples

# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# For RADIUS scheme radius2, specify three secondary authentication servers by IP address or hostname. Set the UDP port number to 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

[Sysname-radius-radius2] secondary authentication server1 1812

Related commands

·     display radius scheme

·     key (RADIUS scheme view)

·     primary authentication (RADIUS scheme view)

·     radius-server test-profile

·     vpn-instance (RADIUS scheme view)

security-policy-server

Use security-policy-server to specify a security policy server.

Use undo security-policy-server to remove a security policy server.

Syntax

security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all }

Default

No security policy server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies the IPv4 address of the security policy server.

ipv6 ipv6-address: Specifies the IPv6 address of the security policy server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the security policy server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the security policy server is on the public network, do not specify this option.

all: Specifies all security policy servers.

Usage guidelines

You can specify up to eight security policy servers for a RADIUS scheme.

Examples

# Specify the security policy server 10.110.1.2 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

Related commands

display radius scheme

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All types of notifications for RADIUS are enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.

accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.

authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:

·     RADIUS server unreachable notificationThe RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

·     RADIUS server reachable notificationThe RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—The number of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server specified for a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of the primary RADIUS accounting server.

authentication: Sets the status of the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

When the RADIUS server load sharing feature is disabled, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

When the primary server and all secondary servers are in blocked state, the device only tries to communicate with the primary server.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

·     display radius scheme

·     radius-server test-profile

·     state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

Every secondary RADIUS server specified in a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the status of a secondary RADIUS accounting server.

authentication: Sets the status of a secondary RADIUS authentication server.

host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

·     display radius scheme

·     radius-server test-profile

·     state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

·     A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

·     A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

Examples

# Set the quiet timer for the servers to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the realtime accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval

undo timer realtime-accounting

Default

The realtime accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the realtime accounting interval in minutes, in the range of 0 to 60.

Usage guidelines

When the realtime accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the realtime accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the realtime accounting interval configured on the server. If the realtime accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval helps improve accounting precision but requires many system resources.

Table 6 Recommended realtime accounting intervals

Number of users

Realtime accounting interval

1 to 99

3 minutes

100 to 499

6 minutes

500 to 999

12 minutes

1000 or more

15 minutes or longer

 

Examples

# Set the realtime accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

·     display radius scheme

·     retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to a RADIUS server.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.

For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect. The device does not change the usernames from clients before forwarding them to the RADIUS server.

Examples

# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify a VPN for a RADIUS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Specifies the name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified here applies to all servers in the RADIUS scheme for which no VPN is specified.

Examples

# Specify VPN test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.

Examples

# Displays the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 TACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name  : hwtac

  Index : 0

  Primary Auth Server:

    Host name: Not configured

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

    Single-connection: Enabled

  Primary Author Server:

    Host name: server1

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

    Single-connection: Disabled

  Primary Acct Server:

    Host name: Not configured

    IP  : Not Configured  Port: 49     State: Block

    VPN Instance: Not configured

    Single-connection: Disabled

 

  VPN Instance                          : 2

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

  Data flow unit                        : Byte

  Packet unit                           : one

------------------------------------------------------------------

Table 7 Command output

Field

Description

Index

Index number of the HWTACACS scheme.

Primary Auth Server

Primary HWTACACS authentication server.

Primary Author Server

Primary HWTACACS authorization server.

Primary Acct Server

Primary HWTACACS accounting server.

Secondary Auth Server

Secondary HWTACACS authentication server.

Secondary Author Server

Secondary HWTACACS authorization server.

Secondary Acct Server

Secondary HWTACACS accounting server.

Host name

Hostname of the HWTACACS server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP

IP address of the HWTACACS server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port

Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.

Single-connection

Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

State

Status of the HWTACACS server: active or blocked.

VPN Instance

MPLS L3VPN to which the HWTACACS server or scheme belongs. If no VPN is specified for the server or scheme, this field displays Not configured.

NAS IP Address

Source IP address for outgoing HWTACACS packets.

Server Quiet Period(minutes)

Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes)

Realtime accounting interval, in minutes.

Response Timeout Interval(seconds)

HWTACACS server response timeout period, in seconds.

Username Format

Format for the usernames sent to the HWTACACS server. Possible values include:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Data flow unit

Measurement unit for data flows.

Packet unit

Measurement unit for packets.

 

Related commands

reset hwtacacs statistics

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an HWTACACS packet sent to the server is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

You can specify up to 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

A newly specified public-network source IP address overwrites the previous one. Each VPN can have at most one private-network source IPv4 address and one private-network source IPv6 address.

When you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

Examples

# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS scheme exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be referenced by more than one ISP domain at the same time.

You can configure up to 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to remove the configuration.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Sets the shared key for secure HWTACACS accounting communication.

authentication: Sets the shared key for secure HWTACACS authentication communication.

authorization: Sets the shared key for secure HWTACACS authorization communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A ciphertext shared key is a string of 1 to 373 characters.

¡     A plaintext shared key is a string of 1 to 255 characters.

·     In FIPS mode:

¡     A ciphertext shared key is a string of 15 to 373 characters.

¡     A plaintext shared key is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

If you execute the command multiple times, the most recent configuration takes effect.

Examples

# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme test1.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

# Specify the primary accounting server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme test2.

<Sysname> system-view

[Sysname] hwtacacs scheme test2

[Sysname-hwtacacs-test2] primary accounting server1 49 key simple 123456

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary accounting (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

# Specify the primary authentication server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt2.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt2

[Sysname-hwtacacs-hwt2] primary authentication server1 49 key simple 123456

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary authentication (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to remove the configuration.

Syntax

primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

# Specify the primary authorization server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt2.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt2

[Sysname-hwtacacs-hwt2] primary authorization server1 49 key simple 123456

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     secondary authorization

·     vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary HWTACACS accounting servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

# Specify a secondary accounting server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting server1 49 key simple 123456

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary accounting (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number I key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ]* ]

Default

No secondary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

# Specify a secondary authentication server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication server1 49 key simple 123456

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary authentication (HWTACACS scheme view)

·     vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number I key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ]* ]

Default

No secondary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 373 characters. In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive. In non-FIPS mode, the key is a string of 1 to 255 characters. In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authorization server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure up to 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option. The VPN specified by this command takes precedence over the VPN specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

# Specify a secondary authorization server with hostname server1, TCP port number 49, and plaintext shared key 123456 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization server1 49 key simple 123456

Related commands

·     display hwtacacs scheme

·     key (HWTACACS scheme view)

·     primary authorization

·     vpn-instance (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in an HWTACACS scheme.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# Set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the realtime accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The realtime accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

minutes: Specifies the realtime accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For realtime accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Table 8 Recommended realtime accounting intervals

Number of users

Realtime accounting interval

1 to 99

3 minutes

100 to 499

6 minutes

500 to 999

12 minutes

1000 or more

15 minutes or longer

 

Examples

# Set the realtime accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to an HWTACACS server.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

Examples

# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify a VPN for an HWTACACS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

vpn-instance-name: Name of the MPLS L3VPN, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN specified here takes effect for all servers in the HWTACACS scheme for which no VPN is specified.

Examples

# Specify VPN test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme

LDAP commands

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to remove the LDAP authentication server.

Syntax

authentication-server server-name

undo authentication-server server-name

Default

No LDAP authentication server is specified.

Views

LDAP scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

For an LDAP scheme, you can only specify one LDAP authentication server. If you execute the command for an LDAP scheme multiple times, the most recent configuration takes effect.

Examples

# Specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

·     display ldap scheme

·     ldap server

display ldap scheme

Use display ldap scheme to display the LDAP scheme configuration.

Syntax

display ldap scheme [ scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

 

------------------------------------------------------------------

  LDAP Scheme Name           : ldap-sch

  Authentication Server      : cc

    IP                       : 2.2.2.2

    Port                     : 389

    VPN Instance             : 2

    LDAP Protocol Version    : LDAPv2

    Server Timeout Interval  : 10 (seconds)

    Login Account DN         : lda

    Base DN                  : ll

    Search Scope             : single-level

    User Searching Parameters:

      User Object Class      : Not configured

      Username Attribute     : cn

      Username Format        : with-domain

------------------------------------------------------------------

Table 9 Command output

Field

Description

Index

Index number of the LDAP scheme.

Authentication Server

Name of the LDAP authentication server. If no server is configured, this field displays Not configured.

IP

IP address of the LDAP authentication server. If no authentication server is specified, this field displays Not configured.

Port

Port number of the authentication server. If no port number is specified, this field displays the default port number.

VPN Instance

VPN to which the LDAP server belongs. If no VPN is specified, this field displays Not configured.

LDAP Protocol Version

LDAP version, LDAPv2 or LDAPv3.

Server Timeout Interval

LDAP server timeout period, in seconds.

Login Account DN

DN of the administrator.

Base DN

Base DN for user search.

Search Scope

User DN search scope, including:

·     all-level—All subdirectories.

·     single-levelNext lower level of subdirectories under the base DN.

User Searching Parameters

User search parameters.

User Object Class

User object class for user DN search. If no user object class is configured, this field displays Not configured.

Username Attribute

User account attribute for login.

Username Format

Format for the username sent to the server.

 

ip

Use ip to configure the IP address and port number of the LDAP server.

Use undo ip to delete the LDAP server IP address and port number.

Syntax

ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ip

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number of the LDAP authentication server as 192.168.0.10 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address and port number of the LDAP server.

Use undo ipv6 to delete the LDAP server IPv6 address and port number.

Syntax

ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ipv6

Default

An LDAP server does not have an IPv6 address.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the LDAP server belongs, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IPv6 address and port number of the LDAP authentication server as 1:2::3:4 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap scheme

Use ldap scheme to create an LDAP scheme and enter LDAP scheme view.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP scheme is defined.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be referenced by more than one ISP domain at the same time.

You can configure up to 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter LDAP server view.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP server exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

server-name: LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to remove the configuration.

Syntax

login-dn dn-string

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.

If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city.

<Sysname> system-view

[Sysname] ldap server ldap1

[Sysname-ldap-server-ldap1] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

login-password { cipher | simple } password

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

·     If the simple keyword is specified, the password must be a string of 1 to 128 characters.

·     If the cipher keyword is specified, the password must be a ciphertext string of 1 to 201 characters.

Usage guidelines

This command is effective only after the login-dn command is configured.

For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.

Examples

# Configure the administrator password to abcdefg in plain text.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

·     display ldap scheme

·     login-dn

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

·     display ldap scheme

·     ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

·     display ldap scheme

·     ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

·     display ldap scheme

·     login-dn

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网