07-Security Command Reference
01-AAA Commands
AAA configuration commands
General AAA configuration commands
aaa nas-id profile
Use aaa nas-id profile to create a NAS ID profile and enter its view. A NAS ID profile maintains the bindings between NAS IDs and VLANs.
Use undo aaa nas-id profile to remove a NAS ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
Views
System view
Default command level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Examples
# Create a NAS ID profile named aaa.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]
Related commands
nas-id bind vlan
access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. Users are not accepted after the number of online users reaches the allowed maximum number.
Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Views
ISP domain view
Default command level
2: System level
Parameters
max-user-number: Maximum number of online users that the ISP domain will accept, in the range of 1 to 2147483646.
Usage guidelines
Because system resources can be limited, and user connections might compete for network resources, setting a limit for online users helps provide reliable system performance.
Examples
# Set a limit of 500 user connections for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500
Related commands
display domain
accounting command
Use accounting command to specify the command-line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method for the ISP domain is used for command-line accounting.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified HWTACACS scheme must have been configured.
Command-line accounting can use only an HWTACACS scheme.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command-line accounting.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
· accounting default
· hwtacacs scheme
accounting default
Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
Syntax
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default accounting method is used for all users who support the specified accounting method and have no specific accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that a typical accounting feature provides.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
· local-user
· hwtacacs scheme
· radius scheme
accounting lan-access
Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.
Syntax
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local
Related commands
· local-user
· accounting default
· radius scheme
accounting login
Use accounting login to configure the accounting method for login users through the console port, AUX port, or Telnet.
Use undo accounting login to restore the default.
Syntax
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting login
Default
The default accounting method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Accounting is not supported for login users who use FTP.
Examples
# Configure ISP domain test to use local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
· local-user
· accounting default
· hwtacacs scheme
· radius scheme
accounting optional
Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.
Syntax
accounting optional
undo accounting optional
Default
The feature is disabled.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
After you configure the accounting optional command for a domain, a user who would otherwise be disconnected can continue to use the network resources when no accounting server is available or when communication with the current accounting server fails. However, the device no longer sends users' real-time accounting updates.
After you configure the accounting optional command, the setting configured by the access-limit command in local user view has no effect.
Examples
# Enable the accounting optional feature for users in domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting optional
accounting portal
Use accounting portal to configure the accounting method for portal users.
Use undo accounting portal to restore the default.
Syntax
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
Default
The default accounting method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local
Related commands
· local-user
· accounting default
· radius scheme
accounting ppp
Use accounting ppp to configure the accounting method for PPP users.
Use undo accounting ppp to restore the default.
Syntax
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting ppp
Default
The default accounting method for the ISP domain is used for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp local
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp radius-scheme rd local
Related commands
· local-user
· accounting default
· hwtacacs scheme
· radius scheme
authentication default
Use authentication default to configure the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
Syntax
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.
The default authentication method is used for all users who support the specified authentication method and have no specific authentication method configured.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
· local-user
· hwtacacs scheme
· radius scheme
· ldap scheme
authentication lan-access
Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.
Syntax
authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authentication lan-access
Default
The default authentication method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
· local-user
· authentication default
· radius scheme
authentication login
Use authentication login to configure the authentication method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authentication login to restore the default.
Syntax
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication login
Default
The default authentication method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
· local-user
· authentication default
· hwtacacs scheme
· radius scheme
· ldap scheme
authentication portal
Use authentication portal to configure the authentication method for portal users.
Use undo authentication portal to restore the default.
Syntax
authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
Default
The default authentication method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified LDAP or RADIUS scheme must have been configured.
Only PAP is supported for LDAP authentication of portal users.
Examples
# Configure ISP domain test to use local authentication for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local
Related commands
· local-user
· authentication default
· ldap scheme
· radius scheme
authentication ppp
Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.
Syntax
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication ppp
Default
The default authentication method for the ISP domain is used for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp radius-scheme rd local
Related commands
· local-user
· authentication default
· hwtacacs scheme
· radius scheme
authentication super
Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name }
undo authentication super
Default
The default authentication method for the ISP domain is used for user privilege level switching authentication.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS authentication scheme must have been configured.
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
· hwtacacs scheme
· radius scheme
· super authentication-mode (Fundamentals Command Reference)
authentication wlan-ap
Use authentication wlan-ap to configure the authentication method for APs in a WLAN and specify the authentication RADIUS scheme.
Use undo authentication wlan-ap to restore the default.
Syntax
authentication wlan-ap radius-scheme radius-scheme-name
undo authentication wlan-ap
Default
The default authentication method for the ISP domain is used for AP authentication.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. The specified RADIUS scheme must exist.
Examples
# Configure the APs to use RADIUS scheme rd for authentication in ISP domain named system.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] authentication wlan-ap radius-scheme rd
Related commands
· authentication default
· radius scheme
authorization command
Use authorization command to configure the command-line authorization method.
Use undo authorization command to restore the default.
Syntax
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
Default
The default authorization method for the ISP domain is used for command-line authorization.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated user can access only Level 0 commands.
Usage guidelines
The specified HWTACACS scheme must have been configured.
With command-line authorization configured, a user who has logged in to the device can execute only the commands with a level lower than or equal to that of the local user.
Examples
# Configure ISP domain test to use local command-line authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command-line authorization and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
· local-user
· command authorization
· hwtacacs scheme
authorization default
Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can access the network, FTP users can access the root directory of the device, and non-FTP users can access only the Level 0 commands.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.
The default authorization method is used for all users who support the specified authorization method and have no specific authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
· local-user
· hwtacacs scheme
· radius scheme
· ldap scheme
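The same-scheme rule in the usage guidelines above, as an added configuration example that is not from the original reference: it assumes RADIUS schemes rd and rd2 and HWTACACS scheme hwtac have already been configured, and places the ineffective mismatched setting beside the corrected one.

```text
# Added example, not from the original reference. RADIUS schemes rd and
# rd2 and HWTACACS scheme hwtac are assumed to be configured already.
<Sysname> system-view
[Sysname] domain test
#
# Ineffective: authentication goes through rd but authorization through
# rd2. RADIUS authorization takes effect only when both methods use the
# same RADIUS scheme, so this authorization setting does not take effect.
[Sysname-isp-test] authentication default radius-scheme rd local
[Sysname-isp-test] authorization default radius-scheme rd2 local
#
# Corrected: reissue authorization with the scheme used for
# authentication (rd), and use the same scheme for accounting, with
# local as the backup for each when the RADIUS server is unreachable.
[Sysname-isp-test] authorization default radius-scheme rd local
[Sysname-isp-test] accounting default radius-scheme rd local
#
# Command-line authorization and accounting can use only an HWTACACS
# scheme. Keep local as the authorization backup rather than none,
# which would limit an authenticated user to Level 0 commands.
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
#
# Cap the number of concurrent online users in the domain.
[Sysname-isp-test] access-limit enable 500
```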
authorization lan-access
Use authorization lan-access to configure the authorization method for LAN users.
Use undo authorization lan-access to restore the default.
Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
Default
The default authorization method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated LAN user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local
Related commands
· local-user
· authorization default
· radius scheme
authorization login
Use authorization login to configure the authorization method for login users through the console port, AUX port, Telnet, or FTP.
Use undo authorization login to restore the default.
Syntax
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization login
Default
The default authorization method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access the root directory of the device, and other login users can access only the Level 0 commands.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS, HWTACACS, or LDAP scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
· local-user
· authorization default
· hwtacacs scheme
· radius scheme
· ldap scheme
authorization portal
Use authorization portal to configure the authorization method for portal users.
Use undo authorization portal to restore the default.
Syntax
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
Default
The default authorization method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated portal user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local
Related commands
· local-user
· authorization default
· radius scheme
authorization ppp
Use authorization ppp to configure the authorization method for PPP users.
Use undo authorization ppp to restore the default.
Syntax
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization ppp
Default
The default authorization method for the ISP domain is used for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange, and an authenticated PPP user can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp local
# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local
Related commands
· local-user
· authorization default
· hwtacacs scheme
· radius scheme
authorization-attribute
Use authorization-attribute to configure authorization attributes for users in an ISP domain.
Use undo authorization-attribute to restore the default.
Syntax
authorization-attribute { session-timeout minutes | user-profile profile-name }
undo authorization-attribute { session-timeout | user-profile }
Default
No authorization attributes are configured for users in an ISP domain.
Views
ISP domain view
Default command level
3: Manage level
Parameters
session-timeout minutes: Specifies the session timeout timer in minutes, in the range of 1 to 129600. The device logs off a user in the ISP domain when the timer expires for the user.
user-profile profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide.
Usage guidelines
If the server (local or remote) does not authorize attributes to an authenticated user in the ISP domain, the system uses the attributes specified by using this command.
You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times for the same authorization attribute, only the most recent configuration takes effect.
Examples
# Specify the default authorization user profile for domain test as profile1.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization-attribute user-profile profile1
cut connection
Use cut connection to tear down the specified user connections.
Syntax
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id }
Views
System view
Default command level
2: System level
Parameters
access-type: Specifies the user connections for the specified access type.
· dot1x: Indicates 802.1X authentication.
· mac-authentication: Indicates MAC address authentication.
· portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections for an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces and WLAN virtual interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username without a domain name, the system considers that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections of a VLAN, in the range of 1 to 4094.
Usage guidelines
This command applies to only LAN access, portal, and PPP user connections.
You cannot cut the connections by username for 802.1X users whose usernames include the version number or spaces, or use a slash (/) or backslash (\) as the domain name delimiter. For example, the cut connection user-name aaa\bbb command cannot cut the connections of the user aaa\bbb.
An interface that is configured with a mandatory authentication domain considers users of the corresponding access type as users in the mandatory authentication domain. For example, if you configure an 802.1X mandatory authentication domain on an interface, the interface uses the domain's AAA methods for all its 802.1X users. To cut connections of these users, use the cut connection domain isp-name command, and specify the mandatory authentication domain.
Examples
# Tear down all connections of ISP domain test.
<Sysname> system-view
[Sysname] cut connection domain test
Related commands
· display connection
· service-type
display connection
Use display connection to display information about AAA user connections.
Syntax
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
access-type: Specifies the user connections for the specified access type.
· dot1x: Indicates 802.1X authentication.
· mac-authentication: Indicates MAC address authentication.
· portal: Indicates portal authentication.
domain isp-name: Specifies the user connections for an ISP domain. The isp-name argument represents the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2 Ethernet interfaces and WLAN virtual interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format H-H-H.
ucibindex ucib-index: Specifies the user connection for the connection index, in the range of 0 to 4294967295.
user-name user-name: Specifies the user connections for the username. The user-name argument is a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system assumes that the user is in the default domain name or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections for a VLAN, in the range of 1 to 4094.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command does not display information about FTP user connections.
With no parameter specified, this command displays brief information about all AAA user connections.
If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise, this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X mandatory authentication domain), the device uses the mandatory authentication domain to perform authentication, authorization, and accounting for users who access the interface through the specified access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
For a user on an interface configured with a mandatory authentication domain, the device displays the username according to the format the user entered at login:
· If the username does not contain the at sign (@), the device displays the username in the format username@mandatory authentication domain name.
· If the username contains the at sign (@), the device displays the entered username. For example, if a user entered the username aaa@123 at login and the name of the mandatory authentication domain is dom, the device displays the username aaa@123, rather than aaa@123@dom.
You cannot query the connections by username for 802.1X users whose usernames use a slash (/) or backslash (\) as the domain name delimiter. For example, the display connection user-name aaa\bbb command cannot display the connections of the user aaa\bbb.
Examples
# Display information about all AAA user connections.
<Sysname> display connection
Index=1 ,Username=user1@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.1
IPv6=N/A
Online=00h00m53s
Total 1 connection(s) matched.
# Display information about AAA user connections with an index of 0.
<Sysname> display connection ucibindex 0
Index=0 , Username=user1@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Traffic Statistic:
InputOctets =12121212 OutputOctets =12120
InputGigawords=1 OutputGigawords=0
Priority=Disable
SessionTimeout=60(s), Terminate-Action=Radius-Request
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
# Display information about AAA user connections with an index of 1. The authentication response packet contains the username test1, which is used for accounting.
<Sysname> display connection ucibindex 1
Index=1 , Username=test@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorization VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Traffic Statistic:
InputOctets =12121212 OutputOctets =12120
InputGigawords=1 OutputGigawords=0
Priority=Disable
SessionTimeout=60(s), Terminate-Action=Radius-Request
Accounting Username=test1
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
Table 1 Command output
Field |
Description |
Username |
Username of the connection, in the format username@domain. |
MAC |
MAC address of the user. |
IP |
IPv4 address of the user. |
IPv6 |
IPv6 address of the user. |
Online |
Online duration of the user. |
Access |
User access type. |
ACL Group |
Authorization ACL group. When no authorization ACL group is assigned, this field displays Disable. |
User Profile |
Authorization user profile. |
CAR(kbps) |
Authorized CAR parameters. |
InputOctets |
Uplink traffic in bytes. Total uplink traffic in bytes = InputGigawords × 2^32 + InputOctets. |
OutputOctets |
Downlink traffic in bytes. Total downlink traffic in bytes = OutputGigawords × 2^32 + OutputOctets. |
InputGigawords |
Uplink traffic in units of 4 GB (2^32 bytes). |
OutputGigawords |
Downlink traffic in units of 4 GB (2^32 bytes). |
UpPeakRate |
Uplink peak rate. |
DnPeakRate |
Downlink peak rate. |
UpAverageRate |
Uplink average rate. |
DnAverageRate |
Downlink average rate. |
SessionTimeout |
Session timeout value received from the server, in seconds. The value indicates: · The remaining online time of the user if Terminate-Action is Default. · The re-authentication interval for the user if Terminate-Action is Radius-Request. |
Terminate-Action |
Action to take when the session timeout expires. The action can be: · Default—Cuts off the user. · Radius-Request—Re-authenticates the user. |
Accounting Username |
Username that is delivered from the server and to be used for accounting. |
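The following Python is an added example, not part of the H3C reference: it parses the detailed display connection record shown above (the sample text is the page's own ucibindex 0 output, copied verbatim), applies the Gigawords formula from the table, interprets SessionTimeout according to Terminate-Action, and cross-checks the Online field against Start and Current. The function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: the detailed "display connection ucibindex 0" output
# shown earlier on this page, copied verbatim.
SAMPLE_OUTPUT = """\
Index=0 , Username=user1@system
MAC=00-15-E9-A6-7C-FE
IP=10.0.0.1
IPv6=N/A
Access=Admin ,AuthMethod=PAP
Port Type=Virtual ,Port Name=N/A
Initial VLAN=999, Authorized VLAN=20
ACL Group=Disable
User Profile=N/A
CAR=Disable
Traffic Statistic:
InputOctets =12121212 OutputOctets =12120
InputGigawords=1 OutputGigawords=0
Priority=Disable
SessionTimeout=60(s), Terminate-Action=Radius-Request
Start=2009-07-16 10:53:03 ,Current=2009-07-16 10:57:06 ,Online=00h04m03s
Total 1 connection matched.
"""

GIGAWORD = 2 ** 32  # one Gigaword is 2^32 bytes (see the output table above)
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# One "Key=Value" pair per comma-separated chunk; keys may contain spaces.
PAIR_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")
# Traffic lines pack two single-word pairs without a comma, e.g.
# "InputOctets =12121212 OutputOctets =12120".
MULTI_RE = re.compile(r"(\w+)\s*=\s*(\S+)")


def parse_connection(text):
    """Parse one detailed connection record into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        for chunk in line.split(","):
            if chunk.count("=") > 1:
                fields.update(MULTI_RE.findall(chunk))
            else:
                m = PAIR_RE.match(chunk)
                if m:
                    fields[m.group(1)] = m.group(2)
    return fields


def total_bytes(fields):
    """Total uplink and downlink bytes: Gigawords * 2^32 + Octets."""
    up = int(fields["InputGigawords"]) * GIGAWORD + int(fields["InputOctets"])
    down = int(fields["OutputGigawords"]) * GIGAWORD + int(fields["OutputOctets"])
    return up, down


def online_seconds(fields):
    """Convert Online=HHhMMmSSs to seconds."""
    h, m, s = re.fullmatch(r"(\d+)h(\d+)m(\d+)s", fields["Online"]).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)


def online_matches_timestamps(fields):
    """Cross-check Online against Current - Start from the same record."""
    start = datetime.strptime(fields["Start"], TIME_FMT)
    current = datetime.strptime(fields["Current"], TIME_FMT)
    return int((current - start).total_seconds()) == online_seconds(fields)


def session_timeout_meaning(fields):
    """SessionTimeout is a re-authentication interval when Terminate-Action is
    Radius-Request, otherwise the remaining online time (per the output table)."""
    seconds = int(re.match(r"\d+", fields["SessionTimeout"]).group())
    if fields.get("Terminate-Action") == "Radius-Request":
        return "reauth-interval", seconds
    return "remaining-online-time", seconds


def accounting_identity(fields):
    """Name the accounting records are written under: the server-delivered
    'Accounting Username' if present, otherwise the connection's Username."""
    return fields.get("Accounting Username", fields["Username"])


if __name__ == "__main__":
    rec = parse_connection(SAMPLE_OUTPUT)
    up, down = total_bytes(rec)
    print(rec["Username"], "up", up, "down", down, "online", online_seconds(rec), "s")
    print(session_timeout_meaning(rec), accounting_identity(rec))
```

Feed the script the output of display connection ucibindex for each index you want to audit; the Gigawords term matters because InputOctets alone wraps at 4 GB and would under-report a long session.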
Related commands
cut connection
display domain
Use display domain to display the configuration of ISP domains.
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
isp-name: Name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any ISP domain, the command displays the configuration for all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
0 Domain : system
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
1 Domain : test
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Lan-access authentication scheme : radius:test, local
Lan-access authorization scheme : hwtacacs:hw, local
Lan-access accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Session-time : exclude-idle-time
Self-service : Disabled
Authorization attributes :
User-profile : profile1
Default Domain Name: system
Total 2 domain(s).
Table 2 Command output
Field |
Description |
Domain |
ISP domain name. |
State |
Status of the ISP domain: active or blocked. Users in an active ISP domain can request network services, and users in a blocked ISP domain cannot. |
Access-limit |
Limit on the number of user connections. If there is no limit on the number, this field displays Disabled. |
Accounting method |
Indicates whether accounting is required. If accounting is required and no accounting server is available, or communication with the accounting server fails, user connections are torn down. Otherwise, users can continue to use network services. |
Default authentication scheme |
Default authentication method. |
Default authorization scheme |
Default authorization method. |
Default accounting scheme |
Default accounting method. |
Lan-access authentication scheme |
Authentication method for LAN users. |
Lan-access authorization scheme |
Authorization method for LAN users. |
Lan-access accounting scheme |
Accounting method for LAN users. |
Domain User Template |
Indicates functions and attributes set for users in the domain. |
Idle-cut |
Indicates whether the idle cut function is enabled. When the idle cut function is enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic during the idle timeout period. |
Session-time |
Indicates whether the idle timeout period is included in the user online time to be uploaded to the server: · Exclude-idle-time—The idle timeout period is excluded from the user online time. · Include-idle-time—The idle timeout period is included in the user online time. |
Self-service |
Indicates whether the self-service function is enabled. With the self-service function enabled, users can launch a browser and enter the self-service URL in the address bar to access the self-service pages and perform self-service operations. |
Authorization attributes |
Default authorization attributes for the ISP domain. |
User-profile |
Default authorization user profile. |
SessionTimeOut |
Session timeout time, in minutes. |
Related commands
· access-limit enable
· domain
· state
domain
Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system predefined ISP domain named system in the system.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), vertical bar (|), or at sign (@).
Usage guidelines
All ISP domains are in active state when they are created.
The system predefined ISP domain system cannot be deleted, but you can modify its configuration.
To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create ISP domain test, and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test]
Related commands
· state
· display domain
domain default enable
Use domain default enable to specify the default ISP domain. Users without a domain name included in their usernames are considered to be in the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system predefined ISP domain system.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters.
Usage guidelines
There can be only one default ISP domain.
The specified domain must already exist. Otherwise, users without a domain name in their username cannot pass authentication.
To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
· domain
· state
· display domain
domain if-unknown
Use domain if-unknown to specify an ISP domain for users with unknown domain names.
Use undo domain if-unknown to restore the default.
Syntax
domain if-unknown isp-name
undo domain if-unknown
Default
No ISP domain is specified for users with unknown domain names.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), or at sign (@).
Usage guidelines
The device chooses an authentication domain for each user in the following order:
· The authentication domain specified for the access module.
· The ISP domain in the username.
· The default ISP domain of the device.
· The ISP domain specified for users with unknown domain names.
If all the domains are unavailable, user authentication fails.
Support for the authentication domain configuration depends on the access module. You can specify an authentication domain for 802.1X, portal, or MAC address authentication.
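The domain-selection order above, as an added Python illustration that is not H3C code. The function and its argument names are this example's own; it understands only "@" as the username/domain delimiter, and it assumes that a candidate domain that does not exist on the device is skipped so that the next candidate is tried (the page states only that authentication fails once all candidates are unavailable).

```python
def split_username(username):
    """Return (user, domain); domain is None when the username carries none."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep else None)


def select_domain(username, existing_domains, access_module_domain=None,
                  default_domain="system", if_unknown_domain=None):
    """Return the ISP domain the device would authenticate `username` in,
    or None when no usable domain is found (authentication fails).

    Order from the page:
      1. the authentication domain specified for the access module
      2. the ISP domain carried in the username
      3. the device's default ISP domain (usernames without a domain)
      4. the ISP domain for users with unknown domain names
    Assumption: a candidate that does not exist on the device is skipped.
    """
    existing = set(existing_domains)
    _, typed_domain = split_username(username)

    candidates = []
    if access_module_domain is not None:
        candidates.append(access_module_domain)
    if typed_domain is not None:
        candidates.append(typed_domain)
        if if_unknown_domain is not None:
            candidates.append(if_unknown_domain)   # domain if-unknown
    else:
        candidates.append(default_domain)          # domain default enable

    for domain in candidates:
        if domain in existing:
            return domain
    return None


if __name__ == "__main__":
    doms = {"system", "test", "dot1xdom"}
    print(select_domain("alice", doms))                                  # system
    print(select_domain("alice@test", doms))                             # test
    print(select_domain("alice@nosuch", doms, if_unknown_domain="test"))  # test
    print(select_domain("alice@test", doms, access_module_domain="dot1xdom"))
```

The practical point is step 1: once an interface carries a mandatory authentication domain, the domain a user types after "@" no longer chooses the AAA methods, which is why cut connection and display connection must be given the mandatory domain for those users.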
Examples
# Specify the ISP domain test for users with unknown domain names.
<Sysname> system-view
[Sysname] domain if-unknown test
Related commands
domain default enable
eap-profile
Use eap-profile to create an EAP profile and enter EAP profile view.
Use undo eap-profile to remove an EAP profile.
Syntax
eap-profile profile-name
undo eap-profile profile-name
Views
System view
Default command level
2: System level
Parameters
profile-name: Name of the EAP profile, a case-insensitive string of 1 to 16 characters.
Usage guidelines
An EAP profile is a collection of local EAP authentication settings, including the authentication method to be used and, for some authentication methods, the SSL server policy to be referenced.
Examples
# Create an EAP profile, and enter its view.
<Sysname> system-view
[Sysname] eap-profile aprf1
[Sysname-eap-prof-aprf1]
Related commands
· eap method
· ssl-server-policy
idle-cut enable
Use idle-cut enable to enable the idle cut function.
Use undo idle-cut enable to restore the default.
Syntax
idle-cut enable minute [ flow ]
undo idle-cut enable
Default
The function is disabled.
Views
ISP domain view
Default command level
2: System level
Parameters
minute: Idle timeout period in minutes, in the range of 1 to 129600.
flow: Minimum traffic during the idle timeout period in bytes, in the range of 1 to 10240000. The default is 10240.
Usage guidelines
When the idle cut function is enabled for a domain, the device checks the traffic of each online user in the domain at the idle timeout interval, and logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum.
You can also set the idle timeout period on the server to make the server log out users whose traffic during the idle timeout period is less than 10240 bytes. However, the server setting takes effect only when the idle cut function is disabled on the device.
In a portal stateful failover situation, set the idle cut interval to be greater than 5 minutes to make sure online users' data can be backed up.
Examples
# Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to 1024 bytes for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024
Related commands
domain
ip pool
Use ip pool to configure an address pool for assigning addresses to PPP users.
Use undo ip pool to delete an address pool.
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
Default
No IP address pool is configured for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
pool-number: Address pool number, in the range of 0 to 99.
low-ip-address and high-ip-address: Start and end IP addresses of the address pool. Up to 1024 addresses are allowed for an address pool. If you do not specify the end IP address, the start IP address is the only IP address in the pool.
Usage guidelines
An IP address pool configured in system view assigns IP addresses to PPP users who do not need to be authenticated. Use the remote address command in interface view to specify the address pool used for assigning an IP address to the peer device.
An IP address pool configured in ISP domain view assigns IP addresses to the ISP domain's PPP users who must be authenticated. Configure IP address pools for ISP domains when an interface serves a large number of PPP users and its own address resources are inadequate. For example, a GigabitEthernet interface running PPPoE can accommodate up to 4096 users, but only one address pool with up to 1024 addresses can be configured on its VT interface. To address the shortfall, configure address pools for ISP domains and assign addresses from them to PPP users by domain.
Examples
# Configure the IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.10
local-server authentication eap-profile
Use local-server authentication eap-profile to specify the EAP profile for the local authentication server to use.
Use undo local-server authentication eap-profile to remove the configuration.
Syntax
local-server authentication eap-profile profile-name
undo local-server authentication eap-profile
Views
System view
Default command level
2: System level
Parameters
profile-name: Name of an existing EAP profile, a case-insensitive string of 1 to 16 characters.
Examples
# Specify the EAP profile for the local authentication server to use as aprf1.
<Sysname> system-view
[Sysname] local-server authentication eap-profile aprf1
Related commands
eap-profile
method
Use method to specify the EAP authentication method.
Use undo method to remove the configuration.
Syntax
method { md5 | peap-gtc | peap-mschapv2 | tls | ttls }
undo method { md5 | peap-gtc | peap-mschapv2 | tls | ttls }
Default
No EAP authentication method is specified for an EAP profile.
Views
EAP profile view
Default command level
2: System level
Parameters
md5: Specifies the MD5 authentication method.
peap-gtc: Specifies PEAP with GTC as the inner authentication method in the TLS tunnel.
peap-mschapv2: Specifies PEAP with MSCHAPv2 as the inner authentication method in the TLS tunnel.
tls: Specifies the TLS authentication method.
ttls: Specifies the TTLS authentication method.
Usage guidelines
You can specify more than one EAP authentication method for an EAP profile. The most recent authentication method configuration has the lowest priority. The peap-gtc and peap-mschapv2 keywords cannot be simultaneously configured for an EAP profile.
When the local server performs EAP authentication for an EAP client, it first negotiates the EAP authentication method with the client. The local server proposes the configured method with the highest priority first. If the client supports it, negotiation succeeds and authentication starts. Otherwise, the local server proposes the method with the next highest priority, and so on, until the client accepts a method. If the client supports none of the configured methods, the local server sends an EAP-Failure packet to notify the client of the authentication failure.
An EAP-TTLS authentication process has two phases: TLS handshake and TLS tunnel. The TLS handshake phase, also called external authentication, performs negotiation and establishes the tunnel. The established tunnel protects the TLS tunnel phase, also called internal authentication, which uses PAP or MSCHAPv2. PAP supports all user credential databases (local and ldap-scheme), whereas MSCHAPv2 supports only the local keyword, because the server must compute the MSCHAPv2 response from the stored password rather than simply forward the credentials to LDAP for verification. If the local keyword is configured, MSCHAPv2 queries the local user database whether or not the ldap-scheme keyword is also configured. MSCHAPv2 fails if only the ldap-scheme keyword is configured.
Examples
# Create an EAP profile, and specify authentication methods MD5 and PEAP-MSCHAPv2 for the profile, with PEAP-MSCHAPv2 having a higher priority.
<Sysname> system-view
[Sysname] eap-profile aprf1
[Sysname-eap-prof-aprf1] method peap-mschapv2
[Sysname-eap-prof-aprf1] method md5
Related commands
user-credentials
nas device-id
Use nas device-id to specify the device ID.
Use undo nas device-id to restore the default.
Syntax
nas device-id device-id
undo nas device-id
Default
The device ID is 1.
Views
System view
Default command level
2: System level
Parameters
device-id: Specifies the device ID for the device. In stateful failover mode, it must be 1 or 2. In a MAC-BAC network, the value range for the device ID is 1 to 255.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
In stateful failover mode, the two devices are distinguished from each other by their device IDs.
In a MAC-BAC network, a master AC manages a group of BAS ACs. Each AC in the group must have a unique device ID.
Configuring or changing the device ID of a device logs off all online users of the device.
Examples
# Configure the device, which is intended to work in stateful failover mode, to use 1 as the device ID.
<Sysname> system-view
[Sysname] nas device-id 1
Warning: This command will cut all user connections on this device. Continue? [Y/N]
The other device for stateful failover must be configured to use 2 as the device ID.
# Configure an AC in a MAC-BAC network to use 3 as the device ID.
<Sysname> system-view
[Sysname] nas device-id 3
user-credentials
Use user-credentials to specify the database for user credential verification in local EAP authentication.
Use undo user-credentials to restore the default setting.
Syntax
user-credentials { ldap-scheme ldap-scheme-name [ local ] | local }
undo user-credentials
Default
The local user database is used.
Views
EAP profile view
Default command level
2: System level
Parameters
ldap-scheme ldap-scheme-name: Uses the LDAP database reached through the specified LDAP scheme. The ldap-scheme-name argument is a case-insensitive string of 1 to 32 characters. If the local keyword is also specified, the local user database is used as the backup.
local: Uses the local user database.
Examples
# Configure EAP profile aprf1 to use the local user database for local EAP authentication.
<Sysname> system-view
[Sysname] eap-profile aprf1
[Sysname-eap-prof-aprf1] user-credentials local
# Configure EAP profile aprf2 to use the LDAP database and the LDAP scheme test for local EAP authentication and use the local user database as the backup.
<Sysname> system-view
[Sysname] ldap scheme test
[Sysname-ldap-test] quit
[Sysname] eap-profile aprf2
[Sysname-eap-prof-aprf2] user-credentials ldap-scheme test local
nas-id bind vlan
Use nas-id bind vlan to bind a NAS ID with a VLAN.
Use undo nas-id bind vlan to remove a NAS ID-VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
Default
No NAS ID-VLAN binding exists.
Views
NAS ID profile view
Default command level
2: System level
Parameters
nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters.
vlan-id: ID of the VLAN to be bound with the NAS ID, in the range of 1 to 4094.
Usage guidelines
In a NAS ID profile view, you can configure multiple NAS ID–VLAN bindings.
A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the most recent binding takes effect.
Examples
# Bind NAS ID 222 with VLAN 2.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2
Related commands
aaa nas-id profile
self-service-url enable
Use self-service-url enable to enable the self-service server location function and specify the URL of the self-service server.
Use undo self-service-url enable to restore the default.
Syntax
self-service-url enable url-string
undo self-service-url enable
Default
The self-service server location function is disabled.
Views
ISP domain view
Default command level
2: System level
Parameters
url-string: URL of the self-service server, a string of 1 to 64 characters that starts with http:// and does not contain a question mark. This URL was specified by the RADIUS server administrator during RADIUS server installation.
Usage guidelines
With the self-service function, users can manage and control their accounts and passwords. Only the RADIUS server systems provided by IMC support the self-service function.
Examples
# For ISP domain test, enable the self-service server location function, and specify the URL of the self-service server for changing user password to http://10.153.89.94/selfservice.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] self-service-url enable http://10.153.89.94/selfservice
session-time include-idle-time
Use session-time include-idle-time to include the idle timeout period in the user online time to be uploaded to the server.
Use undo session-time include-idle-time to restore the default.
Syntax
session-time include-idle-time
undo session-time include-idle-time
Default
The user online time uploaded to the server excludes the idle timeout period.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
When a user logs off, the device uploads the user's online time to the server. When the idle cut function or online portal user detection is enabled, however, the online time of a user who was logged off abnormally can contain an idle timeout interval. Depending on your accounting policy, configure the device to include or exclude the idle timeout period before it uploads the online time to the server.
Examples
# Configure the device to include the idle timeout period in the user online time uploaded to the server for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time
Related commands
idle-cut enable
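The idle cut check (idle-cut enable) and the effect of session-time include-idle-time on the online time reported to the server, as one added Python model that is not H3C code. The class and function names are this example's own, the per-period traffic figures are constructed, and the model assumes the device evaluates traffic once at the end of each idle timeout period and counts the whole period as online time only when include-idle-time is set.

```python
from dataclasses import dataclass


@dataclass
class IdleCutPolicy:
    minute: int                      # idle timeout period in minutes (1..129600)
    flow: int = 10240                # minimum bytes per period (page default 10240)
    include_idle_time: bool = False  # session-time include-idle-time (default: excluded)

    def __post_init__(self):
        # Ranges taken from the idle-cut enable parameter descriptions above.
        if not 1 <= self.minute <= 129600:
            raise ValueError("idle timeout must be 1..129600 minutes")
        if not 1 <= self.flow <= 10240000:
            raise ValueError("minimum traffic must be 1..10240000 bytes")


def simulate_idle_cut(policy, traffic_per_period):
    """traffic_per_period[i] is the number of bytes the user moved during idle
    timeout period i+1 (constructed input). The device checks at the end of
    each period and logs the user off when that period's traffic is below
    policy.flow.

    Returns (period_of_cut, reported_online_minutes); both are None while the
    user stays online, since nothing is uploaded until the user goes offline."""
    for period, traffic in enumerate(traffic_per_period, start=1):
        if traffic < policy.flow:
            elapsed = period * policy.minute
            if policy.include_idle_time:
                return period, elapsed                  # idle period counted
            return period, elapsed - policy.minute      # idle period removed
    return None, None


if __name__ == "__main__":
    # Settings from the page's example: 50-minute period, 1024-byte threshold.
    excl = IdleCutPolicy(minute=50, flow=1024)
    incl = IdleCutPolicy(minute=50, flow=1024, include_idle_time=True)
    samples = [5000, 3000, 100]  # constructed: active, active, then idle
    print(simulate_idle_cut(excl, samples))  # (3, 100)
    print(simulate_idle_cut(incl, samples))  # (3, 150)
```

The two runs differ by exactly one idle timeout period (50 minutes here), which is the billing discrepancy an accounting policy has to decide on before enabling idle cut.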
ssl-server-policy
Use ssl-server-policy to specify an SSL server policy for the EAP authentication.
Use undo ssl-server-policy to remove the configuration.
Syntax
ssl-server-policy policy-name
undo ssl-server-policy
Default
No SSL server policy is specified for an EAP profile.
Views
EAP profile view
Default command level
2: System level
Parameters
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
Usage guidelines
The SSL server policy and the relevant PKI domain settings must have been configured before you specify the policy for an EAP profile. Otherwise, the command does not take effect.
For more information about SSL and PKI commands, see "SSL configuration commands" and "PKI configuration commands."
Examples
# Create an EAP profile, and specify an SSL server policy for the profile.
<Sysname> system-view
[Sysname] eap-profile aprf1
[Sysname-eap-prof-aprf1] ssl-server-policy tls-server
state (ISP domain view)
Use state to set the status of an ISP domain.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Default command level
2: System level
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
Blocking an ISP domain prevents users in the domain who are not yet online from requesting network services. Users that are already online are not affected.
Examples
# Place the ISP domain test in the blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Local user configuration commands
access-limit
Use access-limit to limit the number of users who concurrently use the same local user account.
Use undo access-limit to remove the limitation.
Syntax
access-limit max-user-number
undo access-limit
Default
There is no limit to the number of users who concurrently use the same local user account.
Views
Local user view
Default command level
3: Manage level
Parameters
max-user-number: Maximum number of concurrent users of the same local user account, in the range of 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is used for the user account.
This limit has no effect on FTP users because accounting is not available for FTP users.
Examples
# Limit the maximum number of concurrent users of local user account abc to 5.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] access-limit 5
Related commands
display local-user
authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to remove authorization attributes and restore the defaults.
Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | session-timeout minutes | user-profile profile-name | user-role { guest | guest-manager } | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | level | session-timeout | user-profile | user-role | vlan | work-directory } *
Default
No authorization attribute is configured for a local user or user group.
Views
Local user view, user group view
Default command level
3: Manage level
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must range from 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL.
callback-number callback-number: Specifies the authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out. The minute argument indicates the idle timeout period, in the range of 1 to 129600 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system level, and 3 for manage level. A smaller number means a lower level. This parameter determines the command level for login users whose user interfaces perform AAA authentication. By default, the user level is 0, and users can use only commands of level 0 after login.
session-timeout minutes: Specifies the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 129600. The device logs off the user when the timer expires.
user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a case-sensitive string of 1 to 32 characters. It can contain letters, digits, and underscores (_), and must start with a letter. After a user passes authentication and gets online, the device uses the settings in the user profile to restrict the access behavior of the user. For more information about user profiles, see Security Configuration Guide.
user-role: Specifies the role for the local user. This keyword is available in only local user view. Users playing different roles can access different levels of commands. If you specify no role for a local user, the access right of the user after login depends on other authorization attributes. Supported roles include:
· guest: A guest user account is usually created through the Web interface.
· guest-manager: An authenticated guest manager can manage guest user accounts on Web pages. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.
vlan vlan-id: Specifies the authorized VLAN, in the range of 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory for a user who uses the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory must already exist. By default, an FTP or SFTP user can access the root directory of the device.
Usage guidelines
Each authorization attribute applies to specific service types and purposes. Consider the service types of the users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. If an authorization attribute is configured in user group view but not in local user view, the setting in user group view takes effect.
A local user can play only one role at a time. If you perform the role configuration multiple times, only the last role configuration takes effect.
Examples
# Configure the authorized VLAN of local user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
bind-attribute
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
Default
No binding attribute is configured for a local user.
Views
Local user view
Default command level
3: Manage level
Parameters
call-number call-number: Specifies a calling number for ISDN user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user.
location port slot-number subslot-number port-number: Specifies the port to which the user is bound. The value range for the slot-number argument is 0 to 255, that for the subslot-number argument is 0 to 15, and that for the port-number argument is 0 to 255.
mac mac-address: Specifies the MAC address of the user in the format H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs, in the range of 1 to 4094.
Usage guidelines
Binding attributes are checked when a local user authenticates. If the attributes presented by the user do not match the configured binding attributes, the user fails the check and authentication fails.
Binding attribute checking does not take the service types of users into account. A configured binding attribute applies to all types of users, so configure binding attributes for different types of local users with caution. For example, an IP address binding applies only to 802.1X authentication that supports IP address upload. If the authentication method (such as MAC authentication) does not support IP address upload, do not configure an IP address binding for users of that method. Otherwise, local authentication fails.
Examples
# Configure the bound IP of local user abc as 3.3.3.3.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] bind-attribute ip 3.3.3.3
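The following added example (not H3C code) models the binding check described in the usage guidelines, including the failure mode where the access method cannot supply a bound attribute; the data classes and the sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not H3C code: models the check that bind-attribute settings
# impose on a local user. Attribute names follow the command syntax
# (call-number, ip, location, mac, vlan); the data model is an assumption.


@dataclass(frozen=True)
class BindAttributes:
    """Binding attributes configured under a local user. None = not bound."""
    call_number: Optional[str] = None
    ip: Optional[str] = None
    location: Optional[Tuple[int, int, int]] = None  # (slot, subslot, port)
    mac: Optional[str] = None                        # H-H-H format
    vlan: Optional[int] = None


@dataclass(frozen=True)
class AuthContext:
    """What the access method actually supplies when the user authenticates.
    None means the method did not upload that attribute (for example, MAC
    authentication does not upload the client IP address)."""
    call_number: Optional[str] = None
    ip: Optional[str] = None
    location: Optional[Tuple[int, int, int]] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None


def _norm_mac(mac: str) -> str:
    """Compare MAC addresses regardless of H-H-H, colon or case differences."""
    return mac.replace("-", "").replace(":", "").replace(".", "").lower()


def check_bind_attributes(bound: BindAttributes, ctx: AuthContext) -> list:
    """Return the list of binding mismatches; an empty list means the user
    passes the binding check. Every configured binding is checked regardless
    of service type, and a binding the access method cannot supply counts as
    a mismatch, which is why binding an IP address for a method that does not
    upload one makes local authentication fail."""
    failures = []
    for name in ("call_number", "ip", "location", "mac", "vlan"):
        expected = getattr(bound, name)
        if expected is None:
            continue  # attribute not bound, nothing to check
        actual = getattr(ctx, name)
        if actual is None:
            failures.append(f"{name}: bound but not supplied by the access method")
            continue
        if name == "mac":
            matched = _norm_mac(expected) == _norm_mac(actual)
        else:
            matched = expected == actual
        if not matched:
            failures.append(f"{name}: expected {expected!r}, got {actual!r}")
    return failures


def local_auth_passes(bound: BindAttributes, ctx: AuthContext) -> bool:
    """True when no configured binding attribute mismatches."""
    return not check_bind_attributes(bound, ctx)


if __name__ == "__main__":
    # Constructed sample: local user abc bound to IP 3.3.3.3 as in the command example.
    abc = BindAttributes(ip="3.3.3.3")
    # 802.1X with IP address upload supplies the client IP, so the check passes.
    print(check_bind_attributes(abc, AuthContext(ip="3.3.3.3", mac="0001-0002-0003")))
    # MAC authentication does not upload an IP address, so the same binding fails.
    print(check_bind_attributes(abc, AuthContext(mac="0001-0002-0003")))
```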
display local-user
Use display local-user to display configuration and statistics information about local users.
Syntax
display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal | web } | state { active | block } | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users who use a specified type of service. Supported service types vary by the device model.
· ftp: FTP users. This keyword is not supported in FIPS mode.
· lan-access: Users accessing the network through Ethernet, such as 802.1X users.
· portal: Portal users.
· ppp: PPP users. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.
· ssh: SSH users.
· telnet: Telnet users. This keyword is not supported in FIPS mode.
· terminal: Users logging in through the console or AUX port.
· web: Web users.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username is a case-sensitive string of 1 to 55 characters, and it does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN, in the range of 1 to 4094.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameter, the command displays information about all local users.
Examples
# Display information about all local users.
<Sysname> display local-user
The contents of local user abc:
State: Active
ServiceType: lan-access
Access-limit: Enabled Current AccessNum: 0
Max AccessNum: 300
User-group: system
Bind attributes:
IP address: 1.2.3.4
Bind location: 0/4/1 (SLOT/SUBSLOT/PORT)
MAC address: 00-01-00-02-00-03
Vlan ID: 100
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: flash:/
User Privilege: 3
Acl ID: 2000
Vlan ID: 100
User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Password aging: Enabled (30 days)
Password length: Enabled (4 characters)
Password composition: Enabled (4 types, 2 characters per type)
Total 1 local user(s) matched.
Field | Description |
---|---|
State | Status of the local user: active or blocked. |
ServiceType | Service types that the local user can use, including FTP, LAN access, PPP, portal, SSH, Telnet, and terminal. |
Access-limit | Whether or not to limit the number of concurrent connections of the username. |
Current AccessNum | Number of connections that currently use the username. |
Max AccessNum | Maximum number of concurrent connections of the username. |
Bind attributes | Binding attributes of the local user. |
VLAN ID | VLAN to which the user is bound. |
Calling Number | Calling number bound for the ISDN user. |
Authorization attributes | Authorization attributes of the local user. |
Idle TimeOut | Idle timeout period of the user, in minutes. |
Callback-number | Authorized PPP callback number of the local user. |
Work Directory | Directory that the FTP user can access. |
VLAN ID | Authorized VLAN of the local user. |
User Profile | User profile for local user authorization. |
Session TimeOut | Session timeout timer for the user, in minutes. |
Expiration date | Expiration time of the local user. |
Password aging | Aging time of the local user password. |
Password length | Minimum length of the local user password. |
Password composition | Password composition policy of the local user. |
Related commands
local-user
display user-group
Use display user-group to display the configuration of user groups.
Syntax
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
group-name: Specifies a user group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any user group name, the command displays the configuration of all user groups.
Examples
# Display the configuration of user group abc.
<Sysname> display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: FLASH:
Level: 1
Acl Number: 2000
Vlan ID: 1
User-Profile: 1
Callback-number: 1
Password aging: Enabled (1 days)
Password length: Enabled (4 characters)
Password composition: Enabled (1 types, 1 characters per type)
Total 1 user group(s) matched.
Table 4 Command output
Field | Description |
---|---|
Idle-cut | Idle timeout interval, in minutes. |
Work Directory | Directory that FTP/SFTP users in the group can access. |
Level | Level of the local users in the group. |
ACL Number | Authorization ACL for the local users in the group. |
VLAN ID | Authorized VLAN for the local users in the group. |
User-Profile | User profile for local user authorization. |
Session TimeOut | Session timeout timer, in minutes. |
Callback-number | Authorized PPP callback number for the local users in the group. |
Password aging | Password aging time for the local users in the group. |
Password length | Minimum password length for the local users in the group. |
Password composition | Password composition policy of the local users in the group. |
Related commands
user-group
expiration-date (local user view)
Use expiration-date to set the expiration time of a local user.
Use undo expiration-date to remove the configuration.
Syntax
expiration-date time
undo expiration-date
Default
A local user has no expiration time, and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where the value range for HH is 0 to 23, and those for MM and SS are 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where the value range for YYYY is 2000 to 2035, the value range for MM is 1 to 12, and the value range for DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals 02:02:00-2008/02/02.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
For temporary network access requirements, create a guest account, and specify a validity time and an expiration time for the account to control the validity of the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is between the validity time and the expiration time. If it is, the device permits the user to access the network. Otherwise, the device denies the access request of the user.
Examples
# Set the expiration time of user abc to 12:10:20 on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
Related commands
validity-date
fast-authentication aging
Use fast-authentication aging to set the aging time of the MAC binding entry for a local portal user.
Use undo fast-authentication aging to restore the default.
Syntax
fast-authentication aging aging-value
undo fast-authentication aging
Default
The aging time of the MAC binding entry for a local portal user is 12 hours.
Views
Local portal user view
Default command level
2: System level
Parameters
aging-value: Specifies the aging time of the MAC binding entry, in the range of 1 to 2160, in hours.
Examples
# Set the aging time to 720 hours for the MAC binding entry of local portal user test.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] fast-authentication aging 720
fast-authentication enable
Use fast-authentication enable to enable fast authentication for a local portal user.
Use undo fast-authentication enable to disable fast authentication for a local portal user.
Syntax
fast-authentication enable
undo fast-authentication enable
Default
Fast authentication is disabled for a local portal user.
Views
Local portal user view
Default command level
2: System level
Usage guidelines
This feature provides fast authentication for local portal users that access the network frequently.
After a local portal user passes portal authentication, the device creates a MAC binding entry that binds the user MAC address with the user authentication account. Before the MAC binding entry ages out, the user can directly use the MAC address to come online again if the user passes MAC authentication. No portal authentication is performed on the user.
This feature takes effect on local portal users whose service types also include the LAN access service.
Examples
# Enable fast authentication for local portal user test.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] fast-authentication enable
fast-authentication mac-address
Use fast-authentication mac-address to specify the user MAC address for fast authentication.
Use undo fast-authentication mac-address to delete the user MAC address for fast authentication.
Syntax
fast-authentication mac-address mac-address
undo fast-authentication mac-address mac-address
Default
The MAC address of a local portal user is not specified for fast authentication.
Views
Local portal user view
Default command level
2: System level
Parameters
mac-address: Specifies the MAC address of the local portal user, in the format of H-H-H.
Examples
# Specify MAC address 1-1-1 as the MAC address for fast authentication of local portal user test.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] fast-authentication mac-address 1-1-1
group
Use group to assign a local user to a user group.
Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to the system default user group system.
Views
Local user view
Default command level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign local user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc
group-attribute allow-guest
Use group-attribute allow-guest to set the guest attribute for a user group so that guest users created by a guest manager through the Web interface can join the group.
Use undo group-attribute allow-guest to restore the default.
Syntax
group-attribute allow-guest
undo group-attribute allow-guest
Default
The guest attribute is not set for a user group, and guest users created by a guest manager through the Web interface cannot join the group.
Views
User group view
Default command level
3: Manage level
Usage guidelines
The guest attribute is set for the system predefined user group system and you cannot remove the attribute for the user group.
Examples
# Set the guest attribute for user group test.
<Sysname> system-view
[Sysname] user-group test
[Sysname-ugroup-test] group-attribute allow-guest
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove the specified local users.
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { ftp | lan-access | portal | ppp | ssh | telnet | terminal | web } ] }
Default
The system has a local user named admin.
Views
System view
Default command level
3: Manage level
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name. It cannot contain any slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@), and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
· ftp: FTP users. This keyword is not supported in FIPS mode.
· lan-access: Users accessing the network through an Ethernet, such as 802.1X users.
· portal: Portal users.
· ppp: PPP users. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.
· ssh: SSH users.
· telnet: Telnet users. This keyword is not supported in FIPS mode.
· terminal: Users logging in through the console or AUX port. In FIPS mode, you must specify this keyword.
· web: Web users.
Examples
# Add a local user named user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1]
Related commands
· display local-user
· service-type
password
Use password to configure a password for a local user and specify whether to display the password in ciphertext or plain text.
Use undo password to delete the password of a local user.
Syntax
password [ [ hash ] { cipher | simple } password ]
undo password
Views
Local user view
Default command level
2: System level
Parameters
hash: Enables hash encryption. If you specify this keyword, all passwords, including passwords configured in plain text, are saved in hashed form. If you do not specify this keyword, all passwords, including passwords configured in plain text, are saved in ciphertext.
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters. If hash is specified, a ciphertext password must be a string of 1 to 110 characters.
Usage guidelines
If you do not specify any parameter, you enter the interactive mode to set a plaintext password string. For more information about password control commands, see "Password control commands."
When the password control feature is enabled globally (by using the password-control enable command), the length, complexity, and other properties of local user passwords are governed by the password control feature, and the passwords are not displayed. In addition, you cannot use the password hash cipher command to configure passwords.
The password command is not supported in FIPS mode. You must use the password control feature to configure passwords for local users.
Examples
# Set the password to 123456 in plain text for local user user1, and save the password in ciphertext.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456
# Set a plaintext password 123456 in interactive mode for local user user1, and save the password in ciphertext.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password
Password:******
Confirm :******
# Set the password to 123456 in plain text for local user user1, and save the password in hashed form.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password hash simple 123456
Related commands
display local-user
service-type
Use service-type to specify the service types that a user can use.
Use undo service-type to delete one or all service types configured for a user.
Syntax
service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web }
undo service-type { ftp | lan-access | { ssh | telnet | terminal } * | portal | ppp | web }
Default
No service is authorized to a local user.
Views
Local user view
Default command level
3: Manage level
Parameters
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by default. This keyword is not supported in FIPS mode.
lan-access: Authorizes the user to use the LAN access service. The users are mainly Ethernet users such as 802.1X users.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service. This keyword is not supported in FIPS mode.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console or AUX port. In FIPS mode, you must specify this keyword.
portal: Authorizes the user to use the Portal service.
ppp: Authorizes the user to use the PPP service. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.
web: Authorizes the user to use the Web service.
Usage guidelines
You can execute the service-type command repeatedly to specify multiple service types for a user.
Examples
# Authorize user user1 to use the Telnet service.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Default command level
2: System level
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Usage guidelines
By blocking a user, you disable the user from requesting network services. No other users are affected.
Examples
# Place local user user1 in the blocked state.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
Related commands
local-user
user-group
Use user-group to create a user group and enter its view.
Use undo user-group to remove a user group.
Syntax
user-group group-name
undo user-group group-name
Views
System view
Default command level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes include password control attributes and authorization attributes.
A user group with one or more local users cannot be removed.
The system predefined user group system cannot be removed, but you can modify its configuration.
Examples
# Create a user group named abc, and enter its view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
validity-date
Use validity-date to set the validity time of a local user.
Use undo validity-date to remove the configuration.
Syntax
validity-date time
undo validity-date
Default
A local user has no validity time and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where the value range for HH is 0 to 23, and those for MM and SS are 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where the value range for YYYY is 2000 to 2035, the value range for MM is 1 to 12, and the value range for DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals 02:02:00-2008/02/02.
Usage guidelines
For temporary network access requirements, create a guest account, and specify a validity time and an expiration time for the account to control the validity of the account. When a user uses the guest account for local authentication and passes the authentication, the access device checks whether the current system time is between the validity time and the expiration time. If it is, the device permits the user to access the network. Otherwise, the device denies the access request of the user.
Examples
# Set the validity time of user abc to 12:10:20 on April 30, 2008, and set the expiration time to 12:10:20 on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] validity-date 12:10:20-2008/04/30
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
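The following added example (not H3C code) parses the four time formats accepted by validity-date and expiration-date, enforces the documented value ranges, and applies the validity window check described in the usage guidelines of both commands; treating the window boundaries as inclusive is an assumption.

```python
import re
from datetime import datetime
from typing import Optional

# Added example, not H3C code: parses the time argument of validity-date and
# expiration-date and performs the local authentication time check. Inclusive
# window boundaries are an assumption.

_TIME = r"(?P<hh>\d{1,2}):(?P<mi>\d{1,2}):(?P<ss>\d{1,2})"
_MDY = r"(?P<mm>\d{1,2})/(?P<dd>\d{1,2})/(?P<yyyy>\d{4})"
_YMD = r"(?P<yyyy>\d{4})/(?P<mm>\d{1,2})/(?P<dd>\d{1,2})"

# HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, YYYY/MM/DD-HH:MM:SS.
# \d{1,2} lets leading zeros be omitted, as the command reference allows.
_FORMATS = [re.compile(p) for p in (
    rf"^{_TIME}-{_MDY}$", rf"^{_TIME}-{_YMD}$",
    rf"^{_MDY}-{_TIME}$", rf"^{_YMD}-{_TIME}$",
)]


def parse_time(text: str) -> datetime:
    """Parse a validity/expiration time; raise ValueError when it is malformed
    or a field is outside the documented range."""
    for pattern in _FORMATS:
        m = pattern.match(text)
        if m:
            break
    else:
        raise ValueError(f"unrecognized time format: {text!r}")
    f = {k: int(v) for k, v in m.groupdict().items()}
    if not 2000 <= f["yyyy"] <= 2035:
        raise ValueError(f"year {f['yyyy']} outside 2000..2035")
    if not (0 <= f["hh"] <= 23 and 0 <= f["mi"] <= 59 and 0 <= f["ss"] <= 59):
        raise ValueError(f"time of day out of range in {text!r}")
    # datetime() rejects a month outside 1..12 and a day that does not exist
    # in that month, which covers "the value range for DD depends on the month".
    return datetime(f["yyyy"], f["mm"], f["dd"], f["hh"], f["mi"], f["ss"])


def is_valid_time_string(text: str) -> bool:
    """True when the string would be accepted as a time argument."""
    try:
        parse_time(text)
        return True
    except ValueError:
        return False


def access_permitted(now: datetime, validity: Optional[str] = None,
                     expiration: Optional[str] = None) -> bool:
    """Time check applied after a guest account passes local authentication.
    With neither setting configured no time validity checking is performed
    (the default); otherwise the current system time must lie inside the
    window bounded by the configured validity and expiration times."""
    if validity is not None and now < parse_time(validity):
        return False
    if expiration is not None and now > parse_time(expiration):
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario using the window from the command examples above.
    window = dict(validity="12:10:20-2008/04/30", expiration="12:10:20-2008/05/31")
    print(access_permitted(datetime(2008, 5, 15, 8, 0, 0), **window))  # inside: permitted
    print(access_permitted(datetime(2008, 6, 1, 0, 0, 0), **window))   # expired: denied
```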
Related commands
expiration-date
RADIUS configuration commands
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to disable the accounting-on feature.
Syntax
accounting-on enable [ interval seconds | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
seconds: Time interval for retransmitting an accounting-on packet in seconds, in the range of 1 to 15. The default is 3 seconds.
send-times: Maximum number of accounting-on packet transmission attempts, in the range of 1 to 255. The default is 50.
Usage guidelines
The accounting-on feature enables the device, after rebooting, to automatically send an accounting-on message to the RADIUS accounting server indicated by the RADIUS scheme to stop accounting for and log out online users.
Parameters set with the accounting-on enable command take effect immediately.
After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the device reboots.
Examples
# Enable the accounting-on feature for RADIUS authentication scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
radius scheme
attribute 4
Use attribute 4 to configure the NAS-IP-Address attribute (attribute number 4) for RADIUS Access-Request packets.
Use undo attribute 4 to restore the default.
Syntax
attribute 4 ip-address
undo attribute 4
Default
The NAS-IP-Address attribute takes the source IP address of the RADIUS Access-Request packet.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address to carry in the NAS-IP-Address attribute of RADIUS Access-Request packets. It must be a valid IPv4 address, and it cannot be any of the following:
· An all-zeros IP address.
· An all-ones IP address.
· A class D IP address.
· A class E IP address.
· A loopback IP address.
Usage guidelines
In a MAC-BAC network, the NAS-IP-Address attribute (attribute number 4) in a RADIUS Access-Request packet must take the IP address of the master AC.
This command does not change the source IP address of a RADIUS Access-Request packet.
Examples
# Configure the NAS-IP-Address attribute (attribute number 4) as 192.168.0.2 for RADIUS Access-Request packets.
<Sysname> system-view
[Sysname] radius scheme aaa
[Sysname-radius-aaa] attribute 4 192.168.0.2
Related commands
· radius nas-ip
· nas-ip (RADIUS scheme view)
attribute 25 car
Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
Use undo attribute 25 car to restore the default.
Syntax
attribute 25 car
undo attribute 25 car
Default
RADIUS attribute 25 is not interpreted as CAR parameters.
Views
RADIUS scheme view
Default command level
2: System level
Examples
# Configure the device to interpret RADIUS attribute 25 as CAR parameters.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
Related commands
· display radius scheme
· display connection
attribute 41
Use attribute 41 to set the value of the Account-Delay-Time attribute for RADIUS Accounting-Request packets.
Use undo attribute 41 to restore the default.
Syntax
attribute 41 value
undo attribute 41
Default
The value of the Account-Delay-Time attribute for a RADIUS Accounting-Request packet is the actual transmission delay for the packet.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
value: Specifies the value of the Account-Delay-Time attribute, in the range of 0 to 255.
Examples
# Set the value of the Account-Delay-Time attribute to 0 for RADIUS Accounting-Request packets.
<Sysname> system-view
[Sysname] radius scheme aaa
[Sysname-radius-aaa] attribute 41 0
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The unit for data flows and that for packets must be consistent with those on the RADIUS server. Otherwise, accounting cannot be performed correctly.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
display radius scheme
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any RADIUS scheme, the command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName : radius1
Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: active
Encryption Key : ******
Probe username : test
Probe interval : 10min
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: active
Encryption Key : ******
Probe username : test
Probe interval : 10min
Second Auth Server:
IP: 1.1.2.1 Port: 1812 State: active
Encryption Key : N/A
Probe username : test
Probe interval : 10min
IP: 1.1.3.1 Port: 1812 State: active
Encryption Key : N/A
Probe username : N/A
Probe interval : N/A
Second Acct Server:
IP: 1.1.2.1 Port: 1813 State: block
Encryption Key : N/A
Probe username : N/A
Probe interval : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : N/A
Accounting-On packet disable, send times : 50 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Attribute 25 : car
------------------------------------------------------------------
Total 1 RADIUS scheme(s).
Table 5 Command output
Field | Description |
---|---|
SchemeName | Name of the RADIUS scheme. |
Index | Index number of the RADIUS scheme. |
Type | Type of the RADIUS server that the device supports: Extended (the server uses the proprietary RADIUS protocol of H3C for packet exchange) or Standard (the server uses the standard RADIUS protocol, compliant with RFC 2865 and RFC 2866 or later). |
Primary Auth Server | Information about the primary authentication server. |
Primary Acct Server | Information about the primary accounting server. |
Second Auth Server | Information about the secondary authentication server. |
Second Acct Server | Information about the secondary accounting server. |
IP | IP address of the server. |
Port | Service port of the server. If no port is configured, the default port number is displayed. |
State | Status of the server: active or blocked. |
Encryption Key | Shared key configured for this server for secure authentication or accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. |
Probe username | Username used for server status detection. |
Probe interval | Server status detection interval, in minutes. |
Auth Server Encryption Key | Shared key for secure authentication communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. |
Acct Server Encryption Key | Shared key for secure accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A. |
Accounting-On packet disable | The accounting-on feature is disabled. |
send times | Retransmission times of accounting-on packets. |
interval | Interval at which the device retransmits accounting-on packets. |
Interval for timeout(second) | RADIUS server response timeout period, in seconds. |
Retransmission times for timeout | Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. |
Interval for realtime accounting(minute) | Interval for real-time accounting, in minutes. |
Retransmission times of realtime-accounting packet | Maximum number of real-time accounting attempts. |
Retransmission times of stop-accounting packet | Maximum number of stop-accounting attempts. |
Quiet-interval(min) | Quiet interval for the primary server, in minutes. |
Username format | Format of the usernames to be sent to the RADIUS server. |
Data flow unit | Unit for data flows sent to the RADIUS server. |
Packet unit | Unit for packets sent to the RADIUS server. |
NAS-IP address | Source IP address for outgoing RADIUS packets. |
Backup-NAS-IP address | Backup source IP address for outgoing RADIUS packets. |
Attribute 25 | Interprets RADIUS attribute 25 as the CAR parameters. |
Related commands
radius scheme
display radius statistics
Use display radius statistics to display statistics about RADIUS packets.
Syntax
display radius statistics [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display statistics about RADIUS packets.
<Sysname> display radius statistics
state statistic(total=24576):
DEAD = 24576 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
Resend Times Resend total
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Radius relay statistic:
Send request relay packets = 0 Receive response relay packets = 0
Receive request relay packets = 0 Reply response relay packets = 0
Send account update packets = 0 Receive account update packets = 0
Relay request packets error = 0 Send relay packet errors = 0
Running statistic:
RADIUS received messages statistic:
Auth request Num = 24 Err = 0 Succ = 24
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 23 Err = 0 Succ = 23
Session ctrl pkt Num = 0 Err = 0 Succ = 0
Normal author request Num = 0 Err = 0 Succ = 0
Set policy result Num = 0 Err = 0 Succ = 0
Accounting on request Num = 0 Err = 0 Succ = 0
Accounting on response Num = 0 Err = 0 Succ = 0
Dynamic Author Ext request Num = 0 Err = 0 Succ = 0
Free handle request Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
Auth continue Num = 0
Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Table 6 Command output
Field | Description |
---|---|
state statistic | User statistics, by state. The value range depends on the device model. For more information, see About the H3C Access Controllers Command References. |
DEAD | Number of idle users. The value range depends on the device model. For more information, see About the H3C Access Controllers Command References. |
AuthProc | Number of users waiting for authentication. |
AuthSucc | Number of users who have passed authentication. |
AcctStart | Number of users for whom accounting has been started. |
RLTSend | Number of users for whom the system sends real-time accounting packets. |
RLTWait | Number of users waiting for real-time accounting. |
AcctStop | Number of users whose stop-accounting requests are pending. |
OnLine | Number of online users. |
Stop | Number of users in the stop state. |
Received and Sent packets statistic | Statistics for packets received and sent by the RADIUS module. |
Sent PKT total | Number of packets sent. |
Received PKT total | Number of packets received. |
Resend Times | Number of transmission attempts. |
Resend total | Number of packets retransmitted that many times. |
Total | Total number of packets retransmitted. |
RADIUS received packets statistic | Statistics for packets received by the RADIUS module. |
Code | RADIUS packet type: 2 is Access-Accept, 3 is Access-Reject, 5 is Accounting-Response, and 11 is Access-Challenge. |
Num | Total number of packets. |
Err | Number of packets that the device failed to process. |
Succ | Number of messages that the device successfully processed. |
Radius relay statistic | Statistics for relay packets received and sent by the RADIUS module. Relay packets are the 802.1X stateful failover packets. |
Send request relay packets | Number of request relay packets sent by the RADIUS module. |
Receive response relay packets | Number of response relay packets received by the RADIUS module. |
Receive request relay packets | Number of request relay packets received by the RADIUS module. |
Reply response relay packets | Number of response relay packets that the RADIUS module has replied with. |
Send account update packets | Number of accounting update packets sent by the RADIUS module. |
Receive account update packets | Number of accounting update packets received by the RADIUS module. |
Relay request packets error | Number of request packets that the RADIUS module failed to relay. |
Send relay packet errors | Number of relay packets that the RADIUS module failed to send out. |
Running statistic | Statistics for RADIUS messages received and sent by the RADIUS module. |
RADIUS received messages statistic | Statistics for received RADIUS messages. |
Auth request | Counts of authentication requests. |
Account request | Counts of accounting requests. |
Account off request | Counts of stop-accounting requests. |
PKT auth timeout | Counts of authentication timeout messages. |
PKT acct_timeout | Counts of accounting timeout messages. |
Realtime Account timer | Counts of real-time accounting requests. |
PKT response | Counts of responses from servers. |
Session ctrl pkt | Counts of session control messages. |
Normal author request | Counts of normal authorization requests. |
Set policy result | Counts of responses to the Set policy packets. |
Accounting on request | Counts of accounting-on requests. |
Accounting on response | Counts of accounting-on responses. |
Dynamic Author Ext request | Counts of dynamic authorization extension requests. |
Free handle request | Counts of requests for releasing system resources. |
RADIUS sent messages statistic | Statistics for sent RADIUS messages. |
Auth accept | Number of accepted authentication packets. |
Auth reject | Number of rejected authentication packets. |
Auth continue | Number of authentication continue packets. |
EAP auth replying | Number of EAP authentication reply packets. |
Account success | Number of successful accounting packets. |
Account failure | Number of failed accounting packets. |
Server ctrl req | Number of server control requests. |
RecError_MSG_sum | Number of received packets in error. |
SndMSG_Fail_sum | Number of packets that failed to be sent out. |
Timer_Err | Number of packets indicating timer startup failures. |
Alloc_Mem_Err | Number of packets indicating memory allocation failures. |
State Mismatch | Number of packets indicating mismatching status. |
Other_Error | Number of packets indicating other types of errors. |
No-response-acct-stop packet | Number of times that no response was received for stop-accounting packets. |
Discarded No-response-acct-stop packet for buffer overflow | Number of stop-accounting packets that were buffered but then discarded because the buffer was full. |
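The following Python script is an added example, not H3C code: it parses the display radius statistics output shown above (SAMPLE is a copy of lines from that output) and derives the figures an operator would alert on. The thresholds and the wording of the findings are assumptions made for the example.

```python
"""Added example (not H3C code): parse "display radius statistics" output and
flag the counters worth alerting on. Thresholds are assumptions."""
import re

# Copied from the example output on this page (a constructed sample for this script).
SAMPLE = """\
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
Resend Times Resend total
1 508
2 508
Total 1016
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
RADIUS sent messages statistic:
Auth accept Num = 10
Auth reject Num = 14
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
"""

CODE_LINE = re.compile(r"^Code = (\d+)\s+Num = (\d+)\s+Err = (\d+)$")
RESEND_LINE = re.compile(r"^(\d+)\s+(\d+)$")            # "<resend times> <packet count>"
KEY_VALUE = re.compile(r"([A-Za-z][A-Za-z_\-/ ]*?)\s*=\s*(\d+)")
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject",
              5: "Accounting-Response", 11: "Access-Challenge"}


def parse_radius_statistics(text):
    """Flatten the display output into one dict; 'codes' and 'resend' hold the sub-tables."""
    stats = {"codes": {}, "resend": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = CODE_LINE.match(line)
        if m:
            stats["codes"][int(m.group(1))] = {"num": int(m.group(2)), "err": int(m.group(3))}
            continue
        m = RESEND_LINE.match(line)
        if m:
            stats["resend"][int(m.group(1))] = int(m.group(2))
            continue
        for key, value in KEY_VALUE.findall(line):
            stats.setdefault(key.strip(), int(value))   # first occurrence of a name wins
    return stats


def health_report(stats, max_reject_ratio=0.5, max_resend_ratio=0.2):
    """Ratios derived from the counters, plus the findings they trigger."""
    accepts = stats["codes"].get(2, {}).get("num", 0)   # Access-Accept received
    rejects = stats["codes"].get(3, {}).get("num", 0)   # Access-Reject received
    decisions = accepts + rejects
    sent = stats.get("Sent PKT total", 0)
    resent = sum(stats["resend"].values())
    lost_stops = stats.get("No-response-acct-stop packet", 0)
    report = {
        "reject_ratio": rejects / decisions if decisions else 0.0,
        "resend_ratio": resent / sent if sent else 0.0,
        "no_response_acct_stop": lost_stops,
        "findings": [],
    }
    if report["reject_ratio"] > max_reject_ratio:
        report["findings"].append("high Access-Reject ratio: bad credentials or password guessing")
    if report["resend_ratio"] > max_resend_ratio:
        # A server that cannot validate the authenticator (wrong shared key) silently
        # discards accounting and EAP requests, so a key mismatch looks like packet loss.
        report["findings"].append("heavy retransmission: server unreachable or shared key mismatch")
    if lost_stops:
        report["findings"].append("stop-accounting requests unanswered: sessions may stay open on the server")
    return report


if __name__ == "__main__":
    for finding in health_report(parse_radius_statistics(SAMPLE))["findings"]:
        print(finding)
```

The split between the two unhealthy signals matters for triage. Access-Reject packets (Code 3) come from a server that received and validated the request and turned the user down, so a rising reject ratio points at credentials or at password guessing. Retransmissions and unanswered stop-accounting requests come from a server that did not answer at all, which is what an unreachable server or a shared key mismatch looks like, because accounting and EAP requests that fail validation are silently discarded rather than rejected.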
Related commands
radius scheme
display stop-accounting-buffer (for RADIUS)
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
Syntax
display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS scheme.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
If the device sends a stop-accounting request to a RADIUS server but receives no response, it retransmits the request up to the number of times set by the retry command. If there is still no response, the device considers the stop-accounting attempt failed, buffers the request, and makes another stop-accounting attempt. The maximum number of stop-accounting attempts is set by the retry stop-accounting command. If all attempts fail, the device discards the request.
Examples
# Display information about the stop-accounting requests buffered for user abc.
<Sysname> display stop-accounting-buffer user-name abc
RDIdx Session-ID user name Happened time
1 1000326232325010 abc 23:27:16-08/31/2006
1 1000326232326010 abc 23:33:01-08/31/2006
Total 2 record(s) Matched
Related commands
· reset stop-accounting-buffer
· stop-accounting-buffer enable
· user-name-format
· retry
· retry stop-accounting
eap offload
Use eap offload to enable the EAP offload feature.
Use undo eap offload to disable the EAP offload feature.
Syntax
eap offload method peap-mschapv2
undo eap offload method peap-mschapv2
Default
The EAP offload feature is disabled, and the device forwards received EAP authentication requests in pass-through mode, rather than performing offload operations.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
method peap-mschapv2: Specifies the EAP authentication method. Only PEAP-MSCHAPv2 authentication is supported.
Usage guidelines
Some RADIUS servers do not support EAP authentication. For a RADIUS scheme that uses such a server, enable the EAP offload feature. The device then handles the EAP exchange with its clients itself and forwards the resulting authentication information to the RADIUS server, instead of passing the EAP messages through unchanged.
Examples
# Enable the EAP offload feature for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] eap offload method peap-mschapv2
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication/authorization or accounting communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication } [ cipher | simple ] key
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication/authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plain text shared key.
key: Specifies the shared key string. This argument is case sensitive. If you specify neither cipher nor simple, you set a plaintext shared key.
· In non-FIPS mode:
    · A ciphertext shared key is a string of 1 to 117 characters.
    · A plaintext shared key is a string of 1 to 64 characters.
· In FIPS mode, a shared key must be at least eight characters long and must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext. The device must still recover the key to compute and verify RADIUS authenticators, so the saved form is reversible encryption rather than a hash; treat configuration files and their backups as sensitive.
A shared key specified for an individual server with the primary authentication, primary accounting, secondary authentication, or secondary accounting command takes precedence over the scheme-wide key set by this command.
The shared keys configured on the device must match the shared keys configured on the RADIUS servers. A server that cannot validate a request under its configured key silently discards accounting and EAP requests, so a key mismatch typically shows up as response timeouts and retransmissions rather than as authentication rejects.
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text, without specifying the simple keyword.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in ciphertext.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key authentication cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
Related commands
display radius scheme
nas-backup-ip
Use nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets in a stateful failover situation.
Use undo nas-backup-ip to restore the default.
Syntax
nas-backup-ip ip-address
undo nas-backup-ip
Default
A RADIUS scheme is configured with no backup source IP address for outgoing RADIUS packets.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the backup source IP address for outgoing RADIUS packets. It must be the source IP address for outgoing RADIUS packets that is configured on the other device of the stateful failover pair, and it cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
With a backup source IP address configured for outgoing RADIUS packets, a device for stateful failover sends this address to the RADIUS server if it is the active device. When the active device fails, the RADIUS server can send unsolicited RADIUS packets to the standby device.
A RADIUS scheme can have only one backup source IP address. If you specify a new backup source IP address for the same RADIUS scheme, the new one overwrites the old one.
The setting configured by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas the setting configured by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Examples
# For a device working in stateful failover mode, set the source IP address and backup source IP address for outgoing RADIUS packets to 2.2.2.2 and 3.3.3.3, respectively.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 2.2.2.2
[Sysname-radius-radius1] nas-backup-ip 3.3.3.3
On the backup device, you must set the source IP address and backup source IP address for outgoing RADIUS packets to 3.3.3.3 and 2.2.2.2, respectively.
Related commands
· nas-ip
· radius nas-ip
nas-ip (RADIUS scheme view)
Use nas-ip to specify a source IP address for outgoing RADIUS packets.
Use undo nas-ip to restore the default.
Syntax
nas-ip { ipv4-address | ipv6 ipv6-address }
undo nas-ip
Default
The source IP address of an outgoing RADIUS packet is that configured by the radius nas-ip command in system view. If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.
Usage guidelines
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address, and the shared key is bound to that NAS entry. Upon receiving a RADIUS packet, the server checks whether the source IP address of the packet is the IP address of a managed NAS. If it is, the server processes the packet by using the shared key configured for that NAS. If it is not, the server drops the packet. This check uses the packet's source IP address, not the NAS-IP-Address attribute, so configure the source address with this command rather than with attribute 4.
The source IP address specified for outgoing RADIUS packets must be of the same IP version as the IP addresses of the RADIUS servers in the RADIUS scheme. Otherwise, the source IP address configuration does not take effect.
A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new one overwrites the old one.
The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
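The following Python script is an added example, not H3C code or device output. It puts on the wire the pieces configured by attribute 4, attribute 41, key, and nas-ip: it builds an Accounting-Request carrying NAS-IP-Address (attribute 4) and Acct-Delay-Time (attribute 41), computes the Request Authenticator from the shared key as RFC 2866 defines, and models a server that identifies the NAS by the packet's source IP address, selects that client's shared key, and drops anything it cannot validate. The addresses, keys, packet identifier and session ID are constructed for the example.

```python
"""Added example (not H3C code): RADIUS accounting packets built and checked
the way the key, nas-ip, attribute 4 and attribute 41 commands imply.
All addresses, keys and identifiers are constructed for illustration."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# RADIUS codes as shown by "display radius statistics" (RFC 2865/2866).
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 4, 40, 41, 44


def attr(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident, secret, nas_ip, session_id, delay_time):
    """Request Authenticator = MD5(Code, Identifier, Length, 16 zero bytes, attributes, secret)."""
    attrs = (attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))        # 1 = Start
             + attr(ACCT_DELAY_TIME, struct.pack("!I", delay_time))
             + attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def verify_accounting_request(packet, secret):
    """True only if the Request Authenticator was computed with this shared key."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_response(request, secret):
    """Response Authenticator = MD5(Code, Identifier, Length, RequestAuth, attributes, secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request, response, secret):
    """NAS-side check that a response belongs to the request and was keyed correctly."""
    if response[1] != request[1]:                       # Identifier must match
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_receive(clients, src_ip, packet):
    """Server model: the NAS is looked up by source IP (what nas-ip sets), then the
    key bound to that entry must validate the packet. Attribute 4 is only data."""
    secret = clients.get(src_ip)
    if secret is None:
        return "dropped: unknown NAS " + src_ip
    if not verify_accounting_request(packet, secret):
        return "dropped: bad Request Authenticator (shared key mismatch)"
    attrs = parse_attributes(packet)
    nas_attr = socket.inet_ntoa(attrs[NAS_IP_ADDRESS])
    delay = struct.unpack("!I", attrs[ACCT_DELAY_TIME])[0]
    return "accepted: attribute 4=%s Acct-Delay-Time=%d" % (nas_attr, delay)


def demo():
    clients = {"2.2.2.2": b"hello"}   # constructed server client table: NAS IP -> shared key
    req = build_accounting_request(7, b"hello", "192.168.0.2", "1000326232325010", 0)
    resp = build_accounting_response(req, b"hello")
    return {
        "same_key": server_receive(clients, "2.2.2.2", req),
        "unknown_source": server_receive(clients, "9.9.9.9", req),
        "case_differs": server_receive({"2.2.2.2": b"Hello"}, "2.2.2.2", req),
        "response_ok": verify_response(req, resp, b"hello"),
        "response_wrong_key": verify_response(req, resp, b"Hello"),
        "response_code": CODE_NAMES[resp[0]],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Two points to notice when running it: the server never consults attribute 4 to decide which client sent the packet, which is why nas-ip, not attribute 4, has to match the server's NAS entry; and a key differing only in case fails validation, because shared keys are case sensitive.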
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
radius nas-ip
primary accounting (RADIUS scheme view)
Use primary accounting to specify the primary RADIUS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *
undo primary accounting
Default
No primary RADIUS accounting server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server, which must be a valid global unicast address.
port-number: Specifies the service port number of the primary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS accounting server.
· cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.
· simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
· If neither cipher nor simple is specified, you set a plaintext shared key string.
· In FIPS mode, the shared key must be at least eight characters long and must contain digits, uppercase letters, lowercase letters, and special characters, and it must use 3DES for encryption and decryption.
probe: Enables the device to detect the status of the primary RADIUS accounting server.
username name: Specifies the username in the accounting request for server status detection.
interval interval: Specifies the detection interval, in the range of 1 to 3600, in minutes. The default setting is 10 minutes.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command.
If you change the primary accounting server after the device has already sent a start-accounting request to it, communication with the old primary server times out, and the device looks for a server in active state, starting from the new primary server.
If you remove an accounting server being used by users, the device can no longer send real-time accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting requests.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
You can use the probe username name [ interval interval ] option to configure status detection for a primary RADIUS accounting server. With this configuration, the device sends the server a simulated accounting request that includes the specified username at a random time within each detection interval. The server is considered reachable if it returns a response. Otherwise, the device considers the accounting server unreachable and generates a "server unreachable" trap in either of the following cases:
· The device also sent at least one real accounting request and received no response to any real or simulated request within one detection interval.
· The device sent no real accounting request and received no response to a real or simulated request for three successive detection intervals.
If an accounting response is received from an accounting server in unreachable state, the device immediately generates a "server reachable" trap and starts a new detection interval.
When server status detection is enabled, the quiet timer set by the timer quiet command does not take effect.
Examples
# For RADIUS scheme radius1, set the IP address of the primary accounting server to 10.110.1.2, the UDP port to 1813, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple hello
# For RADIUS scheme radius1, set the username for status detection of the primary accounting server to test, and set the detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 probe username test interval 120
Related commands
key
primary authentication (RADIUS scheme view)
Use primary authentication to specify the primary RADIUS authentication/authorization server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *
undo primary authentication
Default
No primary RADIUS authentication/authorization server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server, which must be a valid global unicast address.
port-number: Specifies the service port number of the primary RADIUS authentication/authorization server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS authentication/authorization server.
· cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.
· simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
· If neither cipher nor simple is specified, you set a plaintext shared key string.
· In FIPS mode, the shared key must be at least eight characters long and must contain digits, uppercase letters, lowercase letters, and special characters, and it must use 3DES for encryption and decryption.
probe: Enables the device to detect the status of the primary RADIUS authentication/authorization server.
username name: Specifies the username in the authentication request for server status detection.
interval interval: Specifies the detection interval, in the range of 1 to 3600, in minutes. The default setting is 10 minutes.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
If you remove the primary authentication server when an authentication process is in progress, the communication with the primary server times out, and the device looks for a server in active state from the new primary server on.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
You can use the probe username name [ interval interval ] option to configure status detection settings for a primary RADIUS authentication/authorization server. With this configuration, the device sends the server a simulated authentication request that includes the specified username at a random time in each detection interval. The server is considered reachable if it returns a response. Otherwise, the device considers the server unreachable and generates a "server unreachable" trap in either of the following cases:
· When the device also sends at least one real authentication request and does not receive any response to a real or simulated request within one detection interval.
· When the device does not send any real authentication request and does not receive any response to a real or simulated request for three successive intervals.
If an authentication response is received from the authentication server in unreachable state, the device immediately generates a "server reachable" trap, and starts a new detection interval.
When the server status detection function is enabled, the quiet timer specified by the timer quiet command does not take effect.
Examples
# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to 10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello
# In RADIUS scheme radius1, set the username used for status detection of the primary authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval 120
Related commands
key
radius client
Use radius client enable to enable the RADIUS client service.
Use undo radius client to disable the RADIUS client service.
Syntax
radius client enable
undo radius client
Default
The RADIUS client service is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
When the RADIUS client service is disabled, the following events occur:
· No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS server can no longer receive logoff requests from online users. After a user goes offline, the RADIUS server still has the user's record during a certain period of time.
· The buffered accounting packets cannot be sent out and are deleted from the buffer when the configured maximum number of attempts is reached, affecting the precision of user accounting.
· If local authentication, authorization, or accounting is configured as the backup, the device performs local authentication, authorization, or accounting instead after the RADIUS request fails. Local accounting is only for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
Examples
# Enable the RADIUS client service.
<Sysname> system-view
[Sysname] radius client enable
radius dynamic-author client trusted
Use radius dynamic-author client trusted to configure the device to trust the DAE packets sent by the specified IP address.
Use undo radius dynamic-author client trusted to remove the IP address from which the DAE packets are trusted.
Syntax
radius dynamic-author client trusted ip ip-address
undo radius dynamic-author client trusted
Default
The device does not trust the DAE packets sent by any IP addresses.
Views
System view
Default command level
2: System level
Parameters
ip ip-address: Specifies the IP address of the DAC. It cannot be any of the following:
· An all-zeros IP address.
· An all-ones IP address.
· A Class D (multicast) IP address.
· A Class E (reserved) IP address.
· A loopback IP address.
Usage guidelines
You can configure only one such IP address on a DAS. If you execute this command multiple times, the most recent configuration takes effect.
In a MAC-BAC network, the BAS ACs function as the DASs and receive DAE packets from the master AC. The master AC, which serves as a DAE proxy, has verified the Authenticator field of these DAE packets after it receives them from DACs. To save bandwidth, specify the IP address of the master AC as the DAE-trusted IP address on the BAS ACs. These ACs can send or receive DAE packets to or from the master AC without verifying the Authenticator field.
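The check that a DAS skips for packets from the DAE-trusted address is the RFC 5176 Request Authenticator verification. The following Python, added here as an illustration and not H3C code, builds a constructed Disconnect-Request under a made-up shared secret, verifies it as a DAS would, and shows the trusted-source bypass as an explicit flag; the function and constant names are this example's own.

```python
import hashlib
import hmac
import struct

# RFC 5176 DAE request codes: Disconnect-Request and CoA-Request
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
DAE_REQUEST_CODES = {DISCONNECT_REQUEST, COA_REQUEST}
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def request_authenticator(code, identifier, attributes, secret):
    """Request Authenticator of a DAE request (RFC 5176 section 2.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def build_dae_request(code, identifier, attributes, secret):
    """Assemble a DAE request as a DAC would send it to a DAS."""
    auth = request_authenticator(code, identifier, attributes, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_dae_request(packet, secret, from_trusted_ip=False):
    """Decide whether a DAS should accept a received DAE request.

    Structural checks always apply. The Authenticator check is skipped only
    when from_trusted_ip is True, which models the 'radius dynamic-author
    client trusted' behaviour described above: packets from the DAE-trusted
    address (the master AC) were already verified upstream.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in DAE_REQUEST_CODES or length != len(packet):
        return False
    if from_trusted_ip:
        return True
    expected = request_authenticator(code, identifier, packet[HEADER_LEN:], secret)
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample: a Disconnect-Request for one session, made-up secret and values.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = avp(1, b"user0001@test") + avp(44, b"00000abcd")  # User-Name, Acct-Session-Id
SAMPLE_PACKET = build_dae_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, SAMPLE_SECRET)

if __name__ == "__main__":
    print("valid secret   :", verify_dae_request(SAMPLE_PACKET, SAMPLE_SECRET))
    print("wrong secret   :", verify_dae_request(SAMPLE_PACKET, b"wrong"))
    print("trusted source :", verify_dae_request(SAMPLE_PACKET, b"wrong", from_trusted_ip=True))
```

The trusted path accepts a packet that fails under the wrong secret, which is exactly why the guideline limits the trusted address to the master AC that has already performed the check.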
Examples
# Configure the device to trust the DAE packets sent by the device at 192.168.0.2.
<Sysname> system-view
[Sysname] radius dynamic-author client trusted ip 192.168.0.2
radius dynamic-author port
Use radius dynamic-author port to specify the UDP port for listening for and receiving DAE packets.
Use undo radius dynamic-author port to restore the default.
Syntax
radius dynamic-author port listen-port
undo radius dynamic-author port
Default
The UDP port number is 3799.
Views
System view
Default command level
2: System level
Parameters
listen-port: Specifies the UDP port number for listening for and receiving DAE packets, in the range of 1 to 65535.
Usage guidelines
In a MAC-BAC network, make sure all BAS ACs managed by the same master AC use the same UDP port to listen for and receive DAE packets.
The destination port for DAE packets on the master AC must be the same as the port used for listening for and receiving DAE packets on the BAS ACs. To specify the destination port for DAE packets on the master AC, use the server port command.
Examples
# Specify the UDP port as 30000 to listen for and receive DAE packets.
<Sysname> system-view
[Sysname] radius dynamic-author port 30000
radius log packet
Use radius log packet to enable logging of RADIUS packets.
Use undo radius log packet to disable logging of RADIUS packets.
Syntax
radius log packet
undo radius log packet
Default
Logging of RADIUS packets is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable logging of RADIUS packets.
<Sysname> system-view
[Sysname] radius log packet
radius nas-backup-ip
Use radius nas-backup-ip to specify a backup source IP address for outgoing RADIUS packets.
Use undo radius nas-backup-ip to restore the default.
Syntax
radius nas-backup-ip ip-address
undo radius nas-backup-ip
Default
A device is configured with no backup source IP address for outgoing RADIUS packets.
Views
System view
Default command level
2: System level
Parameters
ip-address: Backup source IP address for outgoing RADIUS packets. It must be the source IP address for outgoing RADIUS packets that is configured on the backup device of the stateful failover pair, and it cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
Support for the command depends on the device model. For more information, see About the H3C Access Controllers Command References.
With a backup source IP address configured for outgoing RADIUS packets, a device for stateful failover sends this address to the RADIUS server if it is the active device. When the active device fails, the RADIUS server can send unsolicited RADIUS packets to the backup device.
You can specify up to one public-network backup source IP address. A newly specified public-network backup source IP address overwrites the previous one.
The setting configured by the nas-backup-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-backup-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Examples
# For the device working in stateful failover mode, specify the source IP address and backup source IP address for RADIUS packets as 2.2.2.2 and 3.3.3.3, respectively.
<Sysname> system-view
[Sysname] radius nas-ip 2.2.2.2
[Sysname] radius nas-backup-ip 3.3.3.3
On the backup device, you must specify the source IP address and backup source IP address for RADIUS packets as 3.3.3.3 and 2.2.2.2, respectively.
Related commands
nas-backup-ip
radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to remove the configuration.
Syntax
radius nas-ip { ipv4-address | ipv6 ipv6-address }
undo radius nas-ip { ipv4-address | ipv6 ipv6-address }
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be a link-local address.
Usage guidelines
You can specify up to one public-network source IP address. A newly specified public-network source IP address overwrites the previous one.
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The setting in RADIUS scheme view takes precedence.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip
radius scheme
Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.
Use undo radius scheme to delete a RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Default command level
3: Manage level
Parameters
radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time.
A RADIUS scheme referenced by ISP domains cannot be removed.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
radius trap
Use radius trap to enable the trap function for RADIUS.
Use undo radius trap to disable the trap function for RADIUS.
Syntax
radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
undo radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
Default
The trap function is disabled for RADIUS.
Views
System view
Default command level
2: System level
Parameters
accounting-server-down: Sends traps when the reachability of the accounting server changes.
authentication-error-threshold: Sends traps when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the number of failed request transmission attempts to the total number of transmission attempts. The value range is 1 to 100, and the default is 30. This threshold can only be configured through the MIB.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Usage guidelines
With the trap function for RADIUS, a NAS sends a trap message in the following cases:
· When the status of a RADIUS server changes. If a NAS sends a request but receives no response before the maximum number of attempts is exceeded, it places the server in the blocked state and sends a trap message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers the RADIUS server reachable again and also sends a trap message.
· When the ratio of the number of failed transmission attempts to the total number of authentication request transmission attempts reaches the threshold.
Examples
# Enable the device to send traps in response to accounting server reachability changes.
<Sysname> system-view
[Sysname] radius trap accounting-server-down
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Default command level
2: System level
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
Related commands
display radius statistics
reset stop-accounting-buffer (for RADIUS)
Use reset stop-accounting-buffer to clear buffered stop-accounting requests for which no responses have been received.
Syntax
reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
Views
User view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS scheme.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
Examples
# Clear the stop-accounting requests buffered for user user0001@test.
<Sysname> reset stop-accounting-buffer user-name user0001@test
# Clear the stop-accounting requests buffered in the time range from 0:0:0 to 23:59:59 on August 31, 2006.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006
Related commands
· stop-accounting-buffer enable
· display stop-accounting-buffer
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.
Usage guidelines
Because RADIUS uses UDP packets to transmit data, the communication is not reliable. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Examples
# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
Related commands
· radius scheme
· timer response-timeout
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no real-time accounting request from the NAS for a user within the timeout period, it assumes that a line or device failure has occurred and stops accounting for the user. This can happen when some unexpected failure occurs. To cooperate with this behavior of the RADIUS server, the NAS must keep pace with the server in disconnecting the user. The maximum number of accounting attempts, together with some other parameters, enables the NAS to promptly disconnect the user.
The maximum number of accounting attempts, together with some other parameters, controls how the NAS sends accounting request packets.
Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is 3 (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and it makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
Related commands
· retry
· timer response-timeout
· timer realtime-accounting
retry stop-accounting (RADIUS scheme view)
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts.
Use undo retry stop-accounting to restore the default.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 500.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, in the range of 10 to 65535.
Usage guidelines
The maximum number of stop-accounting request transmission attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of transmission attempts is five (set with the retry command), and the maximum number of stop-accounting request transmission attempts is 20 (set with the retry stop-accounting command). For each stop-accounting request, if the device receives no response within 3 seconds, it retransmits the request. If it receives no responses after retransmitting the request five times, it considers the attempt a failure, buffers the request, and makes another attempt. If 20 consecutive attempts fail, the device discards the request.
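The three worked scenarios above (retry, retry realtime-accounting and retry stop-accounting) combine the same four parameters. The Python below, an added illustration rather than H3C code, lints a scheme's retry settings against the ranges and the 75-second retry x response-timeout limit stated in this reference, and turns the two scenarios into time budgets. The timing functions follow a reading of the text (attempts one real-time accounting interval apart; no pause between stop-accounting attempts, since the page states none); the function names are this example's own.

```python
# Constraint stated in the retry command's usage guidelines
MAX_RETRY_TIMEOUT_PRODUCT_S = 75


def lint_radius_scheme(retry_times, response_timeout_s, realtime_retry, stop_retry):
    """Return a list of problems with a scheme's retry-related settings.
    Ranges are the ones this reference gives; an empty list means all checks pass."""
    problems = []
    if not 1 <= retry_times <= 20:
        problems.append(f"retry {retry_times}: must be 1 to 20")
    product = retry_times * response_timeout_s
    if product > MAX_RETRY_TIMEOUT_PRODUCT_S:
        problems.append(
            f"retry {retry_times} x response-timeout {response_timeout_s}s = {product}s "
            f"exceeds {MAX_RETRY_TIMEOUT_PRODUCT_S}s")
    if not 1 <= realtime_retry <= 255:
        problems.append(f"retry realtime-accounting {realtime_retry}: must be 1 to 255")
    if not 10 <= stop_retry <= 65535:
        problems.append(f"retry stop-accounting {stop_retry}: must be 10 to 65535")
    return problems


def request_failure_delay_s(retry_times, response_timeout_s):
    """Seconds of silence before a single request is declared failed:
    each of the retry_times transmissions waits response_timeout_s."""
    return retry_times * response_timeout_s


def realtime_accounting_cutoff_s(retry_times, response_timeout_s,
                                 realtime_interval_min, realtime_retry):
    """Seconds from the first unanswered real-time accounting request until the
    NAS cuts the user: attempts start one real-time accounting interval apart
    (assumption) and the last one fails after retry_times x response_timeout_s."""
    interval_s = realtime_interval_min * 60
    return (realtime_retry - 1) * interval_s + request_failure_delay_s(retry_times, response_timeout_s)


def stop_accounting_min_discard_s(retry_times, response_timeout_s, stop_retry):
    """Lower bound on the seconds a buffered stop-accounting request is retried
    before being discarded: stop_retry attempts of retry_times transmissions each.
    The page states no pause between attempts, so none is added."""
    return stop_retry * request_failure_delay_s(retry_times, response_timeout_s)


if __name__ == "__main__":
    # Values from the two scenarios in this reference
    print("lint:", lint_radius_scheme(3, 3, 5, 500) or "ok")
    print("user cut after", realtime_accounting_cutoff_s(3, 3, 12, 5), "s")
    print("stop-accounting kept at least", stop_accounting_min_discard_s(5, 3, 20), "s")
```

With the realtime-accounting scenario's values (3 s timeout, 3 transmissions, 12-minute interval, 5 attempts) the user is cut 2889 seconds after the first unanswered request, which is the figure to compare against the server's own online-user timeout.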
Examples
# Set the maximum number of stop-accounting request transmission attempts to 1000 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000
Related commands
· retry
· retry stop-accounting
· timer response-timeout
· display stop-accounting-buffer
secondary accounting (RADIUS scheme view)
Use secondary accounting to specify a secondary RADIUS accounting server.
Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *
undo secondary accounting [ ipv4-address | ipv6 ipv6-address ]
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server, which must be a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default setting is 1813.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.
· cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.
· simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
· If neither cipher nor simple is specified, you set a plaintext shared key string.
· In FIPS mode, the shared key must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and must use 3DES for encryption and decryption.
probe: Enables the device to detect the status of the secondary RADIUS accounting server.
username name: Specifies the username in the accounting request for server status detection.
interval interval: Specifies the detection interval in the range of 1 to 3600, in minutes. The default setting is 10 minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS accounting server are the same as those configured on the server.
You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate with it.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other. Otherwise, the configuration fails.
The shared key configured by this command takes precedence over that configured by using the key accounting [ cipher | simple ] key command.
If you remove a secondary accounting server when the device has already sent a start-accounting request to the server, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on.
If you remove an accounting server being used by online users, the device can no longer send real-time accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting requests.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
You can use the probe username name [ interval interval ] option to configure status detection settings for a secondary RADIUS accounting server. With this configuration, the device sends the server a simulated accounting request that includes the specified username at a random time in each detection interval. The server is considered reachable if it returns a response. Otherwise, the device considers the accounting server unreachable and generates a "server unreachable" trap in either of the following cases:
· When the device also sends at least one real accounting request and does not receive any response to a real or simulated request within one detection interval.
· When the device does not send any real accounting request and does not receive any response to a real or simulated request for three successive intervals.
If an accounting response is received from the accounting server in unreachable state, the device immediately generates a "server reachable" trap, and starts a new detection interval.
When the server status detection function is enabled, the quiet timer specified by the timer quiet command does not take effect.
Examples
# For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello
# For RADIUS scheme radius2, set the IP address of the secondary accounting server to 10.110.1.1, the UDP port to 1813, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in ciphertext.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
# For RADIUS scheme radius1, set the username for status detection of the secondary accounting server (10.110.1.1) to test, and set the detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 probe username test interval 120
Related commands
· key
· state
secondary authentication (RADIUS scheme view)
Use secondary authentication to specify a secondary RADIUS authentication/authorization server.
Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] ] *
undo secondary authentication [ ipv4-address | ipv6 ipv6-address ]
Default
No secondary RADIUS authentication/authorization server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization server, which must be a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization server, a UDP port number in the range of 1 to 65535. The default setting is 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary RADIUS authentication/authorization server.
· cipher key: Specifies a ciphertext shared key, a case-sensitive ciphertext string of 1 to 117 characters.
· simple key: Specifies a plaintext shared key, a case-sensitive string of 1 to 64 characters.
· If neither cipher nor simple is specified, you set a plaintext shared key string.
· In FIPS mode, the shared key must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and must use 3DES for encryption and decryption.
probe: Enables the device to detect the status of the secondary RADIUS authentication/authorization server.
username name: Specifies the username in the authentication request for server status detection.
interval interval: Specifies the detection interval in the range of 1 to 3600, in minutes. The default setting is 10 minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS scheme by executing this command repeatedly. After the configuration, if the primary server fails, the device looks for a secondary server in active state (a secondary RADIUS authentication/authorization server configured earlier has a higher priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different from each other. Otherwise, the configuration fails.
If you remove a secondary authentication server in use in the authentication process, the communication with the secondary server times out, and the device looks for a server in active state from the primary server on.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
You can use the probe username name [ interval interval ] option to configure status detection settings for a secondary RADIUS authentication/authorization server. With this configuration, the device sends the server a simulated authentication request that includes the specified username at a random time in each detection interval. The server is considered reachable if it returns a response. Otherwise, the device considers the server unreachable and generates a "server unreachable" trap in either of the following cases:
· When the device also sends at least one real authentication request and does not receive any response to a real or simulated request within one detection interval.
· When the device does not send any real authentication request and does not receive any response to a real or simulated request for three successive intervals.
If an authentication response is received from the authentication server in unreachable state, the device immediately generates a "server reachable" trap, and starts a new detection interval.
When the server status detection function is enabled, the quiet timer specified by the timer quiet command does not take effect.
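The probe status detection rules are the same for the primary authentication, secondary accounting and secondary authentication commands. The Python below, added here as a model and not H3C code, implements those rules as a small state machine fed one observation per detection interval, so the two trap conditions and the immediate recovery trap can be checked against scripted sequences; class and function names are this example's own.

```python
class ProbeMonitor:
    """Reachability tracking for one RADIUS server under 'probe username ...
    interval ...' status detection, as described in this reference (modelled
    here, not the vendor's implementation)."""

    SILENT_INTERVALS_WITHOUT_REAL_TRAFFIC = 3  # "three successive intervals"

    def __init__(self):
        self.reachable = True
        self.silent_intervals = 0

    def on_response(self):
        """A response to a real or simulated request arrived. It resets the
        silence count; if the server was flagged unreachable, the 'server
        reachable' trap fires immediately and a new interval starts."""
        self.silent_intervals = 0
        if not self.reachable:
            self.reachable = True
            return "server reachable"
        return None

    def end_interval(self, real_requests_sent):
        """A detection interval ended with no response at all. Returns the trap
        to raise, or None. Condition 1: real traffic was sent and nothing was
        answered within this interval. Condition 2: no real traffic, and three
        successive intervals went unanswered."""
        self.silent_intervals += 1
        if not self.reachable:
            return None  # already flagged; do not re-trap every interval
        unanswered_real_traffic = real_requests_sent > 0
        long_silence = self.silent_intervals >= self.SILENT_INTERVALS_WITHOUT_REAL_TRAFFIC
        if unanswered_real_traffic or long_silence:
            self.reachable = False
            return "server unreachable"
        return None


def simulate(intervals):
    """intervals: list of (real_requests_sent, response_received) tuples, one
    per detection interval. Returns the traps generated, in order."""
    monitor = ProbeMonitor()
    traps = []
    for real_sent, got_response in intervals:
        trap = monitor.on_response() if got_response else monitor.end_interval(real_sent)
        if trap:
            traps.append(trap)
    return traps


if __name__ == "__main__":
    # Constructed scenarios: idle link, busy link, and recovery after an outage
    print("idle, 3 silent intervals :", simulate([(0, False)] * 3))
    print("busy, 1 silent interval  :", simulate([(1, False)]))
    print("outage then response     :", simulate([(0, False)] * 3 + [(0, True)]))
```

Note how a single response inside the three-interval window resets the count on an idle link, while any unanswered real request trips the trap at the end of that same interval; the quiet timer plays no part here, matching the guideline above.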
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1812. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key simple hello
# For RADIUS scheme radius2, set the IP address of the secondary authentication/authorization server to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in ciphertext.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
# In RADIUS scheme radius1, set the username used for status detection of the secondary authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval 120
Related commands
· key
· state
security-policy-server
Use security-policy-server to specify a security policy server for a RADIUS scheme.
Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
Default
No security policy server is specified for a RADIUS scheme.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies a security policy server by its IP address.
all: Specifies all security policy servers.
Usage guidelines
You can specify up to eight security policy servers for a RADIUS scheme.
You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Examples
# Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
server-type (RADIUS scheme view)
Use server-type to specify the RADIUS server type.
Use undo server-type to restore the default.
Syntax
server-type { extended | standard }
undo server-type
Default
The supported RADIUS server type is standard.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to interact according to the procedures and packet format of the standard RADIUS protocol (RFC 2865 and 2866 or their successors).
Examples
# Configure the RADIUS server type of RADIUS scheme radius1 as standard.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication/authorization server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device changes the status of the primary server to blocked, starts a quiet timer for the server, and then tries to communicate with a secondary server in active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of the primary server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually.
When the primary server and all secondary servers are in blocked state, the device communicates with the primary server.
Examples
# Set the status of the primary server in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
· display radius scheme
· state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
authentication: Sets the status of the secondary RADIUS authentication/authorization server.
ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
If no IP address is specified, this command changes the status of all configured secondary servers for authentication/authorization or accounting.
If the device finds that a secondary server in active state is unreachable, the device changes the status of the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate with the next secondary server in active state (a secondary RADIUS server configured earlier has a higher priority). When the quiet timer of a server times out, the status of the server changes to active automatically. If you set the status of the server to blocked before the quiet timer times out, the status of the server cannot change back to active automatically unless you set the status to active manually. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
Examples
# Set the status of all secondary servers in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
· display radius scheme
· state primary
stop-accounting-buffer enable (RADIUS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
Default
The device buffers stop-accounting requests to which no responses are received.
Views
RADIUS scheme view
Default command level
2: System level
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the RADIUS accounting servers. For each stop-accounting request that receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet. However, if you have removed the accounting server, stop-accounting messages are not buffered.
Examples
# Enable the device to buffer the stop-accounting requests to which no responses are received.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] stop-accounting-buffer enable
Related commands
· reset stop-accounting-buffer
· display stop-accounting-buffer
timer quiet (RADIUS scheme view)
Use timer quiet to set the quiet timer for servers.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
minutes: Server quiet period in minutes, in the range of 0 to 255. If you set this argument to 0, when the device attempts to send an authentication or accounting request but the current server is unreachable, the device sends the request to the next server in active state, without changing the current server's status. As a result, when the device attempts to send a request of the same type for another user, it still tries to send the request to the current server because the current server is in active state.
Usage guidelines
The quiet timer controls whether the device changes the status of an unreachable server from active to blocked and how long the device keeps an unreachable server in blocked state.
If you determine that the primary server is unreachable because the device's port connected to the server is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the device uses the primary server whenever possible.
Be sure to set the server quiet timer properly. Too short a quiet timer may result in frequent authentication or accounting failures because the device has to repeatedly try to communicate with an unreachable server that is in active state.
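The server selection, quiet-timer and manual-block rules described under state primary, state secondary and timer quiet, as an added Python model (not H3C code; the RadiusServer and RadiusScheme classes, the reachable() probe callback and the use of seconds as the time unit are assumptions made for this example):

```python
"""Model of the RADIUS server selection and quiet-timer rules documented for
state primary, state secondary and timer quiet.  Added illustration only: this
is not H3C code, and the class names, the reachable() probe callback and the
use of seconds for time are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    address: str
    state: str = "active"                  # "active" (normal) or "block" (out of service)
    blocked_until: Optional[float] = None  # when the quiet timer expires (seconds)
    manual_block: bool = False             # set by "state ... block": no automatic recovery


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondaries: List[RadiusServer] = field(default_factory=list)
    quiet_minutes: int = 5                 # "timer quiet" default is 5 minutes

    def _servers(self) -> List[RadiusServer]:
        # Primary first; a secondary configured earlier has higher priority.
        return [self.primary] + self.secondaries

    def _expire_quiet_timers(self, now: float) -> None:
        # A server returns to active when its quiet timer times out, unless it
        # was blocked manually (then only "state ... active" restores it).
        for s in self._servers():
            if (s.state == "block" and not s.manual_block
                    and s.blocked_until is not None and now >= s.blocked_until):
                s.state, s.blocked_until = "active", None

    def set_state(self, server: RadiusServer, state: str) -> None:
        """Equivalent of 'state primary/secondary ... { active | block }'."""
        if state not in ("active", "block"):
            raise ValueError("state must be 'active' or 'block'")
        server.state = state
        server.manual_block = state == "block"
        server.blocked_until = None

    def _mark_unreachable(self, server: RadiusServer, now: float) -> None:
        # timer quiet 0: leave the status unchanged and just try the next server.
        if self.quiet_minutes == 0:
            return
        server.state = "block"
        server.blocked_until = now + self.quiet_minutes * 60

    def send_request(self, now: float, reachable: Callable[[str], bool]) -> Optional[str]:
        """Deliver one authentication/accounting request.

        Returns the address of the server that was reached, or None when the
        device gives up (the attempt is counted as a failure)."""
        self._expire_quiet_timers(now)
        candidates = [s for s in self._servers() if s.state == "active"]
        if not candidates:
            # Primary and all secondaries blocked: the device talks to the primary.
            candidates = [self.primary]
        for s in candidates:
            if reachable(s.address):
                return s.address
            self._mark_unreachable(s, now)
        return None


def demo() -> List[Optional[str]]:
    """Constructed scenario: primary 10.110.1.1 is unreachable for the first 4 minutes."""
    scheme = RadiusScheme(RadiusServer("10.110.1.1"),
                          [RadiusServer("10.110.1.2"), RadiusServer("10.110.1.3")])
    down = {"10.110.1.1"}
    results = [scheme.send_request(0, lambda a: a not in down)]        # -> secondary .2
    results.append(scheme.send_request(120, lambda a: a not in down))  # primary still blocked
    down.clear()
    results.append(scheme.send_request(200, lambda a: a not in down))  # blocked until 5 min pass
    results.append(scheme.send_request(300, lambda a: a not in down))  # quiet timer expired
    return results


if __name__ == "__main__":
    print(demo())  # ['10.110.1.2', '10.110.1.2', '10.110.1.2', '10.110.1.1']
```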
Examples
# Set the quiet timer for the servers to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
Related commands
display radius scheme
timer realtime-accounting
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
minutes: Real-time accounting interval in minutes. The value can be 0 or a multiple of 3, in the range of 3 to 60.
Usage guidelines
Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically. This command sets the interval.
When the real-time accounting interval on the device is 0, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server, or does not send online user accounting information.
Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when there are a large number of users (1000 or more).
Table 7 Recommended real-time accounting intervals
Number of users | Real-time accounting interval (in minutes) |
---|---|
1 to 99 | 3 |
100 to 499 | 6 |
500 to 999 | 12 |
1000 or more | 15 or longer |
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
timer response-timeout (RADIUS scheme view)
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The RADIUS server response timeout period is 3 seconds.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
seconds: RADIUS server response timeout period in seconds, in the range of 1 to 10.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.
The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 75.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
retry
user-name-format (RADIUS scheme view)
Use user-name-format to specify the format of the username to be sent to a RADIUS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
keep-original: Sends the username to the RADIUS server as it is entered.
with-domain: Includes the ISP domain name in the username sent to the RADIUS server.
without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to a RADIUS server.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server may regard two users in different ISP domains but with the same userid as one user.
For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect and the device does not change the usernames from clients before forwarding them to the RADIUS server.
If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
Examples
# Specify the device to remove the domain name in the username sent to the RADIUS servers for the RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
radius scheme
HWTACACS configuration commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The unit for data flows and that for packets must be consistent with those on the HWTACACS server. Otherwise, accounting cannot be performed correctly.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively, in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display hwtacacs
display hwtacacs
Use display hwtacacs to display the configuration of HWTACACS schemes or the statistics for the HWTACACS servers specified in HWTACACS schemes.
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS schemes.
Examples
# Display the configuration of HWTACACS scheme gy.
<Sysname> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
NAS-IP-address : 0.0.0.0
key authentication : ******
key authorization : ******
key accounting : ******
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Username format : with-domain
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Field | Description |
---|---|
HWTACACS-server template name | Name of the HWTACACS scheme. |
Primary-authentication-server | IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0. This rule also applies to the following eight fields. |
Primary-authorization-server | IP address and port number of the primary authorization server. |
Primary-accounting-server | IP address and port number of the primary accounting server. |
Secondary-authentication-server | IP address and port number of the secondary authentication server. |
Secondary-authorization-server | IP address and port number of the secondary authorization server. |
Secondary-accounting-server | IP address and port number of the secondary accounting server. |
Current-authentication-server | IP address and port number of the currently used authentication server. |
Current-authorization-server | IP address and port number of the currently used authorization server. |
Current-accounting-server | IP address and port number of the currently used accounting server. |
NAS-IP-address | IP address of the NAS. If no NAS is specified, this field displays 0.0.0.0. |
key authentication | Key for authentication, displayed as a series of asterisks (******). If no key is configured, this field displays N/A. |
key authorization | Key for authorization, displayed as a series of asterisks (******). If no key is configured, this field displays N/A. |
key accounting | Key for accounting, displayed as a series of asterisks (******). If no key is configured, this field displays N/A. |
Realtime-accounting-interval | Realtime accounting interval. The HWTACACS realtime accounting function is not supported in this release. |
Acct-stop-PKT retransmit times | Number of stop-accounting packet transmission attempts. |
Data traffic-unit | Unit for data flows. |
Packet traffic-unit | Unit for data packets. |
# Display the statistics for the servers specified in HWTACACS scheme gy.
<Sysname> display hwtacacs gy statistics
---[HWTACACS template gy primary authentication]---
HWTACACS server open number: 10
HWTACACS server close number: 10
HWTACACS authen client access request packet number: 10
HWTACACS authen client access response packet number: 6
HWTACACS authen client unknown type number: 0
HWTACACS authen client timeout number: 4
HWTACACS authen client packet dropped number: 4
HWTACACS authen client access request change password number: 0
HWTACACS authen client access request login number: 5
HWTACACS authen client access request send authentication number: 0
HWTACACS authen client access request send password number: 0
HWTACACS authen client access connect abort number: 0
HWTACACS authen client access connect packet number: 5
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure number: 0
HWTACACS authen client access response follow number: 0
HWTACACS authen client access response getdata number: 0
HWTACACS authen client access response getpassword number: 5
HWTACACS authen client access response getuser number: 0
HWTACACS authen client access response pass number: 1
HWTACACS authen client access response restart number: 0
HWTACACS authen client malformed access response number: 0
HWTACACS authen client round trip time(s): 5
---[HWTACACS template gy primary authorization]---
HWTACACS server open number: 1
HWTACACS server close number: 1
HWTACACS author client request packet number: 1
HWTACACS author client response packet number: 1
HWTACACS author client timeout number: 0
HWTACACS author client packet dropped number: 0
HWTACACS author client unknown type number: 0
HWTACACS author client request EXEC number: 1
HWTACACS author client request PPP number: 0
HWTACACS author client request VPDN number: 0
HWTACACS author client response error number: 0
HWTACACS author client response EXEC number: 1
HWTACACS author client response PPP number: 0
HWTACACS author client response VPDN number: 0
HWTACACS author client round trip time(s): 3
---[HWTACACS template gy primary accounting]---
HWTACACS server open number: 0
HWTACACS server close number: 0
HWTACACS account client request packet number: 0
HWTACACS account client response packet number: 0
HWTACACS account client unknown type number: 0
HWTACACS account client timeout number: 0
HWTACACS account client packet dropped number: 0
HWTACACS account client request command level number: 0
HWTACACS account client request connection number: 0
HWTACACS account client request EXEC number: 0
HWTACACS account client request network number: 0
HWTACACS account client request system event number: 0
HWTACACS account client request update number: 0
HWTACACS account client response error number: 0
HWTACACS account client round trip time(s): 0
Related commands
hwtacacs scheme
display stop-accounting-buffer (for HWTACACS)
Use display stop-accounting-buffer to display information about buffered stop-accounting requests.
Syntax
display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1
Total 0 record(s) Matched
Related commands
· reset stop-accounting-buffer
· stop-accounting-buffer enable
· retry stop-accounting
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to remove the configuration.
Syntax
hwtacacs nas-ip ip-address
undo hwtacacs nas-ip ip-address
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
You can specify up to one public-network source IP address. A newly specified public-network source IP address overwrites the previous one.
The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.
Examples
# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS scheme exists.
Views
System view
Default command level
3: Manage level
Parameters
hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time.
An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
key (HWTACACS scheme view)
Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication | authorization } [ cipher | simple ] key
undo key { accounting | authentication | authorization }
Default
No shared key is configured.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key: Specifies the shared key string. This argument is case sensitive. If neither cipher nor simple is specified, you set a plaintext shared key string.
· In non-FIPS mode:
  - A plaintext shared key is a string of 1 to 64 characters.
  - A ciphertext shared key is a ciphertext string of 1 to 117 characters.
· In FIPS mode, a shared key must be at least eight characters that contain digits, uppercase letters, lowercase letters, and special characters, and uses 3DES for encryption and decryption.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting simple hello
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for HWTACACS scheme hwt1, without specifying the simple keyword (a key entered without cipher or simple is treated as plain text).
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
# Set the shared key for secure HWTACACS accounting communication to $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw== in ciphertext for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting cipher $c$3$jaeN0ej15fjuHKeuVh8mqicHzaHdMw==
Related commands
display hwtacacs
nas-ip (HWTACACS scheme view)
Use nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo nas-ip to restore the default.
Syntax
nas-ip ip-address
undo nas-ip
Default
The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the device and cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
If you configure the command multiple times, only the most recent configuration takes effect.
The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS schemes. The setting in HWTACACS scheme view takes precedence.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip
primary accounting (HWTACACS scheme view)
Use primary accounting to specify the primary HWTACACS accounting server.
Use undo primary accounting to remove the configuration.
Syntax
primary accounting ip-address [ port-number ]
undo primary accounting
Default
No primary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the primary HWTACACS accounting server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server only affects accounting processes that occur after the remove operation.
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme test1 as 10.163.155.12 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49
Related commands
display hwtacacs
primary authentication (HWTACACS scheme view)
Use primary authentication to specify the primary HWTACACS authentication server.
Use undo primary authentication to remove the configuration.
Syntax
primary authentication ip-address [ port-number ]
undo primary authentication
Default
No primary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authentication server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the primary HWTACACS authentication server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets. Removing an authentication server only affects authentication processes that occur after the remove operation.
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49
Related commands
display hwtacacs
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization ip-address [ port-number ]
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the primary HWTACACS authorization server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the primary HWTACACS authorization server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary authorization servers must be different. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server only affects authorization processes that occur after the remove operation.
Examples
# Configure the IP address and port number of the primary authorization server for HWTACACS scheme hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49
Related commands
display hwtacacs
reset hwtacacs statistics
Use reset hwtacacs statistics to clear HWTACACS statistics.
Syntax
reset hwtacacs statistics { accounting | all | authentication | authorization }
Views
User view
Default command level
1: Monitor level
Parameters
accounting: Specifies the HWTACACS accounting statistics.
all: Specifies all HWTACACS statistics.
authentication: Specifies the HWTACACS authentication statistics.
authorization: Specifies the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
Related commands
display hwtacacs
reset stop-accounting-buffer (for HWTACACS)
Use reset stop-accounting-buffer to clear the buffered stop-accounting requests for which no responses have been received.
Syntax
reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
Views
User view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies buffered stop-accounting requests that are destined for the accounting server defined in an HWTACACS scheme. The HWTACACS scheme name is a case-insensitive string of 1 to 32 characters.
Examples
# Clear the stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1
Related commands
· stop-accounting-buffer enable
· display stop-accounting-buffer
retry stop-accounting (HWTACACS scheme view)
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts.
Use undo retry stop-accounting to restore the default.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 100.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, in the range of 1 to 300.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50
Related commands
· reset stop-accounting-buffer
· display stop-accounting-buffer
secondary accounting (HWTACACS scheme view)
Use secondary accounting to specify a secondary HWTACACS accounting server.
Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting ip-address [ port-number ]
undo secondary accounting
Default
No secondary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS accounting server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS accounting server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an accounting server only when it is not used by any active TCP connection to send accounting packets. Removing an accounting server only affects accounting processes that occur after the remove operation.
Examples
# Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10.163.155.12 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49
Related commands
display hwtacacs
secondary authentication (HWTACACS scheme view)
Use secondary authentication to specify a secondary HWTACACS authentication server.
Use undo secondary authentication to remove the configuration.
Syntax
secondary authentication ip-address [ port-number ]
undo secondary authentication
Default
No secondary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authentication server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS authentication server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send authentication packets. Removing an authentication server only affects authentication processes that occur after the remove operation.
Examples
# Specify the IP address and port number of the secondary authentication server for HWTACACS scheme hwt1 as 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49
Related commands
display hwtacacs
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove the configuration.
Syntax
secondary authorization ip-address [ port-number ]
undo secondary authorization
Default
No secondary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the secondary HWTACACS authorization server in dotted decimal notation. The default is 0.0.0.0.
port-number: Service port number of the secondary HWTACACS authorization server, in the range of 1 to 65535. The default is 49.
Usage guidelines
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
If you configure the command multiple times, only the most recent configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send authorization packets. Removing an authorization server only affects authorization processes that occur after the remove operation.
Examples
# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49
Related commands
display hwtacacs
stop-accounting-buffer enable (HWTACACS scheme view)
Use stop-accounting-buffer enable to enable the device to buffer stop-accounting requests to which no responses are received.
Use undo stop-accounting-buffer enable to disable the buffering function.
Syntax
stop-accounting-buffer enable
undo stop-accounting-buffer enable
Default
The device buffers stop-accounting requests to which no responses are received.
Views
HWTACACS scheme view
Default command level
2: System level
Usage guidelines
Stop-accounting requests affect the charge to users. A NAS must make its best effort to send every stop-accounting request to the HWTACACS accounting servers. For each stop-accounting request that receives no response in the specified period of time, the NAS buffers and resends the packet until it receives a response or until the number of transmission attempts reaches the configured limit. In the latter case, the NAS discards the packet.
Examples
# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests that receive no responses.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
Related commands
· reset stop-accounting-buffer
· display stop-accounting-buffer
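The buffering and retransmission behaviour described under stop-accounting-buffer enable, together with the retry stop-accounting limit, as an added simulation (not device code; the class and function names are hypothetical, and the transport callback stands in for the TCP exchange with the accounting server):

```python
"""Simulation of NAS-side stop-accounting buffering and retransmission.
Added example for the HWTACACS command reference; not device code."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class StopAccountingRequest:
    session_id: str
    attempts: int = 0   # transmissions so far, including the first one


class StopAccountingBuffer:
    """Hypothetical model: a stop-accounting request that gets no response is
    buffered and resent on each response-timeout expiry until the server
    answers or the transmission count reaches retry-times; then it is dropped."""

    def __init__(self, buffer_enabled: bool = True, retry_times: int = 100) -> None:
        if not 1 <= retry_times <= 300:
            raise ValueError("retry stop-accounting accepts 1 to 300")
        self.buffer_enabled = buffer_enabled
        self.retry_times = retry_times
        self.buffered: List[StopAccountingRequest] = []
        self.acknowledged: List[str] = []
        self.discarded: List[str] = []

    def send(self, req: StopAccountingRequest,
             transport: Callable[[StopAccountingRequest], bool]) -> None:
        """First transmission; transport returns True when a response arrives."""
        req.attempts += 1
        if transport(req):
            self.acknowledged.append(req.session_id)
        elif self.buffer_enabled:
            self.buffered.append(req)
        else:
            self.discarded.append(req.session_id)   # buffering disabled: lost

    def retransmit_round(self, transport: Callable[[StopAccountingRequest], bool]) -> None:
        """One response-timeout expiry: resend everything still buffered."""
        still_waiting = []
        for req in self.buffered:
            req.attempts += 1
            if transport(req):
                self.acknowledged.append(req.session_id)
            elif req.attempts >= self.retry_times:
                self.discarded.append(req.session_id)   # limit reached
            else:
                still_waiting.append(req)
        self.buffered = still_waiting

    def clear(self) -> int:
        """Model of reset stop-accounting-buffer: drop buffered requests."""
        count = len(self.buffered)
        self.buffered = []
        return count


def simulate(retry_times: int, responds_after: int) -> Tuple[List[str], List[str], int]:
    """Constructed scenario: the server answers session 's1' from transmission
    number `responds_after` onward and never answers 's2'.
    Returns (acknowledged, discarded, retransmission rounds needed)."""
    buf = StopAccountingBuffer(retry_times=retry_times)

    def transport(req: StopAccountingRequest) -> bool:
        return req.session_id == "s1" and req.attempts >= responds_after

    for sid in ("s1", "s2"):
        buf.send(StopAccountingRequest(sid), transport)
    rounds = 0
    while buf.buffered:
        buf.retransmit_round(transport)
        rounds += 1
    return buf.acknowledged, buf.discarded, rounds
```

With a retry limit of 5 and a server that answers on the third transmission, 's1' is acknowledged and 's2' is sent exactly five times before being discarded.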
timer quiet (HWTACACS scheme view)
Use timer quiet to set the quiet timer for the primary server.
Use undo timer quiet to restore the default.
Syntax
timer quiet minutes
undo timer quiet
Default
The primary server quiet period is 5 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Primary server quiet period, in the range of 1 to 255, in minutes.
Usage guidelines
When the primary server is found unreachable, the device changes the status of the server from active to blocked and keeps the server in blocked state until the quiet timer expires.
Examples
# Set the quiet timer for the primary server to 10 minutes.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10
Related commands
display hwtacacs
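The server checks described under primary/secondary authentication (distinct IP addresses, valid port range, latest configuration winning) and the active-to-blocked transition governed by timer quiet, as an added model in Python (not device code; the class and method names are hypothetical and time is counted in minutes):

```python
"""Model of HWTACACS primary/secondary server selection under the quiet timer.
Added example for the HWTACACS command reference; not device code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    ip: str
    port: int = 49              # default HWTACACS service port
    blocked_until: float = 0.0  # minute at which the quiet period ends

    def is_active(self, now: float) -> bool:
        """A server is active unless its quiet timer is still running."""
        return now >= self.blocked_until


class HwtacacsScheme:
    """Primary/secondary servers of one scheme with the configuration rules
    from the reference: port 1-65535, distinct primary and secondary IP
    addresses, and the most recent configuration replacing the previous one."""

    def __init__(self, name: str, quiet_minutes: int = 5) -> None:
        if not 1 <= quiet_minutes <= 255:
            raise ValueError("timer quiet accepts 1 to 255 minutes")
        self.name = name
        self.quiet_minutes = quiet_minutes
        self.primary: Optional[Server] = None
        self.secondary: Optional[Server] = None

    @staticmethod
    def _check_port(port: int) -> None:
        if not 1 <= port <= 65535:
            raise ValueError("port-number must be in the range 1 to 65535")

    def set_primary(self, ip: str, port: int = 49) -> None:
        self._check_port(port)
        if self.secondary is not None and self.secondary.ip == ip:
            raise ValueError("primary and secondary server IP addresses must differ")
        self.primary = Server(ip, port)      # latest configuration takes effect

    def set_secondary(self, ip: str, port: int = 49) -> None:
        self._check_port(port)
        if self.primary is not None and self.primary.ip == ip:
            raise ValueError("primary and secondary server IP addresses must differ")
        self.secondary = Server(ip, port)

    def mark_unreachable(self, server: Server, now: float) -> None:
        """Server found unreachable: active -> blocked until the quiet timer expires."""
        server.blocked_until = now + self.quiet_minutes

    def select(self, now: float) -> Optional[Server]:
        """Use the primary if active, otherwise the secondary, otherwise nothing."""
        for server in (self.primary, self.secondary):
            if server is not None and server.is_active(now):
                return server
        return None


def duplicate_secondary_rejected() -> bool:
    """True if configuring the secondary with the primary's IP address fails."""
    scheme = HwtacacsScheme("hwt1")
    scheme.set_primary("10.163.155.13")
    try:
        scheme.set_secondary("10.163.155.13")
    except ValueError:
        return True
    return False


def failover_demo() -> List[str]:
    """Primary found unreachable at t=0 with a 10-minute quiet timer; return the
    server IP chosen at t=0, t=5 and t=10 minutes."""
    scheme = HwtacacsScheme("hwt1", quiet_minutes=10)
    scheme.set_primary("10.163.155.13", 49)
    scheme.set_secondary("10.163.155.12", 49)
    scheme.mark_unreachable(scheme.primary, now=0)
    return [scheme.select(t).ip for t in (0, 5, 10)]
```

The secondary carries authentication for the whole quiet period, and the primary is used again the moment the timer expires, which is why a short quiet timer against a genuinely dead primary produces repeated retries.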
timer response-timeout (HWTACACS scheme view)
Use timer response-timeout to set the HWTACACS server response timeout timer.
Use undo timer response-timeout to restore the default.
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
seconds: HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
Related commands
display hwtacacs
user-name-format (HWTACACS scheme view)
Use user-name-format to specify the format of the username to be sent to an HWTACACS server.
Syntax
user-name-format { keep-original | with-domain | without-domain }
Default
The ISP domain name is included in the username.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
keep-original: Sends the username to the HWTACACS server as it is entered.
with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.
without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
Usage guidelines
A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot recognize a username that includes an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the HWTACACS scheme to more than one ISP domain. This avoids the confusing situation in which the HWTACACS server regards two users in different ISP domains but with the same userid as one.
If the HWTACACS scheme is used for wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users may fail.
Examples
# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for the HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
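The three user-name-format modes and the collision the usage guidelines warn about (one without-domain scheme applied to several ISP domains), as an added example in Python (not device code; format_username and find_collisions are hypothetical names, the '@' separator follows the userid@isp-name form described above, and the default_domain parameter is an assumption for with-domain when no domain was entered):

```python
"""user-name-format handling for HWTACACS and the shared-scheme pitfall.
Added example for the HWTACACS command reference; not device code."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

MODES = ("keep-original", "with-domain", "without-domain")


def split_username(entered: str) -> Tuple[str, str]:
    """Return (userid, isp-name); isp-name is '' when no '@' was entered."""
    userid, _, domain = entered.partition("@")
    return userid, domain


def format_username(entered: str, mode: str, default_domain: str = "") -> str:
    """Username the device sends to the HWTACACS server under each mode.
    default_domain (assumption) is appended for with-domain when the user
    typed no domain; the reference does not specify that case."""
    if mode not in MODES:
        raise ValueError(f"unknown user-name-format {mode!r}")
    if mode == "keep-original":
        return entered
    userid, domain = split_username(entered)
    if mode == "without-domain":
        return userid
    return f"{userid}@{domain or default_domain}"


def find_collisions(mode: str, entered_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each username as sent to the server to the ISP domains it came from,
    keeping only names that now stand for users of more than one domain.
    A non-empty result is the situation the reference warns about: the server
    treats two users from different ISP domains with the same userid as one."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for name in entered_names:
        _, domain = split_username(name)
        seen[format_username(name, mode)].add(domain)
    return {sent: sorted(domains) for sent, domains in seen.items() if len(domains) > 1}
```

Run find_collisions over the usernames of every ISP domain that references the scheme; any entry it returns means the scheme should not be shared, or should send the domain name.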
LDAP configuration commands
authentication-server
Use authentication-server to specify an LDAP authentication server.
Use undo authentication-server to cancel the specified LDAP authentication server.
Syntax
authentication-server ip-address [ port-number ]
undo authentication-server
Default
No LDAP authentication server is specified.
Views
LDAP scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the LDAP authentication server.
port-number: TCP port number of the LDAP authentication server, in the range of 1 to 65535. It defaults to 389.
Usage guidelines
The LDAP server port specified on the device must be consistent with that configured on the LDAP server.
If you change the IP address and port number of the LDAP authentication server, the change is effective only to the LDAP authentications after your change.
Examples
# Specify the IP address of the LDAP authentication server as 192.168.0.10 and the port number as 4300.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] authentication-server 192.168.0.10 4300
Related commands
display ldap scheme
authorization-server
Use authorization-server to specify an LDAP authorization server.
Use undo authorization-server to cancel the specified LDAP authorization server.
Syntax
authorization-server ip-address [ port-number ]
undo authorization-server
Default
No LDAP authorization server is specified.
Views
LDAP scheme view
Default command level
2: System level
Parameters
ip-address: IP address of the LDAP authorization server.
port-number: Port number of the LDAP authorization server, in the range of 1 to 65535. It defaults to 389.
Usage guidelines
The LDAP server port specified on the device must be consistent with that configured on the LDAP server.
If you change the IP address and port number of the authorization server, the change is effective only to the LDAP authorizations after your change.
Examples
# Specify the IP address of the LDAP authorization server as 192.168.0.10 and the port number as 4300.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] authorization-server 192.168.0.10 4300
Related commands
display ldap scheme
display ldap scheme
Use display ldap scheme to display the configuration of an LDAP scheme.
Syntax
display ldap scheme [ scheme-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
scheme-name: LDAP scheme name.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If no LDAP scheme is specified, this command displays the configuration of all schemes.
Examples
# Display the configuration of all LDAP schemes.
<Sysname> display ldap scheme
------------------------------------------------------------------
Scheme name = default
Index = 0
Authentication IP = 1.1.1.1 Port = 390
Authorization IP = 0.0.0.0 Port = 389
LDAP protocol version : LDAPv3
LDAP server type : Microsoft
Server timeout interval : 10 (seconds)
Login account DN : (not configured)
Login account password : ******
User searching parameters:
Base DN : (not configured)
Search scope : all-level
User object class : (not configured)
Username attribute : cn
Username format : without-domain
User group attribute : (not configured)
Group searching parameters:
Base DN : (not configured)
Search scope : all-level
Group object class : (not configured)
Member attribute : (not configured)
Groupname attribute : cn
------------------------------------------------------------------
Total 1 LDAP scheme(s).
Table 9 Command output
Field | Description |
---|---|
Scheme name | LDAP scheme name. |
Index | LDAP scheme index. |
Authentication IP/Port | IP address/port number of the authentication server. If no authentication server is specified, the IP address is 0.0.0.0 and the port number is the default. |
Authorization IP/Port | IP address/port number of the authorization server. If no authorization server is specified, the IP address is 0.0.0.0 and the port number is the default. |
LDAP protocol version | LDAP version number: LDAPv2 or LDAPv3. |
LDAP server type | LDAP server manufacturer: IBM, Microsoft, or Sun. |
Server timeout interval | LDAP server timeout period, in seconds. |
Login account DN | DN of the administrator. |
Login account password | Password of the administrator, displayed as a series of asterisks (******). |
User searching parameters | User search parameters. |
Base DN | Base DN for user search. |
Search scope | User DN search scope: All-level (all sub-directories) or Single-level (sub-directories of the next lower level under the directory of the base DN). |
User object class | Customized user object class. |
Username attribute | Customized user account attribute. |
Username format | Username format: With-domain (the username sent to the server contains the domain name) or Without-domain (the username sent to the server does not contain the domain name). |
User group attribute | User group attribute on the server. |
Group searching parameters | User group search parameters. |
Related commands
ldap scheme
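A parser for the display ldap scheme output shown above, with a check against the requirements stated for an LDAP scheme (at least one authentication or authorization server, an administrator DN, and LDAPv3 for Microsoft servers), as an added example in Python (not device code; the sample text is the output printed in this reference, and parse_ldap_schemes and audit_scheme are hypothetical names):

```python
"""Parser and sanity check for `display ldap scheme` output.
Added example for the LDAP command reference; not device code."""
import re
from typing import Dict, List

# Sample output copied from the reference (one scheme, as displayed).
SAMPLE_OUTPUT = """\
------------------------------------------------------------------
Scheme name = default
Index = 0
Authentication IP = 1.1.1.1 Port = 390
Authorization IP = 0.0.0.0 Port = 389
LDAP protocol version : LDAPv3
LDAP server type : Microsoft
Server timeout interval : 10 (seconds)
Login account DN : (not configured)
Login account password : ******
User searching parameters:
Base DN : (not configured)
Search scope : all-level
User object class : (not configured)
Username attribute : cn
Username format : without-domain
User group attribute : (not configured)
Group searching parameters:
Base DN : (not configured)
Search scope : all-level
Group object class : (not configured)
Member attribute : (not configured)
Groupname attribute : cn
------------------------------------------------------------------
Total 1 LDAP scheme(s).
"""

SERVER_LINE = re.compile(r"^(Authentication|Authorization) IP = (\S+) Port = (\d+)$")
NOT_SET = "(not configured)"


def parse_ldap_schemes(text: str) -> List[Dict[str, str]]:
    """One dict per scheme. Fields under 'User searching parameters' and
    'Group searching parameters' get a 'user.' / 'group.' prefix because both
    sections repeat Base DN and Search scope."""
    schemes: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Total "):
            continue
        if line.startswith("Scheme name"):
            current, prefix = {}, ""
            schemes.append(current)
        m = SERVER_LINE.match(line)
        if m:                                  # "Authentication IP = x Port = y"
            current[f"{m.group(1)} IP"] = m.group(2)
            current[f"{m.group(1)} Port"] = m.group(3)
            continue
        if line.endswith(":"):                 # section heading
            prefix = line.split()[0].lower() + "."
            continue
        sep = " = " if " = " in line else " : "
        key, _, value = line.partition(sep)
        current[prefix + key.strip()] = value.strip()
    return schemes


def audit_scheme(scheme: Dict[str, str]) -> List[str]:
    """Findings drawn from the reference's usage guidelines."""
    findings: List[str] = []
    if (scheme.get("Authentication IP", "0.0.0.0") == "0.0.0.0"
            and scheme.get("Authorization IP", "0.0.0.0") == "0.0.0.0"):
        findings.append("no authentication or authorization server configured")
    if scheme.get("Login account DN", NOT_SET) == NOT_SET:
        findings.append("login-dn not configured (required for binding)")
    if (scheme.get("LDAP server type") == "Microsoft"
            and scheme.get("LDAP protocol version") == "LDAPv2"):
        findings.append("LDAPv2 selected but Microsoft servers support only LDAPv3")
    return findings
```

Against the displayed sample the audit reports only the missing administrator DN; the password line always shows asterisks, so whether login-password was set cannot be read from this output.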
group-parameters
Use group-parameters to configure LDAP group attributes.
Use undo group-parameters to cancel configurations of LDAP group attributes.
Syntax
group-parameters { group-name-attribute { name-attribute | cn | uid } | group-object-class object-class-name | member-name-attribute attribute-name | search-base-dn base-dn | search-scope { all-level | single-level } }
undo group-parameters { group-name-attribute | group-object-class | member-name-attribute | search-base-dn | search-scope }
Default
The search base DN is not specified, the group name attribute is cn, the search scope is all-level, the customized group object class is not specified, and the customized member name attribute is not specified.
Views
LDAP scheme view
Default command level
2: System level
Parameters
group-name-attribute { name-attribute | cn | uid }: Specifies the user group name attribute for group search. The name-attribute argument represents a customized group name attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword means that the user group name attribute is common name, and the uid keyword means that the user group name attribute is user ID.
group-object-class object-class-name: Specifies the group object class for group search. The object-class-name argument represents a class name, a case-insensitive string of 1 to 64 characters.
member-name-attribute attribute-name: Specifies the member name attribute of the group to search for. The attribute-name argument represents member name attribute value, a case-insensitive string of 1 to 64 characters.
search-base-dn base-dn: Specifies the base DN for group search. The base-dn argument represents a DN value, a case-insensitive string of 1 to 255 characters.
search-scope { all-level | single-level }: Specifies the group search scope. The all-level keyword means that the search goes through all sub-directories of the base DN, and the single-level keyword means that the search goes through only the next lower level sub-directories of the base DN.
Usage guidelines
You can use the command repeatedly to configure multiple LDAP group attributes.
Some LDAP server vendors have default values defined for the group object class and member name attribute. If no default values are defined or you want to change the settings, use the group-parameters command.
Examples
# Configure the user group search to go through only the next lower level sub-directories of the base DN.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] group-parameters search-scope single-level
Related commands
· display ldap scheme
· login-dn
ldap scheme
Use ldap scheme to create an LDAP scheme and enter its view.
Use undo ldap scheme to remove an LDAP scheme.
Syntax
ldap scheme ldap-scheme-name
undo ldap scheme ldap-scheme-name
Default
No LDAP scheme is created.
Views
System view
Default command level
3: Manage level
Parameters
ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
LDAP protocol configurations are made in LDAP schemes. Each LDAP scheme must define at least the IP address of the LDAP authentication or authorization server and the administrator DN and administrator password.
One LDAP scheme can be referenced by multiple ISP domains.
The undo ldap scheme command cannot remove an LDAP scheme that is being referenced by ISP domains.
Examples
# Create an LDAP scheme named ldap1, and enter its view.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1]
Related commands
display ldap scheme
login-dn
Use login-dn to specify the administrator DN.
Use undo login-dn to cancel the specified administrator DN.
Syntax
login-dn dn-string
undo login-dn
Default
No administrator DN is specified.
Views
LDAP scheme view
Default command level
2: System level
Parameters
dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The administrator DN specified on the device must be consistent with that configured on the LDAP server.
If you change the administrator DN, the change is effective only to the LDAP authentication and authorization after your change.
Examples
# Specify the administrator DN as uid=test, ou=people, o=example, c=city.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] login-dn uid=test,ou=people,o=example,c=city
Related commands
display ldap scheme
login-password
Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.
Use undo login-password to restore the default.
Syntax
login-password [ cipher | simple ] password
undo login-password
Default
No administrator password is configured.
Views
LDAP scheme view
Default command level
2: System level
Parameters
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 128 characters. If cipher is specified, it must be a ciphertext string of 1 to 201 characters. If neither cipher nor simple is specified, you set a plaintext password string.
Usage guidelines
This command is effective only after the login-dn command is configured.
For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.
Examples
# Configure the administrator password to abcdefg in plain text.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] login-password simple abcdefg
# Configure the administrator password to /tbw94rb4yDN1Ez5vkK1pw== in ciphertext.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] login-password cipher /tbw94rb4yDN1Ez5vkK1pw==
Related commands
· display ldap scheme
· login-dn
protocol-version
Use protocol-version to specify the LDAP version supported in LDAP authentication.
Use undo protocol-version to restore the default.
Syntax
protocol-version { v2 | v3 }
undo protocol-version
Default
The LDAP version is LDAPv3.
Views
LDAP scheme view
Default command level
2: System level
Parameters
v2: Specifies the LDAP version as LDAPv2.
v3: Specifies the LDAP version as LDAPv3.
Usage guidelines
The LDAP version specified on the device must be consistent with that specified on the LDAP server.
If you change the LDAP version on the server, the change is effective only to the LDAP authentication and authorization after your change.
A Microsoft LDAP server supports only LDAPv3.
Examples
# Specify the LDAP version as LDAPv2.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] protocol-version v2
Related commands
display ldap scheme
server-timeout
Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for the LDAP server's replies during authentication or authorization.
Use undo server-timeout to restore the default.
Syntax
server-timeout time-interval
undo server-timeout
Default
The LDAP server timeout period is 10 seconds.
Views
LDAP scheme view
Default command level
2: System level
Parameters
time-interval: LDAP server timeout period, in the range of 5 to 20 seconds.
Usage guidelines
If you change the connection timeout period, the change is effective only to the LDAP authentication and authorization after your change.
Examples
# Set the LDAP server timeout period to 15 seconds.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] server-timeout 15
Related commands
display ldap scheme
server-type (LDAP scheme view)
Use server-type to configure the LDAP server type.
Use undo server-type to restore the default.
Syntax
server-type { ibm | microsoft | sun }
undo server-type
Default
The LDAP server type is Microsoft.
Views
LDAP scheme view
Default command level
2: System level
Parameters
ibm: Specifies the LDAP server manufacturer as IBM.
microsoft: Specifies the LDAP server manufacturer as Microsoft.
sun: Specifies the LDAP server manufacturer as Sun.
Usage guidelines
The LDAP server type specified on the device must be consistent with that specified on the server.
If you change the server type, the change is effective only to the LDAP authentication and authorization after your change.
Examples
# Specify the LDAP server type as IBM.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] server-type ibm
Related commands
display ldap scheme
user-parameters
Use user-parameters to configure LDAP user attributes.
Use undo user-parameters to cancel configurations of LDAP user attributes.
Syntax
user-parameters { search-base-dn base-dn | search-scope { all-level | single-level } | user-group-attribute attribute-name | user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }
undo user-parameters { search-base-dn | search-scope | user-group-attribute | user-name-attribute | user-name-format | user-object-class }
Default
No search base DN is specified, the search scope is all-level, the customized user group attribute is not specified, the user account attribute is cn, the username format is without-domain, and the customized user object class is not specified.
Views
LDAP scheme view
Default command level
2: System level
Parameters
search-base-dn base-dn: Specifies the base DN for user search. The base-dn argument represents a DN value, a case-insensitive string of 1 to 255 characters.
search-scope { all-level | single-level }: Specifies user search scope. The all-level keyword means that the search goes through all sub-directories of the base DN, and the single-level keyword means that the search goes through only the next lower level of sub-directories of the base DN.
user-group-attribute attribute-name: Specifies the user group attribute. The attribute-name argument represents an attribute name, a case-insensitive string of 1 to 64 characters.
user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword means that the user account attribute is common name, and the uid keyword means that the user account attribute is user ID.
user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.
user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.
Usage guidelines
You can use the command repeatedly to configure multiple LDAP user attributes.
Some LDAP server vendors have default values defined for the user group attribute and user object class. In this case, you do not need to configure them on the device. If no default values are defined or you want to change the settings on the device, use the user-parameters command. Make sure that the settings on the device are consistent with those on the server.
Microsoft LDAP server has a default value for the user group attribute, but IBM and Sun servers have no default value for the attribute.
Generally, the name of a user is in the format userid@isp-name, where the string after the at sign (@) is the domain name. In the directory tree of the LDAP server, however, a user identification (which could be cn or uid) may not contain an ISP domain name. If usernames on the LDAP server do not contain domain names, specify the without-domain keyword so that the device removes domain names from usernames before sending them to the server.
Examples
# Set the user search scope to single-level.
<Sysname> system-view
[Sysname] ldap scheme ldap1
[Sysname-ldap-ldap1] user-parameters search-scope single-level
Related commands
display ldap scheme
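How the user-parameters settings (base DN, search scope, object class, username attribute, username format, group attribute) shape the user lookup, as an added example in Python. This is not device code: the reference does not document the device's internal query, so the search shape built here (a search under the base DN for an entry whose username attribute equals the userid, filtered by object class) is an assumption, and UserParameters, build_user_search and escape_filter_value are hypothetical names.

```python
"""Model of how LDAP user-parameters shape the user lookup.
Added example for the LDAP command reference; not device code."""
from dataclasses import dataclass
from typing import Dict, List

# Scope keywords from the command mapped to the usual LDAP search scopes (assumption).
SCOPES = {"all-level": "SUBTREE", "single-level": "ONELEVEL"}


@dataclass
class UserParameters:
    search_base_dn: str = ""            # no default on the device
    search_scope: str = "all-level"
    user_group_attribute: str = ""      # empty: rely on the server vendor default, if any
    user_name_attribute: str = "cn"
    user_name_format: str = "without-domain"
    user_object_class: str = ""         # empty: rely on the server vendor default, if any

    def validate(self) -> None:
        """Length and keyword limits from the command's parameter table."""
        if not 1 <= len(self.search_base_dn) <= 255:
            raise ValueError("search-base-dn must be 1 to 255 characters")
        for value in (self.user_name_attribute, self.user_group_attribute,
                      self.user_object_class):
            if len(value) > 64:
                raise ValueError("attribute and class names are at most 64 characters")
        if self.search_scope not in SCOPES:
            raise ValueError("search-scope must be all-level or single-level")
        if self.user_name_format not in ("with-domain", "without-domain"):
            raise ValueError("user-name-format must be with-domain or without-domain")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so that characters in a username cannot change the
    structure of the search filter."""
    out: List[str] = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(params: UserParameters, entered_username: str) -> Dict[str, object]:
    """Search parameters for the entered userid@isp-name under the given settings."""
    params.validate()
    userid, _, _domain = entered_username.partition("@")
    name = userid if params.user_name_format == "without-domain" else entered_username
    user_filter = f"({params.user_name_attribute}={escape_filter_value(name)})"
    if params.user_object_class:
        user_filter = f"(&(objectClass={params.user_object_class}){user_filter})"
    attributes = [params.user_group_attribute] if params.user_group_attribute else []
    return {
        "base": params.search_base_dn,
        "scope": SCOPES[params.search_scope],
        "filter": user_filter,
        "attributes": attributes,
    }


def unconfigured_base_dn_rejected() -> bool:
    """True if building a search without search-base-dn fails validation."""
    try:
        build_user_search(UserParameters(), "alice@corp")
    except ValueError:
        return True
    return False
```

The single-level scope searches only the next lower level under the base DN, so a user object one level deeper is not found; the without-domain format strips everything from the at sign onward before the name enters the filter, which is where the escaping matters.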