09-Security Command Reference

H3C S6300 Switch Series Command References - Release 243x-6W100

01-AAA commands

Contents

AAA commands
  General AAA commands
    aaa nas-id profile
    aaa session-limit
    accounting command
    accounting default
    accounting lan-access
    accounting login
    accounting portal
    authentication default
    authentication lan-access
    authentication login
    authentication portal
    authentication super
    authorization command
    authorization default
    authorization lan-access
    authorization login
    authorization portal
    authorization-attribute (ISP domain view)
    display domain
    domain
    domain default enable
    domain if-unknown
    nas-id bind vlan
    state (ISP domain view)
  Local user commands
    access-limit
    authorization-attribute (local user view/user group view)
    bind-attribute
    description
    display local-user
    display user-group
    group
    local-user
    local-user auto-delete enable
    password
    service-type
    state (local user view)
    user-group
    validity-datetime
  RADIUS commands
    accounting-on enable
    algorithm loading-share enable
    attribute 15 check-mode
    client
    data-flow-format (RADIUS scheme view)
    display radius scheme
    display radius statistics
    display stop-accounting-buffer (for RADIUS)
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    port
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    radius dynamic-author server
    radius nas-ip
    radius scheme
    radius session-control enable
    radius-server test-profile
    reset radius statistics
    reset stop-accounting-buffer (for RADIUS)
    retry
    retry realtime-accounting
    retry stop-accounting (RADIUS scheme view)
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    security-policy-server
    snmp-agent trap enable radius
    state primary
    state secondary
    stop-accounting-buffer enable (RADIUS scheme view)
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    user-name-format (RADIUS scheme view)
    vpn-instance (RADIUS scheme view)
  HWTACACS commands
    data-flow-format (HWTACACS scheme view)
    display hwtacacs scheme
    display stop-accounting-buffer (for HWTACACS)
    hwtacacs nas-ip
    hwtacacs scheme
    key (HWTACACS scheme view)
    nas-ip (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    primary authentication (HWTACACS scheme view)
    primary authorization
    reset hwtacacs statistics
    reset stop-accounting-buffer (for HWTACACS)
    retry stop-accounting (HWTACACS scheme view)
    secondary accounting (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    secondary authorization
    stop-accounting-buffer enable (HWTACACS scheme view)
    timer quiet (HWTACACS scheme view)
    timer realtime-accounting (HWTACACS scheme view)
    timer response-timeout (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)
  LDAP commands
    authentication-server
    display ldap scheme
    ip
    ipv6
    ldap scheme
    ldap server
    login-dn
    login-password
    protocol-version
    search-base-dn
    search-scope
    server-timeout
    user-parameters


AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter NAS-ID profile view.

Use undo aaa nas-id profile to remove a NAS-ID profile.

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

Default

No NAS-ID profile exists.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.

Examples

# Create a NAS-ID profile named aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

nas-id bind vlan

port-security nas-id-profile

portal nas-id-profile

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

In non-FIPS mode:

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

In FIPS mode:

aaa session-limit { https | ssh } max-sessions

undo aaa session-limit { https | ssh }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users, in the range of 1 to 32.

Usage guidelines

When the number of concurrent login users of a user type reaches the configured limit, the device denies subsequent login attempts of that type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record all commands that have been successfully executed on the device.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

In non-FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

In FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
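The primary/backup ordering described above is shared by every method-list command in this chapter (accounting, authentication and authorization, for the default, lan-access, login and portal targets). The following added example, which is not H3C code, models that ordering in Python: it parses a method list as the syntax blocks define it (remote schemes first, then local, then none; no none in FIPS mode) and returns the method the device would fall back to given which scheme servers are reachable. Scheme names and the reachability set are constructed for illustration.

```python
"""Model of AAA method-list fallback: one primary method followed by backup
methods that are tried in sequence when the method before them is invalid.
Added example, not H3C code; scheme names and reachability are constructed."""
from dataclasses import dataclass
from typing import Optional

REMOTE = ("hwtacacs-scheme", "radius-scheme", "ldap-scheme")
# Position a method kind may occupy: remote scheme(s), then local, then none.
RANK = {"hwtacacs-scheme": 0, "radius-scheme": 0, "ldap-scheme": 0, "local": 1, "none": 2}


@dataclass(frozen=True)
class Method:
    kind: str                 # one of the RANK keys
    scheme: Optional[str]     # scheme name for remote kinds, None for local/none


def parse_method_list(command: str, fips: bool = False) -> list[Method]:
    """Parse e.g. 'accounting default radius-scheme rd local none' into the
    ordered method list. Enforces what the syntax blocks show: a scheme
    keyword takes a 1 to 32 character name (case-insensitive), remote schemes
    come before local and local before none, each kind appears at most once,
    and 'none' is unavailable in FIPS mode."""
    tokens = command.split()
    if len(tokens) < 3:
        raise ValueError("expected '<aaa-type> <user-type> <method> ...'")
    methods: list[Method] = []
    i = 2                                   # skip e.g. 'accounting default'
    while i < len(tokens):
        tok = tokens[i]
        if tok in REMOTE:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a scheme name")
            name = tokens[i + 1]
            if not 1 <= len(name) <= 32:
                raise ValueError("scheme name must be 1 to 32 characters")
            methods.append(Method(tok, name.lower()))
            i += 2
        elif tok in ("local", "none"):
            if tok == "none" and fips:
                raise ValueError("'none' is not available in FIPS mode")
            methods.append(Method(tok, None))
            i += 1
        else:
            raise ValueError(f"unknown method keyword {tok!r}")
    if not methods:
        raise ValueError("at least one method is required")
    kinds = [m.kind for m in methods]
    if len(kinds) != len(set(kinds)):
        raise ValueError("each method kind may appear only once")
    ranks = [RANK[k] for k in kinds]
    if ranks != sorted(ranks):
        raise ValueError("order must be: remote scheme(s), then local, then none")
    return methods


def resolve(methods: list[Method], reachable: set[str]) -> Optional[Method]:
    """Return the method the device will use: the first one that is valid.
    A remote scheme is valid only when its server is reachable; local and
    none are always valid. Returns None when every method is invalid, which
    means the AAA request fails."""
    for m in methods:
        if m.scheme is None or m.scheme in reachable:
            return m
    return None
```

Note that a list ending in none never fails: the device silently stops accounting (or authenticating, or authorizing) once the remote server and local fallback are both unavailable, which is why none belongs only where that outcome is acceptable.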

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting lan-access

Use accounting lan-access to specify accounting methods for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

In non-FIPS mode:

accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

In FIPS mode:

accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

Default

The default accounting methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

Related commands

accounting default

local-user

radius scheme

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

In non-FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

In FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

accounting portal

Use accounting portal to specify accounting methods for portal users.

Use undo accounting portal to restore the default.

Syntax

In non-FIPS mode:

accounting portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

In FIPS mode:

accounting portal { local | radius-scheme radius-scheme-name [ local ] }

undo accounting portal

Default

The default accounting methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

Related commands

accounting default

local-user

radius scheme

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

In non-FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

In FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

In non-FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

In FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

Default

The default authentication methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

In non-FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

In FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication portal

Use authentication portal to specify authentication methods for portal users.

Use undo authentication portal to restore the default.

Syntax

In non-FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

In FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication portal

Default

The default authentication methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

authentication default

ldap scheme

local-user

radius scheme

authentication super

Use authentication super to specify methods for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.

You can specify one authentication method and one backup authentication method, which is used when the first method is invalid.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

hwtacacs scheme

radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

In non-FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

In FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. No authorization server verifies whether the entered commands are permitted. A command is executed as long as the user's authorized user roles have access to it.

Usage guidelines

Command authorization restricts login users to executing only authorized commands: an authorization server verifies whether each entered command is permitted.

The commands that a user can execute are controlled by both the access permission of the user's roles and the command authorization performed by the authorization server. Access permission controls only whether the authorized user roles have access to the entered commands; it does not mean that the user has obtained authorization for those commands. If a command is permitted by the access permission but denied by command authorization, the command cannot be executed.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies a primary HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
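The two-layer decision described in these usage guidelines (role access permission first, then the command authorization method) is modelled in the following added example. It is not H3C code: the role definitions, the HWTACACS server verdicts and the user names are constructed, and the method list is passed as a plain Python list of the keywords from the authorization command syntax.

```python
"""Model of the command authorization decision: a command runs only if the
user's roles have access to it AND the command authorization method permits
it. Added example, not H3C code; roles, users and verdicts are constructed."""
from typing import Callable, Optional

# Constructed user roles: the command prefixes each role has access to.
ROLES = {
    "network-operator": ("display ", "ping "),
    "network-admin": ("display ", "ping ", "system-view", "interface ", "undo "),
}

# A HWTACACS server's answer for (user, command): True/False, or None when
# the server is unreachable (the method is then invalid and a backup is tried).
TacacsVerdict = Callable[[str, str], Optional[bool]]


def role_permits(roles: list[str], command: str) -> bool:
    """Access-permission check: does any authorized user role cover the command?"""
    return any(command.startswith(p) for r in roles for p in ROLES.get(r, ()))


def authorize_command(user: str, roles: list[str], command: str,
                      methods: list[str], tacacs: TacacsVerdict) -> tuple[bool, str]:
    """Decide whether `command` may run, returning (permitted, decided_by).
    `methods` is the ordered list from `authorization command`, for example
    ["hwtacacs", "local", "none"]. The role access check comes first because
    it applies whatever the authorization method is."""
    if not role_permits(roles, command):
        return False, "role-access"
    for method in methods:
        if method == "hwtacacs":
            verdict = tacacs(user, command)
            if verdict is None:
                continue                     # server invalid: try the next backup
            return verdict, "hwtacacs"
        if method == "local":
            # Local authorization compares the command with the user's authorized
            # roles on the device; that comparison already passed above.
            return True, "local"
        if method == "none":
            # No server verification; only the role access check applies.
            return True, "none"
        raise ValueError(f"unknown authorization method {method!r}")
    return False, "no-method"                # every method invalid: command denied


def make_tacacs(reachable: bool) -> TacacsVerdict:
    """Constructed HWTACACS policy: every command is permitted except the
    (user, command) pairs listed in `denied`."""
    denied = {("alice", "undo acl number 3000")}

    def verdict(user: str, command: str) -> Optional[bool]:
        if not reachable:
            return None
        return (user, command) not in denied

    return verdict
```

The case worth noticing is the third one below: when the HWTACACS server is unreachable and local is the backup, a command the server would have denied is executed, because local authorization only re-checks the roles. Keep that in mind when deciding whether local or none belongs in the backup list.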

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

command authorization (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

In non-FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

In FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Non-login users can access the network.

·     Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary default authorization method and multiple backup default authorization methods.

When the primary default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authorization lan-access

Use authorization lan-access to specify authorization methods for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

In non-FIPS mode:

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

In FIPS mode:

authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

Default

The default authorization methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid (for example, the RADIUS server does not respond), the device attempts to use the backup methods in the configured order. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and performs no authorization when both of those methods are invalid. A list that ends in none therefore lets an authenticated LAN user access the network without authorization when all preceding methods are invalid; the none keyword is not available in FIPS mode.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

In non-FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

In FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid (for example, the RADIUS server does not respond), the device attempts to use the backup authorization methods in the configured order. For example, the authorization login radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and performs no authorization when both of those methods are invalid. A list that ends in none therefore gives login users the level-0 user role when all preceding methods are invalid; the none keyword is not available in FIPS mode.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization portal

Use authorization portal to specify authorization methods for portal users.

Use undo authorization portal to restore the default.

Syntax

In non-FIPS mode:

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

In FIPS mode:

authorization portal { local | radius-scheme radius-scheme-name [ local ] }

undo authorization portal

Default

The default authorization methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid (for example, the RADIUS server does not respond), the device attempts to use the backup authorization methods in the configured order. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and performs no authorization when both of those methods are invalid. A list that ends in none therefore lets an authenticated portal user access the network without authorization when all preceding methods are invalid; the none keyword is not available in FIPS mode.
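The method-list evaluation described for authorization default, authorization lan-access, authorization login, and authorization portal, modelled in Python as an added example (not code from the H3C reference or from Comware). The Context values, the user names, and the rule that a missing local entry makes the local method invalid are assumptions of the model, as the comments note.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Method:
    kind: str                     # "radius-scheme", "hwtacacs-scheme", "local" or "none"
    scheme: Optional[str] = None  # scheme name, present only for the two remote kinds


@dataclass
class Context:
    reachable_schemes: set[str]          # remote schemes that currently answer (constructed)
    local_users: dict[str, dict]         # local user database: name -> attributes (constructed)
    authn_radius_scheme: Optional[str]   # RADIUS scheme that authenticated this user, if any


def parse_method_list(args: str) -> list[Method]:
    """Parse the keywords following authorization default|lan-access|login|portal.

    Example: "radius-scheme rd local none" -> [radius-scheme rd, local, none].
    """
    tokens = args.split()
    methods: list[Method] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("radius-scheme", "hwtacacs-scheme"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a scheme name")
            methods.append(Method(tok, tokens[i + 1]))
            i += 2
        elif tok in ("local", "none"):
            methods.append(Method(tok))
            i += 1
        else:
            raise ValueError(f"unknown authorization method keyword: {tok}")
    if not methods:
        raise ValueError("empty method list")
    return methods


def radius_scheme_mismatch(methods: list[Method], authn_radius_scheme: Optional[str]) -> list[str]:
    """RADIUS authorization schemes that differ from the authentication scheme.

    The reference states that RADIUS authorization takes effect only when authentication
    and authorization use the same RADIUS scheme, so these entries never take effect.
    """
    return [m.scheme for m in methods
            if m.kind == "radius-scheme" and m.scheme != authn_radius_scheme]


def authorize(username: str, methods: list[Method], ctx: Context) -> tuple[str, Optional[dict]]:
    """Walk the method list in order; return (method that answered, attributes).

    A remote method is invalid when its server does not respond, so the next backup
    is tried. ASSUMPTION (not stated by the reference): local authorization counts as
    invalid when the user has no local entry. none always succeeds with no attributes.
    """
    for m in methods:
        if m.kind in ("radius-scheme", "hwtacacs-scheme"):
            if m.scheme in ctx.reachable_schemes:
                return f"{m.kind}:{m.scheme}", {"source": m.kind}
            continue                      # server invalid: fall through to the backup
        if m.kind == "local":
            attrs = ctx.local_users.get(username)
            if attrs is not None:
                return "local", attrs
            continue                      # assumption: no local entry -> method invalid
        if m.kind == "none":
            return "none", {}             # fail-open: default authorization information
    return "denied", None                 # every method invalid and no none at the end


def fails_open(methods: list[Method]) -> bool:
    """True when the list ends in none: users are authorized even if every server is down."""
    return methods[-1].kind == "none"
```

Run authorize with an empty reachable_schemes set to see what a list does when the servers are unreachable; fails_open is the check to run over each configured list before approving a domain configuration.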

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | user-profile profile-name }

undo authorization-attribute { ip-pool | ipv6-pool | user-profile }

Default

No authorization attributes are configured for users in the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_), and it must start with a letter.

Usage guidelines

If neither the server nor the NAS authorizes any attributes to an authenticated user, the device authorizes the attributes configured in the ISP domain to the user. Attributes from the server or NAS therefore take precedence over the attributes of the ISP domain.

If you execute the command multiple times, the most recent configuration takes effect.

Examples

# Configure user profile profile1 for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute user-profile profile1

Related commands

display domain

display domain

Use display domain to display the ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 24 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domain(s)

 

Domain: system

 State: Active

  default Authentication Scheme:  local

  default Authorization  Scheme:  local

  default Accounting     Scheme:  local

  Authorization attributes :

   Idle-cut : Disable

 

Domain: dm

 State: Active

 login   Authentication Scheme:  radius: rad

 login   Authorization  Scheme:  tacacs: hw

 default Authentication Scheme:  radius: rad, local, none

 default Authorization  Scheme:  local

 default Accounting     Scheme:  none

 Authorization attributes :

  Idle-cut : Disable

  User profile: test

 

Default Domain Name: system

Table 1 Command output

Field | Description
Domain | ISP domain name.
State | Status of the ISP domain.
default Authentication Scheme | Default authentication methods.
default Authorization Scheme | Default authorization methods.
default Accounting Scheme | Default accounting methods.
login Authentication Scheme | Authentication methods for login users.
login Authorization Scheme | Authorization methods for login users.
login Accounting Scheme | Accounting methods for login users.
Authorization attributes | Authorization attributes for users in the ISP domain.
Idle-cut | Idle cut feature status. The feature is always displayed as disabled because the idle cut feature is not supported in an ISP domain in the current software version.
radius | RADIUS scheme.
tacacs | HWTACACS scheme.
ldap | LDAP scheme.
local | Local scheme.
none | No authentication, no authorization, or no accounting.
Command Authorization Scheme | Command line authorization methods.
Command Accounting Scheme | Command line accounting methods.
Super Authentication Scheme | Authentication methods for obtaining a temporary user role.
IP pool | Name of the authorization IPv4 address pool.
IPv6 pool | Name of the authorization IPv6 address pool.
User profile | Name of the authorization user profile.
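An added example (not part of the H3C reference): a Python parser for the display domain text shown above, with an audit that flags a method list ending in none and a RADIUS authorization scheme that differs from the authentication scheme, which the authorization commands state has no effect. The SAMPLE string is the output above embedded as constructed input; the finding texts are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# The display domain output from the reference, embedded as constructed input.
SAMPLE = """Total 2 domain(s)

Domain: system
 State: Active
  default Authentication Scheme:  local
  default Authorization  Scheme:  local
  default Accounting     Scheme:  local
  Authorization attributes :
   Idle-cut : Disable

Domain: dm
 State: Active
 login   Authentication Scheme:  radius: rad
 login   Authorization  Scheme:  tacacs: hw
 default Authentication Scheme:  radius: rad, local, none
 default Authorization  Scheme:  local
 default Accounting     Scheme:  none
 Authorization attributes :
  Idle-cut : Disable
  User profile: test

Default Domain Name: system
"""

DOMAIN_RE = re.compile(r"^Domain:\s*(\S+)\s*$")
STATE_RE = re.compile(r"^\s*State:\s*(\S+)")
SCHEME_RE = re.compile(r"^\s*(\S+)\s+(Authentication|Authorization|Accounting)\s+Scheme:\s*(.*?)\s*$")


@dataclass
class Domain:
    name: str
    state: str = ""
    # (user type, "authentication"|"authorization"|"accounting") -> ordered [(kind, scheme or None)]
    schemes: dict = field(default_factory=dict)


def parse_methods(text: str) -> list[tuple[str, Optional[str]]]:
    """'radius: rad, local, none' -> [('radius', 'rad'), ('local', None), ('none', None)]"""
    methods = []
    for item in (x.strip() for x in text.split(",")):
        if not item:
            continue
        kind, _, scheme = item.partition(":")
        methods.append((kind.strip(), scheme.strip() or None))
    return methods


def parse_display_domain(text: str) -> dict[str, Domain]:
    """Build one Domain per 'Domain:' block; other lines (attributes, footer) are ignored."""
    domains: dict[str, Domain] = {}
    current = None
    for line in text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            current = Domain(m.group(1))
            domains[current.name] = current
            continue
        if current is None:
            continue
        m = STATE_RE.match(line)
        if m:
            current.state = m.group(1)
            continue
        m = SCHEME_RE.match(line)
        if m:
            current.schemes[(m.group(1), m.group(2).lower())] = parse_methods(m.group(3))
    return domains


def audit(domains: dict[str, Domain]) -> list[str]:
    """Flag method lists ending in none and RADIUS authorization not matched by authentication."""
    findings = []
    for d in domains.values():
        for (utype, aaa), methods in d.schemes.items():
            if methods and methods[-1][0] == "none":
                findings.append(f"{d.name}: {utype} {aaa} method list ends in none")
            if aaa == "authorization":
                # A user type without its own authentication list uses the default list.
                authn = d.schemes.get((utype, "authentication")) or d.schemes.get(("default", "authentication"), [])
                radius_authn = {scheme for kind, scheme in authn if kind == "radius"}
                for kind, scheme in methods:
                    if kind == "radius" and scheme not in radius_authn:
                        findings.append(f"{d.name}: {utype} authorization uses radius:{scheme} "
                                        f"but authentication does not, so it has no effect")
    return findings
```

Feed the parser the captured text of display domain from a device to get the same findings for a live configuration; on the sample above it reports that domain dm authenticates with a list ending in none and accounts with none.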

 

 

domain

Use domain to create an ISP domain and enter ISP domain view.

Use undo domain to remove an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

There is a system-defined ISP domain named system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown. These strings are the default and if-unknown keywords of the domain default enable and domain if-unknown commands and their abbreviated forms, which the CLI cannot distinguish from a domain name in the domain isp-name command.

Usage guidelines

All ISP domains are in active state when they are created.

The system has a predefined ISP domain named system. You can modify but not remove its configuration.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create ISP domain test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

display domain

domain default enable

domain if-unknown

state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users whose usernames do not include a domain name are assigned to the default ISP domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

There can be only one default ISP domain.

The specified ISP domain must already exist.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

display domain

domain

domain if-unknown

Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-domain-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

The device chooses an authentication domain for each user in the following order:

1.     The authentication domain specified for the access module.

2.     The ISP domain in the username.

3.     The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.
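The domain name rules of the domain command and the domain selection order above, as an added Python example (not code from the H3C reference). It assumes that the domain part of a username follows the last '@' (the reference forbids '@' in domain names but does not state the separator) and compares names case-insensitively, as the isp-name description says.

```python
from __future__ import annotations

from typing import Optional

# Names the reference reserves: each is a prefix of the keywords default and if-unknown
# used by the domain default enable and domain if-unknown commands.
RESERVED_NAMES = {
    "d", "de", "def", "defa", "defau", "defaul", "default",
    "i", "if", "if-", "if-u", "if-un", "if-unk", "if-unkn", "if-unkno", "if-unknow", "if-unknown",
}
FORBIDDEN_CHARS = set('/\\|":*?<>@')


def valid_domain_name(name: str) -> bool:
    """Apply the isp-name rules: 1 to 24 characters, no forbidden characters, not reserved."""
    if not 1 <= len(name) <= 24:
        return False
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False
    return name.lower() not in RESERVED_NAMES   # names are case-insensitive


def split_username(username: str) -> tuple[str, Optional[str]]:
    """Split user@domain. ASSUMPTION: '@' separates the domain (it cannot occur in a domain name)."""
    user, sep, domain = username.rpartition("@")
    if not sep or not domain:
        return username, None
    return user, domain


def select_domain(username: str, existing: set[str], default_domain: str = "system",
                  module_domain: Optional[str] = None,
                  if_unknown: Optional[str] = None) -> Optional[str]:
    """Choose the ISP domain for a user in the reference's order.

    1. domain configured for the access module, 2. domain in the username,
    3. default ISP domain of the device. If the chosen domain does not exist,
    the if-unknown domain is used; otherwise None, meaning authentication fails.
    """
    by_lower = {d.lower(): d for d in existing}     # case-insensitive lookup
    _, user_domain = split_username(username)
    chosen = module_domain or user_domain or default_domain
    if chosen.lower() in by_lower:
        return by_lower[chosen.lower()]
    if if_unknown is not None and if_unknown.lower() in by_lower:
        return by_lower[if_unknown.lower()]
    return None
```

Note that a configured if-unknown domain silently catches every mistyped or attacker-supplied domain suffix, so its method lists deserve the same review as the default domain's.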

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN binding exists.

Views

NAS-ID profile view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

aaa nas-id profile

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

Blocking an ISP domain prevents users of the domain that are not yet online from requesting network services. Users that are already online are not affected and stay online.

Examples

# Place the ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 using the local user name abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default.

Syntax

authorization-attribute { acl acl-number | idle-cut minute | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | idle-cut | ip-pool | ipv6-pool | user-profile profile-name | user-role role-name | vlan | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view, user group view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access only the network resources permitted by this ACL.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. The device logs off an online user if the user's idle period exceeds the specified idle timeout period.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_), and it must start with a letter. The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. You can specify a maximum of 64 user roles for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

·     For LAN users, only the following authorization attributes take effect: acl, user-profile, and vlan.

·     For portal users, only the following authorization attributes take effect: acl, ip-pool, ipv6-pool, and user-profile.

·     For Telnet and terminal users, only the following authorization attributes take effect: idle-cut and user-role.

·     For HTTP and HTTPS users, only the user-role authorization attribute takes effect.

·     For SSH users, only the following authorization attributes take effect: idle-cut, user-role, and work-directory.

·     For FTP users, only the following authorization attributes take effect: user-role and work-directory.

·     For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

A local user keeps the user role assigned at creation (see Default) in addition to the roles assigned by this command. To leave the user with only the roles assigned by this command, remove the default role with the undo authorization-attribute user-role role-name command.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

·     When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

·     When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.
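An added Python example (not from the H3C reference) of the precedence and exclusivity rules above: group attributes are merged with local-user-view attributes (the user's own value wins), only the attributes listed for the service type are kept, and assigning security-audit or another role to a security-audit user follows the confirmation rule. The EFFECTIVE table is copied from the list above; the user and group values are constructed.

```python
from __future__ import annotations

# Attributes that take effect per service type, from the usage guidelines above.
EFFECTIVE = {
    "lan-access": {"acl", "user-profile", "vlan"},
    "portal":     {"acl", "ip-pool", "ipv6-pool", "user-profile"},
    "telnet":     {"idle-cut", "user-role"},
    "terminal":   {"idle-cut", "user-role"},
    "http":       {"user-role"},
    "https":      {"user-role"},
    "ssh":        {"idle-cut", "user-role", "work-directory"},
    "ftp":        {"user-role", "work-directory"},
}


def merge_attributes(user_attrs: dict, group_attrs: dict) -> dict:
    """Group attributes apply to every member; a local-user-view attribute overrides the same one."""
    if "user-role" in group_attrs:
        raise ValueError("user-role is not available in user group view")
    merged = dict(group_attrs)
    merged.update(user_attrs)
    return merged


def effective_attributes(service_type: str, user_attrs: dict, group_attrs: dict) -> dict:
    """Keep only the merged attributes that take effect for this service type."""
    allowed = EFFECTIVE.get(service_type, set())   # other service types: nothing takes effect
    return {k: v for k, v in merge_attributes(user_attrs, group_attrs).items() if k in allowed}


def assign_user_role(roles: set[str], new_role: str, confirmed: bool) -> set[str]:
    """Apply the security-audit exclusivity rule when a role is added.

    Assigning security-audit replaces every other role; assigning any other role to a
    security-audit user removes security-audit. Both changes need the operator's [Y/N]
    confirmation; without it the role set is unchanged.
    """
    if new_role == "security-audit" and roles - {"security-audit"}:
        return {"security-audit"} if confirmed else set(roles)
    if new_role != "security-audit" and "security-audit" in roles:
        return {new_role} if confirmed else set(roles)
    return roles | {new_role}


def can_delete_user(username: str, users: dict[str, set[str]]) -> bool:
    """A local user cannot be deleted while it is the only holder of security-audit."""
    if "security-audit" not in users.get(username, set()):
        return True
    return any("security-audit" in roles for name, roles in users.items() if name != username)
```

The effective_attributes filter is the part worth keeping in an audit script: an idle-cut or ACL configured for an SSH or FTP user looks like a control but has no effect for that service type.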

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { ip | location | mac | vlan } *

Default

No binding attribute is configured for a local user.

Views

Local user view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IP address to which the user is bound. This option is applicable only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option is applicable only to LAN and portal users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option is applicable only to LAN and portal users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option is applicable only to LAN and portal users.

Usage guidelines

Binding attributes are checked when a local user is authenticated. If any attribute the device obtains for the user does not match the configured binding, or the device cannot obtain an attribute that a binding requires, user authentication fails.

When you configure binding attributes for a local user, follow these guidelines:

·     Make sure the device can obtain from the user's packet all attributes for checking. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

·     Configure the location binding attribute based on the service type of the user.

¡     If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface through which the user accesses the device.

¡     If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface through which the user accesses the device.

¡     If the user is a portal user, specify the portal-enabled interface through which the user accesses the device. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.
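The binding check described above, as an added Python example (not code from the H3C reference). Which attribute each access type can supply follows the parameter descriptions; the access-type names (802.1x, mac-auth, portal), the sample users and requests, and the case-insensitive comparison of interface names are the example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Attributes each access type can supply for the binding check, from the parameter
# descriptions: ip applies to 802.1X only; location, mac and vlan to LAN and portal users.
CHECKABLE = {
    "802.1x":   {"ip", "location", "mac", "vlan"},
    "mac-auth": {"location", "mac", "vlan"},      # MAC authentication does not use IP addresses
    "portal":   {"location", "mac", "vlan"},
}


@dataclass
class AccessRequest:
    access_type: str      # "802.1x", "mac-auth" or "portal" (names assumed by this example)
    attrs: dict           # what the device learned from the packet and access port (constructed)


def normalize_mac(mac: str) -> str:
    """Canonical H-H-H form so 00:01:00:01:00:01 and 0001-0001-0001 compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def check_bindings(bindings: dict, req: AccessRequest) -> tuple[bool, str]:
    """Return (passed, reason). Every configured binding must be checkable and must match."""
    checkable = CHECKABLE.get(req.access_type)
    if checkable is None:
        return False, f"unknown access type {req.access_type}"
    for name, expected in bindings.items():
        if name not in checkable:
            # The access method cannot supply this attribute, so the user can never pass.
            return False, f"{name} binding cannot be checked for {req.access_type} users"
        actual = req.attrs.get(name)
        if actual is None:
            return False, f"request carries no {name}"
        if name == "mac":
            expected, actual = normalize_mac(expected), normalize_mac(actual)
        elif name == "location":
            # Assumption: interface names compare case-insensitively.
            expected, actual = expected.lower(), actual.lower()
        if expected != actual:
            return False, f"{name} mismatch: bound {expected}, seen {actual}"
    return True, "all bindings match"
```

The "cannot be checked" branch is the configuration error the guidelines warn about: an ip binding on a MAC authentication user locks that user out rather than restricting it.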

Examples

# Bind IP address 3.3.3.3 with the network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute ip 3.3.3.3

Related commands

display local-user

description

Use description to configure a description for a network access user.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a network access user.

Views

Network access user view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure a description for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] description Manager of MSC company

Related commands

display local-user

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

network: Network access user.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

lan-access: LAN users that typically access the network through Ethernet, such as 802.1X users.

portal: Portal users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services. A local user in blocked state cannot request authentication, authorization, and accounting services, but it can request to stop the accounting service in use.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 2 local users matched.

 

Device management user root:

 State:                       Active

 Service Type:                SSH/Telnet/Terminal

 Access limit:                Enabled           Max access number: 3

 Current access number:       1

 User Group:                  system

 Bind Attributes:

 Authorization attributes:

  Work Directory:             flash:

  User Role List:             network-admin

 Password control configurations:

  Password aging:             Enabled (3 days)

Network access user jj:

 State:                       Active

 Service Type:                Lan-access

 User Group:                  system

 Bind Attributes:

  IP Address:                 2.2.2.2

  Location Bound:             Ten-GigabitEthernet1/0/1

  MAC Address:                0001-0001-0001

  VLAN ID:                    2

 Authorization attributes:

  Idle TimeOut:               33 (min)

  Work Directory:             flash:

  ACL number:                 2000

  User profile:               test

  User Role List:             network-operator, level-0, level-3

  Description:                A guest from company cc

  Validity period:

    Start date and time:      2016/04/01-08:00:00

    Expiration date and time: 2017/04/03-18:00:00

Table 2 Command output

Field | Description
State | Status of the local user: active or blocked.
Service Type | Service types that the local user can use: FTP, HTTP, HTTPS, LAN access, portal, SSH, Telnet, and terminal.
Access limit | Whether the concurrent login limit is enabled.
Max access number | Maximum number of concurrent logins using the local user name.
Current access number | Current number of concurrent logins using the local user name.
User Group | Group to which the local user belongs.
Bind attributes | Binding attributes of the local user.
Authorization attributes | Authorization attributes of the local user.
Idle TimeOut | Idle timeout period of the user, in minutes.
Work Directory | Directory that the FTP, SFTP, or SCP user can access.
ACL number | Authorization ACL of the local user.
VLAN ID | VLAN of the local user: the bound VLAN under Bind attributes, or the authorized VLAN under Authorization attributes.
User profile | Authorization user profile of the local user.
IP pool | Authorization IPv4 address pool of the local user.
IPv6 pool | Authorization IPv6 address pool of the local user.
User Role List | Authorized roles of the local user.
Password aging | Appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length | Appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition | Appears only when password composition checking is enabled. The parentheses show the minimum number of character types that the password must contain and the minimum number of characters from each type.
Password complexity | Appears only when password complexity checking is enabled. The parentheses show whether the password can contain the username or the reverse of the username, and whether it can contain any character repeated consecutively three or more times.
Maximum login attempts | Maximum number of consecutive failed login attempts.
Action for exceeding login attempts | Action to take on the user that failed to log in after using up all login attempts.
Description | Description of the network access user.
Validity period | Validity period of the network access user.
Start date and time | Date and time from which the network access user takes effect.
Expiration date and time | Date and time at which the network access user expires.

 

 

display user-group

Use display user-group to display the user group configuration.

Syntax

display user-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a user group, this command displays the configuration of all user groups.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group

Total 2 user groups matched.

 

The contents of user group system:

 Authorization attributes:

  Work Directory:          flash:

The contents of user group jj:

 Authorization attributes:

  Idle TimeOut:            2 (min)

  Work Directory:          flash:/

  ACL Number:              2000

  VLAN ID:                 2

Password control configurations:

  Password aging:          Enabled (2 days)

Table 3 Command output

Field
  Description

Idle TimeOut
  Idle timeout period, in minutes.

Authorization attributes
  Authorization attributes of the user group.

Work Directory
  Directory that FTP, SFTP, or SCP users in the group can access.

ACL Number
  Authorization ACL.

VLAN ID
  Authorized VLAN.

User profile
  Authorization user profile of the user group.

IP pool
  Authorization IPv4 address pool of the user group.

IPv6 pool
  Authorization IPv6 address pool of the user group.

Password control configurations
  Password control attributes that are configured for the user group.

Password aging
  This field appears only when password aging is enabled. The aging time is displayed in parentheses.

Password length
  This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.

Password composition
  This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:
  ·     Minimum number of character types that the password must contain.
  ·     Minimum number of characters from each type in the password.

Password complexity
  This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:
  ·     Whether the password can contain the username or the reverse of the username.
  ·     Whether the password can contain any character repeated consecutively three or more times.

Maximum login attempts
  Maximum number of consecutive failed login attempts.

Action for exceeding login attempts
  Action to take on the user that failed to log in after using up all login attempts.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to the system-defined user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter local user view.

Use undo local-user to remove local users.

Syntax

local-user user-name [ class { manage | network } ]

undo local-user { user-name class { manage | network } | all [ service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | class { manage | network } ] }

Default

No local user exists.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters that does not contain the domain name. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be a, al, or all, either.

class: Specifies the local user type.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

network: Network access user that accesses network resources through the device. Network access users can use the LAN access and portal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

lan-access: LAN users, typically users that access the network through Ethernet, such as 802.1X users.

portal: Portal users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Usage guidelines

If you do not specify the class { manage | network } option, this command adds a device management user.

Examples

# Add a device management user named user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

Related commands

display local-user

service-type

local-user auto-delete enable

Use local-user auto-delete enable to enable the local user auto-delete feature.

Use undo local-user auto-delete enable to restore the default.

Syntax

local-user auto-delete enable

undo local-user auto-delete enable

Default

The local user auto-delete feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to check the validity of local users at a fixed interval of 10 minutes and automatically delete local users whose validity period has expired.

Examples

# Enable the local user auto-delete feature.

<Sysname> system-view

[Sysname] local-user auto-delete enable

Related commands

validity-datetime

password

Use password to configure a password for a local user.

Use undo password to delete the password of a local user.

Syntax

In non-FIPS mode:

password [ { cipher | hash | simple } password ]

undo password

In FIPS mode:

password

Default

In non-FIPS mode, there is no password configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.

In FIPS mode, there is no password configured for a local user. A local user cannot pass authentication.

Views

Local user view

Predefined user roles

network-admin

Parameters

cipher: Sets a ciphertext password.

hash: Sets a hashed password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A cipher password is a string of 1 to 117 characters.

¡     A hashed password is a string of 1 to 110 characters.

¡     A plaintext password is a string of 1 to 63 characters.

·     In FIPS mode, the password is a plaintext string of 15 to 63 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").

Usage guidelines

If you do not specify any parameters or the device operates in FIPS mode, you enter the interactive mode to set a plaintext password. Only device management users support passwords configured in interactive mode.

In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user. In FIPS mode, only password-protected users can pass authentication.

Device management users support plaintext and hashed passwords. Network access users support plaintext and ciphertext passwords. For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext (hashed or encrypted).
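The name and password rules stated for the local-user and password commands are easy to get wrong when accounts are provisioned by script, so here is a small validator that encodes them (the 1 to 55 character, forbidden-character and reserved-name rules for user names; the per-form length limits in non-FIPS mode; the 15 to 63 character, four-character-class rule in FIPS mode). This is an added example written for this page, not H3C code or any Comware API; the function and constant names are its own, and which characters count as "special" in FIPS mode is its assumption (anything other than letters and digits).

```python
import string

# Rules below are the ones stated for the local-user and password commands.
# All names in this example are its own; Comware does not expose such an API.
FORBIDDEN_NAME_CHARS = set("/\\|:*?<>@")   # characters a user name may not contain
RESERVED_NAMES = {"a", "al", "all"}         # names the manual forbids outright
NAME_MAX_LEN = 55

# Maximum password lengths per storage form in non-FIPS mode.
NON_FIPS_MAX_LEN = {"cipher": 117, "hash": 110, "simple": 63}
FIPS_MIN_LEN, FIPS_MAX_LEN = 15, 63


def validate_local_user_name(name: str) -> list:
    """Return the list of rule violations for a local user name (empty when valid)."""
    problems = []
    if not 1 <= len(name) <= NAME_MAX_LEN:
        problems.append(f"length must be 1 to {NAME_MAX_LEN} characters")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Names are case sensitive, so only the exact forms a, al and all are reserved.
    if name in RESERVED_NAMES:
        problems.append(f"{name!r} is a reserved name")
    return problems


def validate_password(password: str, form: str = "simple", fips: bool = False) -> list:
    """Return the list of rule violations for a password string.

    form is "cipher", "hash" or "simple" and applies in non-FIPS mode only.
    In FIPS mode the password is always plaintext (entered interactively) and
    must be 15 to 63 characters containing digits, uppercase letters,
    lowercase letters and special characters. Treating every non-alphanumeric
    character as "special" is this example's assumption.
    """
    problems = []
    if fips:
        if not FIPS_MIN_LEN <= len(password) <= FIPS_MAX_LEN:
            problems.append(f"FIPS password length must be {FIPS_MIN_LEN} to {FIPS_MAX_LEN}")
        alnum = string.ascii_letters + string.digits
        present = {
            "digits": any(c in string.digits for c in password),
            "uppercase letters": any(c in string.ascii_uppercase for c in password),
            "lowercase letters": any(c in string.ascii_lowercase for c in password),
            "special characters": any(c not in alnum for c in password),
        }
        missing = [kind for kind, ok in present.items() if not ok]
        if missing:
            problems.append("FIPS password lacks: " + ", ".join(missing))
        return problems
    if form not in NON_FIPS_MAX_LEN:
        raise ValueError(f"unknown password form: {form!r}")
    if not 1 <= len(password) <= NON_FIPS_MAX_LEN[form]:
        problems.append(f"{form} password length must be 1 to {NON_FIPS_MAX_LEN[form]} characters")
    return problems


if __name__ == "__main__":
    for name in ("user1", "all", "guest@corp", "x" * 56):
        print(name[:20], validate_local_user_name(name) or "OK")
    for pwd, fips in (("123456TESTplat&!", False), ("123456TESTplat&!", True), ("short1A!", True)):
        print(pwd, "FIPS" if fips else "non-FIPS", validate_password(pwd, fips=fips) or "OK")
```

Run the check before pushing a configuration to the device; the password from the manual's own example, 123456TESTplat&!, passes in both modes, while a 16-character lowercase-only string is rejected in FIPS mode for lacking three of the four character classes.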

Examples

# Set the password of the device management user user1 to 123456TESTplat&! in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Set the password of the device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

# Set the password of the network access user user2 to 123456TESTuser&! in plain text.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2] password simple 123456TESTuser&!

Related commands

display local-user

service-type

Use service-type to specify the service types that a local user can use.

Use undo service-type to delete service types configured for a local user.

Syntax

In non-FIPS mode:

service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal }

undo service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal }

In FIPS mode:

service-type { lan-access | { https | ssh | terminal } * | portal }

undo service-type { lan-access | { https | ssh | terminal } * | portal }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

portal: Authorizes the user to use the portal service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state. The local user in blocked state cannot request authentication, authorization, and accounting services, but it can request to stop the accounting service in use.

Usage guidelines

This command applies only to the local user.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter user group view.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

There is a user group named system in the system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. Configurable user attributes are authorization attributes.

A user group with one or more local users cannot be deleted.

The system has a predefined user group named system. You can modify but not remove its configuration.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

validity-datetime

Use validity-datetime to specify the validity period for a network access user.

Use undo validity-datetime to restore the default.

Syntax

validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }

undo validity-datetime

Default

A local user has no validity period configured and does not expire.

Views

Network access user view

Predefined user roles

network-admin

Parameters

from: Specifies the validity start date and time for the user. If you do not specify this option, the command defines only the expiration date and time of the user.

start-date: Specifies the date on which the user becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time on the day when the user becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the user. If you do not specify this option, the command defines only the validity start date and time of the user.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

Expired network access user accounts cannot be used for authentication.

When both the from and to options are specified, the expiration date and time must be later than the validity start date and time.

When only the from option is specified, the user is valid since the specified date and time. When only the to option is specified, the user is valid until the specified date and time.
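The date and time grammar above (two date orders, optional mm and ss, month-dependent day range, year 2000 to 2035, and the rule that the expiration must be later than the start) is worth seeing as code, together with the validity test that the local-user auto-delete feature described earlier applies every 10 minutes. The following is an added example, not H3C code: it parses the argument string of validity-datetime, decides whether a user is valid at a given instant with only from, only to, or both, and lists the users an auto-delete sweep would remove. All function names are its own, and treating the exact expiration instant as already expired is its assumption.

```python
import calendar
from datetime import date, time, datetime
from typing import Dict, Optional, Tuple

YEAR_MIN, YEAR_MAX = 2000, 2035   # year range stated for start-date and expiration-date


def parse_validity_date(text: str) -> date:
    """Parse a date in MM/DD/YYYY or YYYY/MM/DD form with the manual's ranges."""
    parts = text.split("/")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad date: {text!r}")
    if len(parts[0]) == 4:                      # YYYY/MM/DD
        year, month, day = (int(p) for p in parts)
    else:                                       # MM/DD/YYYY
        month, day, year = (int(p) for p in parts)
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year must be {YEAR_MIN} to {YEAR_MAX}: {year}")
    if not 1 <= month <= 12:
        raise ValueError(f"month must be 1 to 12: {month}")
    if not 1 <= day <= calendar.monthrange(year, month)[1]:   # DD range depends on the month
        raise ValueError(f"day {day} is not valid for {year}/{month:02d}")
    return date(year, month, day)


def parse_validity_time(text: str) -> time:
    """Parse hh[:mm[:ss]]; omitted mm and ss are 0, so "1" means 01:00:00."""
    parts = text.split(":")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad time: {text!r}")
    hh, mm, ss = (int(parts[i]) if i < len(parts) else 0 for i in range(3))
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError(f"time out of range: {text!r}")
    return time(hh, mm, ss)


def parse_point(date_text: str, time_text: str) -> datetime:
    """Combine a date and a time token into one instant."""
    return datetime.combine(parse_validity_date(date_text), parse_validity_time(time_text))


def parse_validity_datetime(args: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Parse the argument string of validity-datetime.

    Accepts "from D T to D T", "from D T" or "to D T" and returns
    (start, expiration); an absent option is None.
    """
    tokens = args.split()
    start = end = None
    i = 0
    while i < len(tokens):
        keyword = tokens[i]
        if keyword not in ("from", "to") or i + 2 >= len(tokens):
            raise ValueError(f"unexpected token {keyword!r}")
        point = parse_point(tokens[i + 1], tokens[i + 2])
        if keyword == "from":
            start = point
        else:
            end = point
        i += 3
    if start is None and end is None:
        raise ValueError("at least one of from/to is required")
    if start is not None and end is not None and end <= start:
        raise ValueError("expiration must be later than the start")
    return start, end


def is_user_valid(start: Optional[datetime], end: Optional[datetime], now: datetime) -> bool:
    """Valid from start (if set) until expiration (if set).

    Reaching the expiration instant counts as expired; that boundary is this
    example's assumption, the manual only says the user is valid "until" it.
    """
    if start is not None and now < start:
        return False
    if end is not None and now >= end:
        return False
    return True


def expired_users(users: Dict[str, Tuple[Optional[datetime], Optional[datetime]]],
                  now: datetime) -> list:
    """Names an auto-delete sweep at `now` would remove: users whose expiration has passed."""
    return sorted(name for name, (_, end) in users.items() if end is not None and now >= end)


if __name__ == "__main__":
    period = parse_validity_datetime("from 2015/10/01 00:00:00 to 2016/10/02 12:00:00")
    print(period, is_user_valid(*period, parse_point("2016/01/01", "0")))
```

Note that a user with only a from option never appears in expired_users, matching the guideline that such a user is valid from that instant onward; a user with only a to option is valid immediately and is swept out once the expiration passes.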

Examples

# Specify the validity period for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] validity-datetime from 2015/10/01 00:00:00 to 2016/10/02 12:00:00

Related commands

display local-user

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to restore the default.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to make sure the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set with the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

algorithm loading-share enable

Use algorithm loading-share enable to enable the RADIUS server load sharing feature.

Use undo algorithm loading-share enable to disable the RADIUS server load sharing feature.

Syntax

algorithm loading-share enable

undo algorithm loading-share enable

Default

The RADIUS server load sharing feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Use the RADIUS server load sharing feature to dynamically distribute the workload over multiple servers regardless of their server roles. The device forwards an AAA request to the most appropriate server of all active servers in the scheme after it compares the weight values and numbers of currently served users. Specify a weight value for each RADIUS server based on the AAA capacity of the server. A larger weight value indicates a higher AAA capacity.

In RADIUS server load sharing, once the device sends a start-accounting request to a server for a user, it forwards all subsequent accounting requests of the user to the same server. If the accounting server is unreachable, the device returns an accounting failure message rather than searching for another active accounting server.
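The two behaviours just described (weight-aware server selection across all active servers, and accounting that sticks to the server that received the start-accounting request and fails rather than failing over when that server is unreachable) can be seen in a small model. This is an added example, not H3C code and not a description of the device's internal algorithm: the manual says the device compares weights and currently served user counts but does not publish the ranking, so this model assumes the lowest users-per-weight ratio wins, with ties broken by server name. Class and method names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    name: str
    weight: int            # configured weight; a larger value means more AAA capacity
    active: bool = True    # False models the blocked (unreachable) state
    users: int = 0         # users currently served; this example counts accounting sessions


class LoadSharingScheme:
    """Model of a RADIUS scheme with algorithm loading-share enabled.

    Server ranking (lowest users/weight, ties by name) is an assumption of this
    example; the accounting stickiness follows the manual's usage guidelines.
    """

    def __init__(self, servers: List[RadiusServer]):
        self.servers = {s.name: s for s in servers}
        self.acct_server: Dict[str, str] = {}   # user -> server chosen at start-accounting

    def pick_server(self) -> Optional[RadiusServer]:
        # Only active servers with a positive weight are candidates.
        candidates = [s for s in self.servers.values() if s.active and s.weight > 0]
        if not candidates:
            return None
        return min(candidates, key=lambda s: (s.users / s.weight, s.name))

    def authenticate(self, _user: str) -> Optional[str]:
        """Authentication requests go to whichever server currently ranks best."""
        server = self.pick_server()
        return server.name if server else None

    def account(self, user: str, kind: str) -> Optional[str]:
        """kind is "start", "update" or "stop"; returns the server used, or None on failure."""
        if kind == "start":
            server = self.pick_server()
            if server is None:
                return None
            server.users += 1
            self.acct_server[user] = server.name    # all later accounting sticks here
            return server.name
        if kind not in ("update", "stop"):
            raise ValueError(f"unknown accounting request {kind!r}")
        name = self.acct_server.get(user)
        if name is None:
            return None                      # no session was started for this user
        server = self.servers[name]
        if not server.active:
            return None                      # unreachable: report failure, do not fail over
        if kind == "stop":
            server.users -= 1
            del self.acct_server[user]
        return name


if __name__ == "__main__":
    scheme = LoadSharingScheme([RadiusServer("rad-a", 40), RadiusServer("rad-b", 20)])
    for user in ("u1", "u2", "u3"):
        print(user, "start-accounting ->", scheme.account(user, "start"))
    scheme.servers["rad-a"].active = False
    print("u1 update after rad-a blocked ->", scheme.account("u1", "update"))
```

With weights 40 and 20 the model sends two of the first three sessions to the heavier server, and once that server is blocked the update for a session bound to it fails even though the other server is still active, which is exactly the trade-off the guideline warns about.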

Examples

# Enable the RADIUS server load sharing feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] algorithm loading-share enable

Related commands

display radius scheme

primary accounting (RADIUS scheme view)

primary authentication (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
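To make the strict and loose check methods concrete, here is an added example (not H3C code) that parses the attribute section of a RADIUS reply into type/value pairs, extracts the Login-Service attribute (type 15, a 4-byte integer in RFC 2865), and applies the check for a given service under either mode. The sample reply bytes are constructed for the example, not captured from a server, and the helper names are the example's own. The manual does not say what the device does when the reply carries no Login-Service attribute at all; this example treats that as a failed match, which is an assumption.

```python
import struct
from typing import List, Tuple

LOGIN_SERVICE = 15              # RADIUS attribute type 15, Login-Service (RFC 2865)
LOOSE_VALUE = 0                 # standard Login-Service value accepted in loose mode
STRICT_VALUES = {"ssh": 50, "ftp": 51, "terminal": 52}   # values required in strict mode


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute block into (type, value) pairs.

    Each attribute is a 1-byte type, a 1-byte length that includes the two
    header bytes, and the value. Malformed lengths raise instead of being
    skipped, so a truncated or crafted reply is rejected rather than misread.
    """
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def login_service_values(attrs: List[Tuple[int, bytes]]) -> List[int]:
    """All Login-Service values present in the reply (only well-sized ones count)."""
    return [struct.unpack("!I", value)[0] for atype, value in attrs
            if atype == LOGIN_SERVICE and len(value) == 4]


def login_service_ok(attrs: List[Tuple[int, bytes]], service: str, mode: str = "strict") -> bool:
    """Apply the check mode: strict needs 50/51/52 for ssh/ftp/terminal, loose needs 0."""
    if service not in STRICT_VALUES:
        raise ValueError(f"unknown service {service!r}")
    if mode == "strict":
        expected = STRICT_VALUES[service]
    elif mode == "loose":
        expected = LOOSE_VALUE
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # A reply with no Login-Service attribute fails here (this example's assumption).
    return expected in login_service_values(attrs)


def int_attribute(atype: int, value: int) -> bytes:
    """Build a 4-byte integer attribute; used only to construct the sample replies."""
    return bytes([atype, 6]) + struct.pack("!I", value)


# Constructed sample Access-Accept attribute blocks (not captures from a real server).
SERVICE_TYPE = 6                                        # RADIUS Service-Type attribute, 1 = Login
ACCEPT_SSH_STRICT = int_attribute(SERVICE_TYPE, 1) + int_attribute(LOGIN_SERVICE, 50)
ACCEPT_STANDARD = int_attribute(SERVICE_TYPE, 1) + int_attribute(LOGIN_SERVICE, 0)


if __name__ == "__main__":
    for label, reply in (("vendor value 50", ACCEPT_SSH_STRICT), ("standard value 0", ACCEPT_STANDARD)):
        attrs = parse_attributes(reply)
        for mode in ("strict", "loose"):
            print(label, mode, {s: login_service_ok(attrs, s, mode) for s in STRICT_VALUES})
```

The asymmetry is the point of the guideline: a server that returns the standard value 0 satisfies every service in loose mode, which is why loose should be used only when the server really cannot issue 50, 51 and 52, since strict mode is what lets the device tell an SSH authorization apart from an FTP or terminal one.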

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

client

Use client to specify a RADIUS DAC.

Use undo client to remove a RADIUS DAC.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No RADIUS DACs are specified.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a DAC by its IPv4 address.

ipv6 ipv6-address: Specifies a DAC by its IPv6 address.

key { cipher | simple } string: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.

·     cipher string: Specifies a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Specifies a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the RADIUS DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

With the RADIUS DAS feature, the device listens on the default or specified UDP port to receive DAE requests from the specified DACs. The device processes the requests and sends DAE responses to the DACs.

The device discards any DAE packets sent from DACs that are not specified for the DAS.

You can execute the client command multiple times to specify multiple DACs for the DAS.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# Specify the DAC as 10.110.1.2 in VPN instance abc. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456 vpn-instance abc

Related commands

port

radius dynamic-author server

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display the configuration of RADIUS schemes.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 2 RADIUS schemes

 

------------------------------------------------------------------

RADIUS scheme name  : rad

  Index : 0

  Primary Auth Server:

    Host name: radius.com

    IP   : 82.0.0.37                                Port: 1812

    VPN  : Not configured

    State: Active  

    Test profile: 132

      Probe username: test

      Probe interval: 60 minutes

    Weight: 40

  Primary Acct Server:

    Host name: radius.com

    IP   : 82.0.0.37                                Port: 1813

    VPN  : Not configured                                                       

    State: Active  

    Weight: 40

 

  Accounting-On function                     : Disabled

    retransmission times                     : 50

    retransmission interval(seconds)         : 3

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 12

  Stop-accounting packets buffering          : Enabled

    Retransmission times                     : 500

  NAS IP Address                             : Not configured

  VPN                                        : Not configured

  User Name Format                           : Without-domain

  Data flow unit                             : Byte                            

  Packet unit                                : One

  Attribute 15 check-mode                    : Strict

  Algorithm                                  : primary-secondary

------------------------------------------------------------------

RADIUS scheme name  : rad2

  Index : 1

  Primary Auth Server:

    Host name: radius.com

    IP   : 82.0.0.37                                Port: 1812

    VPN  : 1

    State: Active  

    Test profile: Not configured

    Weight: 0

  Primary Acct Server:

    Host name: radius.com

    IP   : 82.0.0.37                                Port: 1813

    VPN  : 1

    State: Active

    Weight: 0

  Accounting-On function                     : Disabled

    retransmission times                     : 50

    retransmission interval(seconds)         : 3

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(minutes)      : 12

  Stop-accounting packets buffering          : Enabled

    Retransmission times                     : 500

  NAS IP Address                             : Not configured

  VPN                                        : Not configured

  User Name Format                           : Without-domain

  Data flow unit                             : Byte

  Packet unit                                : One

  Attribute 15 check-mode                    : Strict

  Algorithm                                  : loading-share

------------------------------------------------------------------

Table 4 Command output

Field

Description

Index

Index number of the RADIUS scheme.

Primary Auth Server

Information about the primary authentication server.

Primary Acct Server

Information about the primary accounting server.

Second Auth Server

Information about the secondary authentication server.

Second Acct Server

Information about the secondary accounting server.

Host name

Hostname of the server.

The field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP

IP address of the server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port

Service port number of the server. If no port number is specified, this field displays the default port number.

VPN

VPN instance to which the RADIUS server belongs. If no VPN instance is specified for the server, this field displays Not configured.

State

Status of the server: active or blocked.

Test profile

Test profile used for RADIUS server status detection.

Probe username

Username used for RADIUS server status detection.

Probe interval

Server status detection interval, in minutes.

Weight

Weight value of the RADIUS server.

Server: n

Member ID of the security policy server.

IP

IP address of the security policy server.

VPN

VPN instance to which the security policy server belongs. If no VPN instance is specified for the server, this field displays Not configured.

Accounting-On function

Whether the accounting-on feature is enabled.

retransmission times

Number of accounting-on packet transmission attempts.

retransmission interval(seconds)

Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds)

RADIUS server response timeout period, in seconds.

Retransmission Times

Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update

Maximum number of accounting attempts.

Server Quiet Period(minutes)

Quiet period for the servers, in minutes.

Realtime Accounting Interval(minutes)

Interval for sending real-time accounting updates, in minutes.

Stop-accounting packets buffering

Whether buffering of nonresponded RADIUS stop-accounting requests is enabled.

Retransmission times

Maximum number of transmission attempts for individual RADIUS stop-accounting requests.

NAS IP Address

Source IP address for outgoing RADIUS packets.

VPN

VPN instance to which the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured.

User Name Format

Format for the usernames sent to the RADIUS server. Possible values include:

·     With-domain—Includes the domain name.

·     Without-domain—Excludes the domain name.

·     Keep-original—Forwards the username exactly as entered.

Data flow unit

Measurement unit for data flows.

Packet unit

Measurement unit for packets.

Attribute 15 check-mode

RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:

·     Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

Algorithm

Status of the RADIUS server load sharing feature:

·     Disabled—The feature is disabled. The device forwards traffic to the server selected based on primary and secondary server roles.

·     Enabled—The feature is enabled. The device distributes traffic among multiple servers for load sharing.


display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.

          Request Packet:          0             0             0

            Retry Packet:          0             0             -

          Timeout Packet:          0             0             -

        Access Challenge:          0             -             -

           Account Start:          -             0             -

          Account Update:          -             0             -

            Account Stop:          -             0             -

       Terminate Request:          -             -             0

              Set Policy:          -             -             0

    Packet With Response:          0             0             0

 Packet Without Response:          0             0             -

          Access Rejects:          0             -             -

          Dropped Packet:          0             0             0

          Check Failures:          0             0             0

Table 5 Command output

Field

Description

Auth.

Authentication packets.

Acct.

Accounting packets.

SessCtrl.

Session-control packets.

Request Packet

Number of request packets.

Retry Packet

Number of retransmitted request packets.

Timeout Packet

Number of request packets timed out.

Access Challenge

Number of access challenge packets.

Account Start

Number of start-accounting packets.

Account Update

Number of accounting update packets.

Account Stop

Number of stop-accounting packets.

Terminate Request

Number of packets for logging off users forcibly.

Set Policy

Number of packets for updating user authorization information.

Packet With Response

Number of packets for which responses were received.

Packet Without Response

Number of packets for which no responses were received.

Access Rejects

Number of Access-Reject packets.

Dropped Packet

Number of discarded packets.

Check Failures

Number of packets with checksum errors.
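The counters in Table 5 are most useful when read over time rather than once. The following added example (not part of the H3C documentation) parses the display radius statistics output layout shown above and flags the counters an operator would investigate; the sample output, the warning thresholds and the function names are constructed for illustration.

```python
"""Parse `display radius statistics` output and flag counters worth a look.

Added example; the sample output below is constructed in the same layout as
the command output, with non-zero values so that each check fires."""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
                                 Auth.         Acct.       SessCtrl.
          Request Packet:         120            80             2
            Retry Packet:          15             4             -
          Timeout Packet:           5             0             -
        Access Challenge:          10             -             -
           Account Start:           -            40             -
          Account Update:           -            30             -
            Account Stop:           -            10             -
       Terminate Request:           -             -             2
              Set Policy:           -             -             0
    Packet With Response:         115            80             2
 Packet Without Response:           5             0             -
          Access Rejects:          12             -             -
          Dropped Packet:           0             0             0
          Check Failures:           3             0             0
"""

COLUMNS = ("Auth.", "Acct.", "SessCtrl.")
# A data row is "<counter name>:" followed by one value per column.
ROW_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<vals>.+?)\s*$")


def parse_radius_statistics(text: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Return {column: {counter: value}}; '-' (not applicable) becomes None."""
    stats: Dict[str, Dict[str, Optional[int]]] = {col: {} for col in COLUMNS}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # column header or blank line
        vals = m.group("vals").split()
        if len(vals) != len(COLUMNS):
            raise ValueError(f"unexpected column count in line: {line!r}")
        name = m.group("name").strip()
        for col, raw in zip(COLUMNS, vals):
            stats[col][name] = None if raw == "-" else int(raw)
    return stats


def radius_health_warnings(stats: Dict[str, Dict[str, Optional[int]]],
                           max_unanswered_ratio: float = 0.02,
                           max_reject_ratio: float = 0.05) -> List[str]:
    """Apply three operator checks per packet class (thresholds constructed):
    - Check Failures > 0: replies that did not validate; a shared key that
      differs between NAS and server is the usual cause (see the key command).
    - Unanswered requests above a ratio: server unreachable, or the server does
      not recognise the NAS source address (see nas-ip / radius nas-ip).
    - Access-Reject ratio above a threshold: worth correlating with the
      authentication logs for failed-logon patterns."""
    warnings: List[str] = []
    for col, counters in stats.items():
        sent = counters.get("Request Packet") or 0
        unanswered = counters.get("Packet Without Response") or 0
        check_fail = counters.get("Check Failures") or 0
        rejects = counters.get("Access Rejects") or 0
        if check_fail:
            warnings.append(f"{col}: {check_fail} packets failed validation; "
                            "verify the shared key on NAS and server")
        if sent and unanswered / sent > max_unanswered_ratio:
            warnings.append(f"{col}: {unanswered}/{sent} requests unanswered; "
                            "check server reachability and NAS IP registration")
        if sent and rejects / sent > max_reject_ratio:
            warnings.append(f"{col}: {rejects}/{sent} requests rejected; "
                            "review authentication failures")
    return warnings


if __name__ == "__main__":
    parsed = parse_radius_statistics(SAMPLE_OUTPUT)
    for w in radius_health_warnings(parsed):
        print(w)
```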


Related commands

reset radius statistics

display stop-accounting-buffer (for RADIUS)

Use display stop-accounting-buffer to display information about buffered RADIUS stop-accounting requests to which no responses have been received.

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.

time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.

Examples

# Display information about nonresponded RADIUS stop-accounting requests buffered for user abc.

<Sysname> display stop-accounting-buffer user-name abc

Total entries: 2

Scheme     Session ID          Username    First sending time   Attempts

rad1       1000326232325010    abc         23:27:16-08/31/2015  19

aaa        1000326232326010    abc         23:33:01-08/31/2015  20

Table 6 Command output

Field

Description

First sending time

Time when the stop-accounting request was first sent.

Attempts

Number of attempts that were made to send the stop-accounting request.


Related commands

reset stop-accounting-buffer (for RADIUS)

retry

retry stop-accounting (RADIUS scheme view)

stop-accounting-buffer enable (RADIUS scheme view)

user-name-format (RADIUS scheme view)

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS communication.

Use undo key to restore the default.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Sets the shared key for secure RADIUS accounting communication.

authentication: Sets the shared key for secure RADIUS authentication communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A ciphertext password is a string of 1 to 117 characters.

¡     A plaintext password is a string of 1 to 64 characters.

·     In FIPS mode:

¡     A ciphertext password is a string of 15 to 117 characters.

¡     A plaintext password is a string of 15 to 64 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

Examples

# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain text.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is the IP address specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

If no source IP address is specified for outgoing RADIUS packets, the packets carry the address of the outbound interface, and packets returned from the server cannot reach the device if that physical port fails. As a best practice, configure a loopback interface address as the source IP address for outgoing RADIUS packets.

A RADIUS scheme can have only one source IP address for outgoing RADIUS packets. If you specify a new source IP address for the same RADIUS scheme, the new address overwrites the old one.

Examples

# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

display radius scheme

radius nas-ip

port

Use port to specify the RADIUS DAS port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAS port number is 3799.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.

Examples

# Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

client

radius dynamic-author server

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests, either. The device might generate incorrect accounting results.

Examples

# Specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

algorithm loading-share enable

display radius scheme

key (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the primary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the primary RADIUS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the primary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The service port and shared key settings of the primary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a.     Checks the weight value and number of currently served users for each active server.

b.     Determines the most appropriate server in performance to receive an AAA request.

Examples

# Specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&! for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

algorithm loading-share enable

display radius scheme

key (RADIUS scheme view)

radius-server test-profile

secondary authentication (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAS feature and enter RADIUS DAS view.

Use undo radius dynamic-author server to disable the RADIUS DAS feature.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAS feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs.

Examples

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

client

port

radius nas-ip

Use radius nas-ip to specify a source address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

If no source IP address is specified for outgoing RADIUS packets, the packets carry the address of the outbound interface, and packets returned from the server cannot reach the device if that physical port fails.

You can specify a maximum of 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

A newly specified public-network source IP address overwrites the previous address. Each VPN instance can have at most one private-network source IPv4 address and one private-network source IPv6 address.

When you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

Examples

# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

The setting depends on the type of the startup configuration:

·     If the device starts up with initial settings, no RADIUS scheme is defined.

·     If the device starts up with the default configuration file, a RADIUS scheme named system is defined.

For more information about the startup configuration, see Fundamentals Configuration Guide.

Views

System view

Predefined user roles

network-admin

Parameters

radius-scheme-name: RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports at most 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to restore the default.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled and the UDP port 1812 is closed.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ password { cipher | simple } string ] [ interval interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

password: Specifies the user password in the detection packets. If you do not specify a user password, the device randomly generates a user password for each detection packet. As a best practice, specify a user password to prevent the RADIUS server from mistaking detection packets that contain randomly generated passwords as attack packets.

cipher: Specifies the password in encrypted form.

simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection at an interval of 10 minutes. The detection packet uses username admin and password 123 in plaintext.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin password simple 123 interval 10

Related commands

primary authentication (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

reset stop-accounting-buffer (for RADIUS)

Use reset stop-accounting-buffer to clear buffered RADIUS stop-accounting requests to which no responses have been received.

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }

Views

User view

Predefined user roles

network-admin

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.

time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.

Examples

# Clear nonresponded RADIUS stop-accounting requests buffered for user user0001@test.

<Sysname> reset stop-accounting-buffer user-name user0001@test

# Clear nonresponded RADIUS stop-accounting requests buffered from 0:0:0 to 23:59:59 on August 31, 2015.

<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2015 23:59:59-08/31/2015

Related commands

display stop-accounting-buffer (for RADIUS)

stop-accounting-buffer enable (RADIUS scheme view)

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retry-times

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

·     If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

·     If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.

Examples

# Set the maximum number of RADIUS packet transmission attempts to 5 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

radius scheme

timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user.

To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects a user according to the maximum number of accounting attempts together with the related timer and retry settings described in the following example.

For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.

Examples

# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

retry

timer realtime-accounting (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

retry stop-accounting (RADIUS scheme view)

Use retry stop-accounting to set the maximum number of transmission attempts for individual RADIUS stop-accounting requests.

Use undo retry stop-accounting to restore the default.

Syntax

retry stop-accounting retries

undo retry stop-accounting

Default

The maximum number of transmission attempts is 500 for individual RADIUS stop-accounting requests.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535.

Usage guidelines

The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters:

·     RADIUS server response timeout timer (set by using the timer response-timeout command).

·     Maximum number of times to transmit a RADIUS packet per round (set by using the retry command).

For example, the following settings exist:

·     The RADIUS server response timeout timer is 3 seconds.

·     The maximum number of times to transmit a RADIUS packet per round is five.

·     The maximum number of stop-accounting request transmission attempts is 20.

A stop-accounting request is retransmitted if the device does not receive a response within 3 seconds. When all five transmission attempts in this round are used, the device buffers the request and starts another round of retransmission. If 20 consecutive rounds of attempts fail, the device discards the request.
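The two retransmission schedules described on this page (real-time accounting attempts under retry realtime-accounting, and the stop-accounting rounds described above) can be worked through with the following simulation. It is an added example written for this reference, not H3C code: it models the NAS as the text describes it, with three assumptions labeled in the comments (a response, when one comes, arrives before the timeout; the real-time interval timer is not stretched by the retransmissions inside an attempt; the retry stop-accounting count includes the first round). The validate function also applies the ranges stated on this page and the rule that retry multiplied by timer response-timeout must not exceed 300 seconds.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class RadiusSchemeTimers:
    """Per-scheme values from the commands on this page; defaults as documented."""
    response_timeout_s: int = 3       # timer response-timeout, 1 to 10 seconds
    retry: int = 3                    # retry: transmissions of one packet per round
    realtime_interval_min: int = 12   # timer realtime-accounting, 0 to 60 minutes
    retry_realtime: int = 5           # retry realtime-accounting, 1 to 255
    retry_stop: int = 500             # retry stop-accounting, 10 to 65535


@dataclass(frozen=True)
class RealtimeResult:
    disconnected: bool   # True when the NAS cut the user connection
    attempts: int        # real-time accounting attempts made
    elapsed_s: int       # simulated seconds since the last successful update


@dataclass(frozen=True)
class StopResult:
    delivered: bool      # True when the server answered before the request was dropped
    transmissions: int   # total transmissions of the one stop-accounting request
    elapsed_s: int       # simulated seconds spent waiting for responses


def validate(t: RadiusSchemeTimers) -> List[str]:
    """Range checks from this page plus the retry x timeout <= 300 s rule."""
    problems = []
    if not 1 <= t.response_timeout_s <= 10:
        problems.append("timer response-timeout must be 1 to 10 seconds")
    if not 0 <= t.realtime_interval_min <= 60:
        problems.append("timer realtime-accounting must be 0 to 60 minutes")
    if not 1 <= t.retry_realtime <= 255:
        problems.append("retry realtime-accounting must be 1 to 255")
    if not 10 <= t.retry_stop <= 65535:
        problems.append("retry stop-accounting must be 10 to 65535")
    if t.retry * t.response_timeout_s > 300:
        problems.append("retry x timer response-timeout exceeds 300 seconds")
    return problems


def simulate_realtime_accounting(t: RadiusSchemeTimers,
                                 server_answers: Callable[[int], bool],
                                 max_attempts: int = 50) -> RealtimeResult:
    """Run accounting attempts until retry_realtime *consecutive* attempts fail.

    server_answers(attempt_no) says whether the server responds during that attempt.
    Assumptions: a response arrives before the timeout; the interval timer is not
    extended by the retransmissions inside an attempt.
    """
    consecutive_failures = 0
    elapsed_s = 0
    for attempt in range(1, max_attempts + 1):
        elapsed_s += t.realtime_interval_min * 60      # interval timer fires
        answered = False
        for _ in range(t.retry):                        # up to `retry` transmissions
            if server_answers(attempt):
                answered = True
                break
            elapsed_s += t.response_timeout_s           # full timeout, then retransmit
        if answered:
            consecutive_failures = 0                    # a response resets the count
            continue
        consecutive_failures += 1
        if consecutive_failures >= t.retry_realtime:
            return RealtimeResult(True, attempt, elapsed_s)
    return RealtimeResult(False, max_attempts, elapsed_s)


def simulate_stop_accounting(t: RadiusSchemeTimers,
                             server_answers: Callable[[int], bool],
                             buffer_enabled: bool = True) -> StopResult:
    """Retransmit one stop-accounting request in rounds of `retry` transmissions.

    With buffering enabled (the default) the request is re-queued after each failed
    round, up to retry_stop rounds in total (assumption: the first round counts).
    server_answers(transmission_no) says whether that transmission gets a response.
    """
    rounds = t.retry_stop if buffer_enabled else 1
    transmissions = 0
    for _ in range(rounds):
        for _ in range(t.retry):
            transmissions += 1
            if server_answers(transmissions):
                return StopResult(True, transmissions, (transmissions - 1) * t.response_timeout_s)
    return StopResult(False, transmissions, transmissions * t.response_timeout_s)


if __name__ == "__main__":
    defaults = RadiusSchemeTimers()
    print("config problems:", validate(defaults) or "none")
    print("server silent:", simulate_realtime_accounting(defaults, lambda a: False))
    print("answers only on attempt 4:", simulate_realtime_accounting(defaults, lambda a: a == 4))
    page_example = RadiusSchemeTimers(retry=5, retry_stop=20)   # values used in the text above
    print("stop-accounting, server silent:", simulate_stop_accounting(page_example, lambda n: False))
```

With the defaults, a server that stays silent costs 5 attempts of 12 minutes plus 9 seconds each, so the user is cut roughly 61 minutes after the last successful update; a single answer on attempt 4 resets the consecutive counter and pushes the cut-off to attempt 9. With the values used in the stop-accounting text (retry 5, retry stop-accounting 20) the device sends the stop-accounting request 100 times over 300 seconds before discarding it, and only 5 times when buffering is disabled.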

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

Related commands

display stop-accounting-buffer (for RADIUS)

retry

timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the secondary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

You can configure a maximum of 16 secondary RADIUS accounting servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary RADIUS accounting server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# For RADIUS scheme radius1, specify a secondary accounting server with the IP address 10.110.1.1 and the UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# For RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

algorithm loading-share enable

display radius scheme

key (RADIUS scheme view)

primary accounting (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the secondary RADIUS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary RADIUS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 117 characters.

¡     In FIPS mode, the key is a string of 15 to 117 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 64 characters.

¡     In FIPS mode, the key is a string of 15 to 64 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the secondary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

You can configure a maximum of 16 secondary RADIUS authentication servers for a RADIUS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary RADIUS authentication server must be the same as the settings configured on the server.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a.     Checks the weight value and number of currently served users for each active server.

b.     Determines the most appropriate server in performance to receive an AAA request.
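The constraints listed for secondary accounting and secondary authentication servers (at most 16 secondaries per scheme, no two servers of one type with the same hostname or address, port and VPN instance, the port range, the weight range, and the shared-key length and FIPS complexity rules) are easy to violate in a long scheme. The following linter is an added example written for this reference, not H3C code; it checks a scheme's server list against those rules before the configuration is committed. The RadiusServer record, the field names, and the sample hostnames and keys are constructed for the example and are not part of the device CLI.

```python
import string
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORT = {"authentication": 1812, "accounting": 1813}
MAX_SECONDARY = 16


@dataclass(frozen=True)
class RadiusServer:
    role: str                        # "authentication" or "accounting"
    rank: str                        # "primary" or "secondary"
    host: str                        # hostname, IPv4 or IPv6 address as typed
    port: Optional[int] = None       # None: role default (1812 / 1813)
    vpn_instance: Optional[str] = None
    key: Optional[str] = None        # per-server key; None: the scheme-level key applies
    key_form: str = "simple"         # "simple" (plaintext) or "cipher"
    weight: int = 0                  # 0: excluded from load sharing


def effective_port(s: RadiusServer) -> int:
    return s.port if s.port is not None else DEFAULT_PORT[s.role]


def check_shared_key(key: str, key_form: str, fips: bool) -> List[str]:
    """Length and, in FIPS mode, complexity rules for a shared key as stated on this page."""
    problems = []
    max_len = 117 if key_form == "cipher" else 64
    min_len = 15 if fips else 1
    if not min_len <= len(key) <= max_len:
        problems.append(f"{key_form} key length must be {min_len} to {max_len} characters")
    if fips and key_form == "simple":
        has = (any(c.isdigit() for c in key), any(c.isupper() for c in key),
               any(c.islower() for c in key), any(c in string.punctuation for c in key))
        if not all(has):
            problems.append("FIPS mode: plaintext key needs digits, uppercase, lowercase and special characters")
    return problems


def lint_scheme(servers: List[RadiusServer], fips: bool = False) -> List[str]:
    """Checks to run before committing the scheme; returns one message per violation."""
    problems: List[str] = []
    for role in ("authentication", "accounting"):
        same_role = [s for s in servers if s.role == role]
        if sum(s.rank == "secondary" for s in same_role) > MAX_SECONDARY:
            problems.append(f"{role}: more than {MAX_SECONDARY} secondary servers")
        seen = set()
        for s in same_role:
            # hostnames are case-insensitive; same host on another port or VPN is allowed
            ident = (s.host.lower(), effective_port(s), s.vpn_instance)
            if ident in seen:
                problems.append(f"{role}: duplicate server {s.host} port {ident[1]} vpn {s.vpn_instance}")
            seen.add(ident)
    for s in servers:
        where = f"{s.role} server {s.host}"
        if not 1 <= effective_port(s) <= 65535:
            problems.append(f"{where}: port must be 1 to 65535")
        if not 0 <= s.weight <= 100:
            problems.append(f"{where}: weight must be 0 to 100")
        if s.key is not None:
            problems.extend(f"{where}: {p}" for p in check_shared_key(s.key, s.key_form, fips))
    return problems


if __name__ == "__main__":
    # Constructed sample scheme: the duplicate on line 2 repeats the primary's default port.
    scheme = [
        RadiusServer("accounting", "primary", "10.110.1.1", 1813),
        RadiusServer("accounting", "secondary", "10.110.1.1"),
        RadiusServer("authentication", "primary", "radius.example.net", key="hunter2"),
    ]
    for msg in lint_scheme(scheme, fips=True):
        print(msg)
```

Note that the duplicate check uses the effective port, so secondary accounting 10.110.1.1 with no port collides with a primary configured on 1813 explicitly, which is exactly the case the device rejects.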

Examples

# For RADIUS scheme radius1, specify a secondary authentication server with the IP address 10.110.1.2 and the UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# Specify two secondary authentication servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

algorithm loading-share enable

display radius scheme

key (RADIUS scheme view)

primary authentication (RADIUS scheme view)

radius-server test-profile

vpn-instance (RADIUS scheme view)

security-policy-server

Use security-policy-server to specify a security policy server.

Use undo security-policy-server to remove a security policy server.

Syntax

security-policy-server { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo security-policy-server { { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] | all }

Default

No security policy server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the security policy server.

ipv6 ipv6-address: Specifies the IPv6 address of the security policy server.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the security policy server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the security policy server is on the public network, do not specify this option.

all: Specifies all security policy servers.

Usage guidelines

You can specify a maximum of eight security policy servers for a RADIUS scheme.

Examples

# Specify the security policy server 10.110.1.2 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] security-policy-server 10.110.1.2

Related commands

display radius scheme

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All types of notifications for RADIUS are enabled.

Views

System view

Predefined user roles

network-admin

Parameters

accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.

accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100 and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.

authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:

·     RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

·     RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—The number of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server specified for a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Sets the status of the primary RADIUS accounting server.

authentication: Sets the status of the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

When the RADIUS server load sharing feature is disabled, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

When the primary server and all secondary servers are in blocked state, authentication or accounting fails.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# Set the status of the primary authentication server in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

algorithm loading-share enable

display radius scheme

radius-server test-profile

state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

Every secondary RADIUS server specified in a RADIUS scheme is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Sets the status of a secondary RADIUS accounting server.

authentication: Sets the status of a secondary RADIUS authentication server.

host-name: Specifies the hostname of a secondary RADIUS server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify a server (by hostname, IPv4 address, or IPv6 address), this command changes the status of all secondary RADIUS servers of the specified type (accounting or authentication) in the scheme.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

When the RADIUS server load sharing feature is enabled, the device checks the weight value and number of currently served users only for servers in active state. The most appropriate active server is selected for communication.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

Examples

# Set the status of all the secondary authentication servers in RADIUS scheme radius1 to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

algorithm loading-share enable

display radius scheme

radius-server test-profile

state primary

stop-accounting-buffer enable (RADIUS scheme view)

Use stop-accounting-buffer enable to enable buffering of RADIUS stop-accounting requests to which no responses have been received.

Use undo stop-accounting-buffer enable to disable the buffering feature.

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

Default

The device buffers the RADIUS stop-accounting requests to which no responses have been received.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to buffer a RADIUS stop-accounting request that has no response after the maximum transmission attempts (set by using the retry command) have been made. The device resends the buffered request until it receives a server response or until the number of stop-accounting request transmission attempts reaches the upper limit (set by using the retry stop-accounting command). If no more attempts are available, the device discards the request. However, if you have removed an accounting server, stop-accounting requests destined for the server are not buffered.

Examples

# Enable buffering of RADIUS stop-accounting requests to which no responses have been received.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

Related commands

display stop-accounting-buffer (for RADIUS)

reset stop-accounting-buffer (for RADIUS)

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

·     A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

·     A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.
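The failover behavior described under state primary, state secondary and timer quiet (walk the servers in configuration order, block an unreachable server and start its quiet timer, let the quiet timer expiry restore it, but never auto-restore a server an administrator blocked) is a small state machine. The following model is an added example written for this reference, not H3C code, for the load-sharing-disabled case; times are plain integer seconds, and it assumes that manually setting a server to active also clears a running quiet timer (the text says the device then resumes status detection for it).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ServerStatus:
    name: str
    blocked_until: Optional[int] = None   # set when the NAS blocks the server itself
    manually_blocked: bool = False        # set by "state primary|secondary ... block"


class SchemeServers:
    """Primary first, then secondaries in configuration order (load sharing disabled)."""

    def __init__(self, names: List[str], quiet_minutes: int = 5):
        self.servers = [ServerStatus(n) for n in names]
        self.quiet_s = quiet_minutes * 60          # timer quiet, 1 to 255 minutes

    def _get(self, name: str) -> ServerStatus:
        return next(s for s in self.servers if s.name == name)

    def set_state(self, name: str, active: bool) -> None:
        """state ... active | block. Assumption: manual 'active' also clears the quiet timer."""
        s = self._get(name)
        s.manually_blocked = not active
        if active:
            s.blocked_until = None

    def mark_unreachable(self, name: str, now: int) -> None:
        """Automatic block: the server is out of service until its quiet timer expires."""
        self._get(name).blocked_until = now + self.quiet_s

    def is_active(self, s: ServerStatus, now: int) -> bool:
        if s.manually_blocked:
            return False                     # only "state ... active" brings it back
        if s.blocked_until is not None and now < s.blocked_until:
            return False                     # quiet timer still running
        return True                          # never blocked, or quiet timer expired

    def select(self, now: int) -> Optional[str]:
        for s in self.servers:
            if self.is_active(s, now):
                return s.name
        return None                          # every server blocked: the request fails


def try_request(pool: SchemeServers, reachable: Callable[[str], bool],
                now: int) -> Tuple[Optional[str], List[str]]:
    """Walk the active servers in order, blocking each one that does not answer."""
    tried: List[str] = []
    while True:
        name = pool.select(now)
        if name is None:
            return None, tried
        tried.append(name)
        if reachable(name):
            return name, tried
        pool.mark_unreachable(name, now)


if __name__ == "__main__":
    pool = SchemeServers(["primary", "sec1", "sec2"], quiet_minutes=5)
    print(try_request(pool, lambda n: n == "sec2", now=0))   # ('sec2', ['primary', 'sec1', 'sec2'])
    print(pool.select(now=299), pool.select(now=300))         # sec2 primary
```

A quiet timer that is too short shows up in this model as the primary being selected again (and failing again) every quiet period while it is still down; a timer that is too long shows up as select() still returning a secondary after the primary has recovered.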

Examples

# Set the quiet timer for the servers to 10 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60.

Usage guidelines

When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval helps improve accounting precision but requires many system resources.

Table 7 Recommended real-time accounting intervals

Number of users      Real-time accounting interval

1 to 99              3 minutes

100 to 499           6 minutes

500 to 999           12 minutes

1000 or more         15 minutes or longer


Examples

# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server within a period of time after sending a RADIUS request, it retransmits the request so that the user still has a chance to obtain the RADIUS service. The RADIUS server response timeout timer sets that waiting period, and therefore the interval between transmissions.

The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response timeout period cannot be greater than 300 seconds.

Examples

# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

display radius scheme

retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The setting depends on the type of the startup configuration:

·     If the device starts up with initial settings, the ISP domain name is included in a username.

·     If the device starts up with the default configuration file, the ISP domain name is included in a username except for the predefined RADIUS scheme named system. When the username is sent to a RADIUS server in the system scheme, the ISP domain name is removed.

For more information about the startup configuration, see Fundamentals Configuration Guide.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.
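The collision described above is worth checking over a real user list before a scheme with without-domain is shared across ISP domains. The following is an added example written for this reference, not H3C code: it computes the User-Name the device would send for each user under each format and reports names that more than one device-side identity (userid@isp-domain) maps to. It assumes that a name typed without "@" belongs to the domain the device assigned the user to, and the sample users and domains are constructed.

```python
from typing import Dict, List, Tuple


def radius_user_name(entered: str, isp_domain: str, fmt: str) -> str:
    """User-Name the device sends for one user under the given user-name-format.

    entered:    the name as the user typed it, e.g. "alice" or "alice@corp"
    isp_domain: the ISP domain the device assigned the user to (assumption: for a
                name typed without "@", this is the domain the device chose for it)
    fmt:        keep-original | with-domain | without-domain
    """
    userid, _, _ = entered.partition("@")
    if fmt == "keep-original":
        return entered
    if fmt == "without-domain":
        return userid
    if fmt == "with-domain":
        return f"{userid}@{isp_domain}"
    raise ValueError(f"unknown user-name-format: {fmt}")


def collisions(users: List[Tuple[str, str]], fmt: str) -> Dict[str, List[str]]:
    """RADIUS User-Names that more than one device-side identity maps to.

    users: (entered name, assigned ISP domain) pairs, e.g. from a user export.
    Returns {User-Name sent: [userid@isp-domain identities behind it]}.
    """
    seen: Dict[str, List[str]] = {}
    for entered, domain in users:
        identity = f"{entered.partition('@')[0]}@{domain}"
        seen.setdefault(radius_user_name(entered, domain, fmt), []).append(identity)
    return {name: ids for name, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed sample: one RADIUS scheme serving two ISP domains plus a user in a default domain.
    sample = [("alice@corp", "corp"), ("alice@guest", "guest"), ("bob", "dflt")]
    for fmt in ("with-domain", "without-domain", "keep-original"):
        print(fmt, collisions(sample, fmt))
```

For the sample, without-domain merges alice@corp and alice@guest into a single RADIUS user "alice", which is the case the paragraph above warns about; with-domain and keep-original keep them distinct.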

Examples

# Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify a VPN instance for a RADIUS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies a VPN instance by the name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN instance is also configured for an individual RADIUS server, the VPN instance specified for the RADIUS scheme does not take effect on that server.

Examples

# Specify VPN instance test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.

Examples

# Display the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 2 TACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name  : tac

  Index : 0

  Primary Auth Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: Not configured

    Single-connection: Disabled

  Primary Author Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: Not configured

    Single-connection: Disabled

  Primary Acct Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: Not configured

    Single-connection: Disabled

 

  VPN Instance                          : Not configured

  NAS IP Address                        : Not configured

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Stop-accounting packets buffering     : Enabled

    Retransmission times                : 100

  Response Timeout Interval(seconds)    : 5

  Username Format                       : without-domain

------------------------------------------------------------------

HWTACACS Scheme Name  : tac2

  Index : 1

  Primary Auth Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: 1

    Single-connection: Disabled

  Primary Author Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: 1

    Single-connection: Disabled

  Primary Acct Server:

    Host name: tacacs.com

    IP  : 82.0.0.37       Port: 49     State: Active

    VPN Instance: 1

    Single-connection: Disabled

 

  VPN Instance                          : Not configured

  NAS IP Address                        : Not configured

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Stop-accounting packets buffering     : Enabled

    Retransmission times                : 100

  Response Timeout Interval(seconds)    : 5

  Username Format                       : without-domain

Table 8 Command output

Field

Description

Index

Index number of the HWTACACS scheme.

Primary Auth Server

Primary HWTACACS authentication server.

Primary Author Server

Primary HWTACACS authorization server.

Primary Acct Server

Primary HWTACACS accounting server.

Secondary Auth Server

Secondary HWTACACS authentication server.

Secondary Author Server

Secondary HWTACACS authorization server.

Secondary Acct Server

Secondary HWTACACS accounting server.

Host name

Hostname of the HWTACACS server.

The field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by IP address.

IP

IP address of the HWTACACS server.

This field displays Not configured in the following situations:

·     The server is not configured.

·     The server is specified by hostname, and the hostname is not resolved.

Port

Service port of the HWTACACS server. If no port is configured, this field displays the default port number.

Single-connection

Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

State

Status of the HWTACACS server: active or blocked.

VPN Instance

VPN instance to which the HWTACACS server or scheme belongs. If no VPN instance is specified for the server or scheme, this field displays Not configured.

NAS IP Address

Source IP address for outgoing HWTACACS packets.

Server Quiet Period(minutes)

Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes)

Real-time accounting interval, in minutes.

Stop-accounting packets buffering

Whether buffering of nonresponded HWTACACS stop-accounting requests is enabled.

Retransmission times

Maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

Response Timeout Interval(seconds)

HWTACACS server response timeout period, in seconds.

Username Format

Format for the usernames sent to the HWTACACS server. Possible values include:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.
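The output above is the first place an operator looks when HWTACACS authentication or accounting stops working, so it is worth being able to read it mechanically. The following Python script is an added example, not part of the H3C command reference: it parses output in the layout shown above into per-scheme and per-server dictionaries and reports the conditions a reviewer would flag (a server in a state other than Active, a server still opening one TCP connection per user, and a scheme whose NAS IP address is not pinned and therefore follows the outbound interface). SAMPLE_OUTPUT is constructed for the example; it keeps the field layout of the reference output but shows one accounting server as Blocked so the check has something to find.

```python
"""Parse `display hwtacacs scheme` output and flag settings worth reviewing.

Added example; SAMPLE_OUTPUT is constructed in the layout of the reference
output (one scheme, with the accounting server deliberately shown as Blocked).
"""
import re

SAMPLE_OUTPUT = """\
Total 1 TACACS schemes

------------------------------------------------------------------
HWTACACS Scheme Name  : tac
  Index : 0
  Primary Auth Server:
    Host name: tacacs.com
    IP  : 82.0.0.37       Port: 49     State: Active
    VPN Instance: Not configured
    Single-connection: Disabled
  Primary Acct Server:
    Host name: Not configured
    IP  : 82.0.0.38       Port: 49     State: Blocked
    VPN Instance: Not configured
    Single-connection: Enabled

  VPN Instance                          : Not configured
  NAS IP Address                        : Not configured
  Server Quiet Period(minutes)          : 5
  Realtime Accounting Interval(minutes) : 12
  Stop-accounting packets buffering     : Enabled
    Retransmission times                : 100
  Response Timeout Interval(seconds)    : 5
  Username Format                       : without-domain
"""

SCHEME_HDR = re.compile(r"^HWTACACS Scheme Name\s*:\s*(?P<name>\S+)$")
SERVER_HDR = re.compile(r"^  (?P<role>(?:Primary|Secondary) (?:Auth|Author|Acct) Server):$")
IP_LINE = re.compile(r"^\s+IP\s*:\s*(?P<ip>\S+)\s+Port:\s*(?P<port>\d+)\s+State:\s*(?P<state>\S+)$")


def parse_hwtacacs_schemes(text):
    """Return a list of {'name', 'servers': {role: {...}}, 'settings': {...}} dicts."""
    schemes, scheme, server = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            server = None          # a blank line ends the per-server block
            continue
        if line.startswith("-"):
            continue               # separator rule between schemes
        m = SCHEME_HDR.match(line)
        if m:
            scheme = {"name": m.group("name"), "servers": {}, "settings": {}}
            schemes.append(scheme)
            server = None
            continue
        if scheme is None:
            continue               # "Total N TACACS schemes" and anything before the first scheme
        m = SERVER_HDR.match(line)
        if m:
            server = {}
            scheme["servers"][m.group("role")] = server
            continue
        if server is not None:
            m = IP_LINE.match(line)
            if m:
                server.update(ip=m.group("ip"), port=int(m.group("port")), state=m.group("state"))
            else:
                key, _, value = line.strip().partition(":")
                server[key.strip()] = value.strip()
            continue
        key, _, value = line.strip().partition(":")
        scheme["settings"][key.strip()] = value.strip()
    return schemes


def audit_scheme(scheme):
    """Findings a reviewer would want to see before relying on this scheme."""
    findings = []
    for role, srv in scheme["servers"].items():
        if srv.get("state") != "Active":
            findings.append(f"{scheme['name']}: {role} {srv.get('ip')} is {srv.get('state')}")
        if srv.get("Single-connection") == "Disabled":
            findings.append(f"{scheme['name']}: {role} {srv.get('ip')} opens a TCP connection per user")
    if scheme["settings"].get("NAS IP Address") == "Not configured":
        findings.append(f"{scheme['name']}: NAS IP not pinned; source address follows the outbound interface")
    return findings


if __name__ == "__main__":
    for s in parse_hwtacacs_schemes(SAMPLE_OUTPUT):
        print(s["name"], audit_scheme(s))
```

Feed the script the captured output of display hwtacacs scheme instead of SAMPLE_OUTPUT to audit a real device; the single-connection finding is advisory (the page recommends the keyword only when the server supports it), while a Blocked server or an unpinned NAS IP is usually the reason a server silently drops the device's requests.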


Related commands

reset hwtacacs statistics

display stop-accounting-buffer (for HWTACACS)

Use display stop-accounting-buffer to display information about buffered HWTACACS stop-accounting requests to which no responses have been received.

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display information about nonresponded stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

Total entries: 2

Scheme    IP address        Username      First sending time     Attempts

hwt1      192.168.100.1     abc           23:27:16-08/31/2015    19

hwt1      192.168.90.6      bob           23:33:01-08/31/2015    20

Table 9 Command output

Field

Description

First sending time

Time when the stop-accounting request was first sent.

Attempts

Number of attempts that were made to send the stop-accounting request.
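A buffered stop-accounting request whose Attempts column is approaching the scheme's retry stop-accounting limit (default 100, range 1 to 300) is about to stop being retransmitted, which means the accounting server will never see the end of that session. The following Python script is an added example, not part of the H3C command reference: it parses output in the layout shown above and lists the entries that have used most of the retry budget. SAMPLE_OUTPUT is constructed for the example and mirrors the two rows of the reference output.

```python
"""Parse `display stop-accounting-buffer hwtacacs-scheme` output and find requests
that are close to exhausting their retry budget. Added example; SAMPLE_OUTPUT is
constructed to match the layout of the reference output."""
from datetime import datetime

SAMPLE_OUTPUT = """\
Total entries: 2
Scheme    IP address        Username      First sending time     Attempts
hwt1      192.168.100.1     abc           23:27:16-08/31/2015    19
hwt1      192.168.90.6      bob           23:33:01-08/31/2015    20
"""

TIME_FORMAT = "%H:%M:%S-%m/%d/%Y"   # hh:mm:ss-mm/dd/yyyy, as printed in the output


def parse_stop_accounting_buffer(text):
    """Return one dict per buffered request; the header and 'Total entries' lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        scheme, ip, user, first, attempts = parts
        entries.append({
            "scheme": scheme,
            "server": ip,
            "user": user,
            "first_sent": datetime.strptime(first, TIME_FORMAT),
            "attempts": int(attempts),
        })
    return entries


def near_retry_limit(entries, retries=100, warn_fraction=0.8):
    """Requests that have used warn_fraction of the `retry stop-accounting` budget
    (default 100, configurable from 1 to 300). Once attempts reach the budget the
    device makes no further transmission attempts for that request."""
    threshold = retries * warn_fraction
    return [e for e in entries if e["attempts"] >= threshold]


def oldest_first(entries):
    """Order by first sending time so the longest-outstanding request is listed first."""
    return sorted(entries, key=lambda e: e["first_sent"])


if __name__ == "__main__":
    for e in oldest_first(near_retry_limit(parse_stop_accounting_buffer(SAMPLE_OUTPUT), retries=25)):
        print(e["scheme"], e["server"], e["user"], e["attempts"])
```

Pass the scheme's actual retries value (the Retransmission times field of display hwtacacs scheme) so the threshold matches the device; a growing list of entries for the same server address is a stronger signal of an unreachable accounting server than any single row.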


Related commands

reset stop-accounting-buffer (for HWTACACS)

retry stop-accounting (HWTACACS scheme view)

stop-accounting-buffer enable (HWTACACS scheme view)

user-name-format (HWTACACS scheme view)

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of a packet sent to the server is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

You can specify a maximum of 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

A newly specified public-network source IP address overwrites the previous address. Each VPN instance can have at most one private-network source IPv4 address and one private-network source IPv6 address.

When you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.
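The address restrictions in the Parameters section, the 16-address table limit, and the precedence between nas-ip in scheme view and hwtacacs nas-ip in system view are the three things that decide which source address the HWTACACS server will see, and therefore whether it processes or drops the packet. The following Python script is an added example, not part of the H3C command reference: it checks a candidate address against the listed restrictions, models the source-address table with its overwrite and limit rules, and resolves the effective source address by the stated precedence. Whether an address is actually configured on the device is not checked (that requires the running configuration), and the overwrite behaviour for per-VPN slots is an assumption, since the page states it only for public-network addresses.

```python
"""Validate candidate source addresses for `hwtacacs nas-ip` and model the
address table limits described in the usage guidelines. Added example, not
part of the command reference; whether an address belongs to the device is
not checked here (that needs the running configuration)."""
import ipaddress

CLASS_E = ipaddress.ip_network("240.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def validate_nas_ip(text):
    """Return (ok, reason) for one address, applying the Parameters restrictions."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False, "not a valid IP address"
    if addr.version == 4:
        if addr.is_unspecified:
            return False, "0.0.0.0 is not allowed"
        if addr == LIMITED_BROADCAST:
            return False, "255.255.255.255 is not allowed"
        if addr.is_multicast:            # class D, 224.0.0.0/4
            return False, "class D address"
        if addr in CLASS_E:
            return False, "class E address"
        if addr.is_loopback:
            return False, "loopback address"
    else:
        if addr.is_multicast:            # an IPv6 source must be unicast
            return False, "not a unicast address"
        if addr.is_loopback:
            return False, "loopback address"
        if addr.is_link_local:
            return False, "link-local address"
    return True, "ok"


class NasIpTable:
    """System-view hwtacacs nas-ip table: at most 16 addresses in total, one public
    IPv4 and one public IPv6, and one IPv4 plus one IPv6 per VPN instance."""
    MAX_ENTRIES = 16

    def __init__(self):
        self._slots = {}   # (vpn_instance, or None for public; ip_version) -> address

    def add(self, text, vpn_instance=None):
        ok, reason = validate_nas_ip(text)
        if not ok:
            raise ValueError(reason)
        addr = ipaddress.ip_address(text)
        slot = (vpn_instance, addr.version)
        if slot not in self._slots and len(self._slots) >= self.MAX_ENTRIES:
            raise ValueError("maximum of 16 source IP addresses reached")
        # The page states that a new public address overwrites the previous one;
        # the same overwrite behaviour is assumed here for the per-VPN slots.
        self._slots[slot] = addr
        return addr

    def source_for(self, vpn_instance=None, version=4):
        return self._slots.get((vpn_instance, version))


def effective_source(scheme_nas_ip=None, system_nas_ip=None, outbound_interface_ip=None):
    """Precedence from the usage guidelines: nas-ip in HWTACACS scheme view, then
    hwtacacs nas-ip in system view, then the address of the outbound interface."""
    return scheme_nas_ip or system_nas_ip or outbound_interface_ip


if __name__ == "__main__":
    for candidate in ("129.10.10.1", "0.0.0.0", "224.0.0.5", "fe80::1", "2001:db8::1"):
        print(candidate, validate_nas_ip(candidate))
```

The value returned by effective_source is the address that must be registered as the NAS on the HWTACACS server; when a scheme-level nas-ip is set, a later change to hwtacacs nas-ip in system view has no effect on that scheme, which is a common reason a server starts dropping requests after a "harmless" global change.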

Examples

# Set the IP address for the device to use as the source address for HWTACACS packets to 129.10.10.1.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS scheme exists.

Views

System view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to remove the configuration.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

accounting: Sets the shared key for secure HWTACACS accounting communication.

authentication: Sets the shared key for secure HWTACACS authentication communication.

authorization: Sets the shared key for secure HWTACACS authorization communication.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key string. This argument is case sensitive.

·     In non-FIPS mode:

¡     A ciphertext password is a string of 1 to 373 characters.

¡     A plaintext password is a string of 1 to 255 characters.

·     In FIPS mode:

¡     A ciphertext password is a string of 15 to 373 characters.

¡     A plaintext password is a string of 15 to 255 characters that must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.
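The length and complexity rules listed under Parameters differ by key form and by FIPS mode, and a key that the device accepts is still useless unless the same value is configured for the same service on the server. The following Python script is an added example, not part of the H3C command reference: it checks a shared key against those rules and compares the per-service keys configured on the NAS with the ones configured on the server. The page does not define "special characters", so ASCII punctuation is assumed here.

```python
"""Check HWTACACS shared keys against the length and complexity rules listed
under Parameters. Added example, not part of the command reference."""
import string

# Assumption: the page does not define "special characters"; ASCII punctuation is used here.
SPECIAL_CHARS = set(string.punctuation)

LIMITS = {  # form -> (min length non-FIPS, min length FIPS, max length)
    "cipher": (1, 15, 373),
    "simple": (1, 15, 255),
}


def validate_shared_key(key, form="simple", fips=False):
    """Return (ok, reason). form is 'cipher' or 'simple', matching the key command keywords."""
    if form not in LIMITS:
        raise ValueError("form must be 'cipher' or 'simple'")
    lo_plain, lo_fips, hi = LIMITS[form]
    lo = lo_fips if fips else lo_plain
    if not lo <= len(key) <= hi:
        return False, f"length {len(key)} outside {lo}..{hi} for a {form} key"
    if fips and form == "simple":
        # FIPS mode requires all four character classes in a plaintext key.
        missing = [name for name, present in (
            ("digit", any(c.isdigit() for c in key)),
            ("uppercase", any(c.isupper() for c in key)),
            ("lowercase", any(c.islower() for c in key)),
            ("special", any(c in SPECIAL_CHARS for c in key)),
        ) if not present]
        if missing:
            return False, "FIPS plaintext key lacks: " + ", ".join(missing)
    return True, "ok"


SERVICES = ("authentication", "authorization", "accounting")


def key_mismatches(device_keys, server_keys):
    """Compare the per-service keys on the NAS with those on the HWTACACS server
    (both given as {service: key}). Returns the services whose keys differ or are
    missing on either side; the page requires them to match."""
    return [s for s in SERVICES
            if device_keys.get(s) is None or device_keys.get(s) != server_keys.get(s)]


if __name__ == "__main__":
    for candidate in ("123456TESTauth&!", "123456testauth&!", "short"):
        print(candidate, validate_shared_key(candidate, fips=True))
```

Run the comparison against the server-side configuration export rather than against values typed from memory: a key configured in plain text is stored and displayed in ciphertext on the device, so the only reliable source of truth after configuration is the configuration management record.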

Examples

# Set the shared key for secure HWTACACS authentication communication to 123456TESTauth&! in plain text for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key for secure HWTACACS authorization communication to 123456TESTautr&! in plain text.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key for secure HWTACACS accounting communication to 123456TESTacct&! in plain text.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source address for outgoing HWTACACS packets.

Use undo nas-ip to delete a source address for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is the IP address configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

When you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

If you execute the command multiple times, the most recent configuration takes effect.

Examples

# Set the source address for outgoing HWTACACS packets to 10.1.1.1 for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to remove the configuration.

Syntax

primary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme test1.

<Sysname> system-view

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to remove the configuration.

Syntax

primary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to remove the configuration.

Syntax

primary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the primary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the primary HWTACACS authorization server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of the primary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# Specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authorization

vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

reset stop-accounting-buffer (for HWTACACS)

Use reset stop-accounting-buffer to clear buffered HWTACACS stop-accounting requests to which no responses have been received.

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Views

User view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Clear nonresponded stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

Related commands

display stop-accounting-buffer (for HWTACACS)

stop-accounting-buffer enable (HWTACACS scheme view)

retry stop-accounting (HWTACACS scheme view)

Use retry stop-accounting to set the maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

Use undo retry stop-accounting to restore the default.

Syntax

retry stop-accounting retries

undo retry stop-accounting

Default

The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests. The value range is 1 to 300.

Examples

# In HWTACACS scheme hwt1, set the maximum number of HWTACACS stop-accounting attempts to 300.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 300

Related commands

display stop-accounting-buffer (for HWTACACS)

timer response-timeout (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS accounting server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the secondary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary HWTACACS accounting servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS accounting server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# Specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ]* ]

Default

No secondary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authentication server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authentication server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary HWTACACS authentication servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS authentication server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# Specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { host-name | ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ]* ]

Default

No secondary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

host-name: Specifies the hostname of the secondary HWTACACS authorization server, a case-insensitive string of 1 to 253 characters.

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key { cipher | simple } string: Sets the shared key for secure communication with the secondary HWTACACS authorization server.

·     cipher string: Sets a ciphertext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 373 characters.

¡     In FIPS mode, the key is a string of 15 to 373 characters.

·     simple string: Sets a plaintext shared key. The string argument is case sensitive.

¡     In non-FIPS mode, the key is a string of 1 to 255 characters.

¡     In FIPS mode, the key is a string of 15 to 255 characters and must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the secondary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

You can configure a maximum of 16 secondary HWTACACS authorization servers for an HWTACACS scheme. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical hostname, IP address, port number, and VPN instance settings.

The specified hostname might be resolved to multiple IPv4 and IPv6 addresses. The resolved IPv4 addresses have higher priority than IPv6 addresses. The first IPv4 address that is returned from the DNS server has the highest priority.

The port number and shared key settings of a secondary HWTACACS authorization server must be the same as the settings configured on the server. For security purposes, all shared keys, including shared keys configured in plain text, are saved in ciphertext.

If the specified server resides on a VPN instance, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
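The key and single-connection parameters of the secondary accounting, secondary authentication and secondary authorization commands above all describe the same wire mechanism. The following added example (not code from this reference or from H3C) shows what the shared key actually does on the wire in TACACS+ as specified in RFC 8907: the body of every packet is XORed with an MD5 keystream derived from the session ID, the key, the version and the sequence number, and the single-connection request is a flag bit in the 12-byte header. Treating HWTACACS as wire-compatible with that TACACS+ format is an assumption, and the session ID, username, password and rem_addr values are constructed. RFC 8907 itself describes this as obfuscation rather than encryption, which is why the reference's advice to keep the servers on a dedicated VPN instance matters as much as the key itself.

```python
# Added example (not from the H3C reference): how a TACACS+ client applies the
# shared key and the single-connection flag on the wire, per RFC 8907. HWTACACS
# is treated here as a TACACS+ dialect; that wire compatibility is an assumption.
import hashlib
import struct

VERSION = 0xC0                       # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01               # authentication packet
TAC_PLUS_AUTHOR = 0x02               # authorization packet
TAC_PLUS_ACCT = 0x03                 # accounting packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in the clear (no key configured)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # client asks to multiplex sessions on one TCP connection

# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream of RFC 8907 section 4.5: each block hashes the previous block."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, single_connect: bool = False) -> bytes:
    """Header plus obfuscated body. An empty key means the body goes in the clear."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key:
        payload = obfuscate(body, session_id, key, VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(data: bytes, key: bytes):
    """Inverse of build_packet. With a mismatched key the body comes back as garbage,
    which is why the key must match the server's setting exactly."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    else:
        body = obfuscate(payload, session_id, key, version, seq_no)
    header = {"type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id}
    return header, body


def authen_start_body(user: str, password: str, port: str = "vty0",
                      rem_addr: str = "10.0.0.5") -> bytes:
    """Constructed PAP authentication START body: action LOGIN, priv_lvl 1,
    authen_type PAP, service LOGIN, then the four length-prefixed fields."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return bytes([0x01, 0x01, 0x02, 0x01, len(u), len(p), len(r), len(d)]) + u + p + r + d


if __name__ == "__main__":
    key = b"123456TESTauth&!"      # the example key used in this reference
    body = authen_start_body("alice", "constructed-password")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, key, single_connect=True)
    print(parse_packet(pkt, key)[1] == body)           # True: the right key recovers the body
    print(parse_packet(pkt, b"wrong-key")[1] == body)  # False: a wrong key yields garbage
```

Two things the block makes visible that the parameter descriptions do not: a key mismatch is not rejected at connection level but produces an unparseable body, so the first symptom is an authentication failure rather than a transport error; and anyone holding the key, or able to brute-force a weak one from captured traffic, can read every password the device forwards, which is the reason for the FIPS-mode complexity rules and for isolating the servers with vpn-instance.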

Examples

# Specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&! for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authorization

vpn-instance (HWTACACS scheme view)

stop-accounting-buffer enable (HWTACACS scheme view)

Use stop-accounting-buffer enable to enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

Use undo stop-accounting-buffer enable to disable buffering of HWTACACS stop-accounting requests to which no responses have been received.

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

Default

The device buffers HWTACACS stop-accounting requests to which no responses have been received.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to buffer an HWTACACS stop-accounting request to which no response has been received. The device resends the buffered request until it receives a server response or until the number of transmission attempts reaches the maximum (set by using the retry stop-accounting command). When no attempts remain, the device discards the request. If you have removed an accounting server, stop-accounting requests destined for that server are not buffered.

Examples

# Enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

Related commands

display stop-accounting-buffer (for HWTACACS)

reset stop-accounting-buffer (for HWTACACS)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# Set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 prevents the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval improves accounting precision but consumes more system resources on the device and the server.

Table 10 Recommended real-time accounting intervals

Number of users    Real-time accounting interval
1 to 99            3 minutes
100 to 499         6 minutes
500 to 999         12 minutes
1000 or more       15 minutes or longer

Examples

# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.
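The secondary server usage guidelines earlier in this section (try servers in configured order, skip servers that are not in active state) combine with timer quiet and timer response-timeout to determine how long a login can hang when servers are unreachable. The following added model (not code from this reference or from H3C) makes that arithmetic explicit. It assumes that the device walks every active server in configured order before giving up, and that a server which times out is placed in the quiet state for the quiet period; the server names and the reachability callback are constructed.

```python
# Added example (not from the H3C reference): a model of the server selection,
# response-timeout and quiet-timer behaviour described for an HWTACACS scheme.
# That the device walks every active server in configured order before giving up,
# and that a server which times out enters the quiet state, are assumptions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Server:
    name: str
    blocked_until: float = 0.0   # seconds; a server is active when now >= blocked_until


@dataclass
class HwtacacsScheme:
    servers: List[Server]        # primary first, then secondaries in configured order
    response_timeout: int = 5    # timer response-timeout, seconds (default on this page)
    quiet_minutes: int = 5       # timer quiet, minutes (default on this page)

    def active(self, now: float) -> List[Server]:
        """Servers not currently in the quiet state, in configured order."""
        return [s for s in self.servers if now >= s.blocked_until]

    def request(self, now: float, send: Callable[[Server], bool]) -> Tuple[Optional[Server], float]:
        """Try active servers in order; send(server) returns True on a reply or False on
        timeout. Returns the server that answered (or None) and the seconds the user waited."""
        waited = 0.0
        for server in self.active(now):
            if send(server):
                return server, waited
            waited += self.response_timeout                     # one full timeout burned
            server.blocked_until = now + waited + self.quiet_minutes * 60
        return None, waited

    def worst_case_wait(self, now: float) -> float:
        """Seconds a login can hang before the device gives up when every active server is dead."""
        return self.response_timeout * len(self.active(now))


def constructed_reachability(up: Set[str]) -> Callable[[Server], bool]:
    """Constructed stand-in for the network: only servers named in `up` answer."""
    return lambda server: server.name in up


if __name__ == "__main__":
    scheme = HwtacacsScheme([Server("primary"), Server("sec1"), Server("sec2")])
    print(scheme.worst_case_wait(0))                                   # 15 seconds with defaults
    print(scheme.request(0, constructed_reachability({"sec1", "sec2"})))  # sec1 after 5 s
    print([s.name for s in scheme.active(10)])                         # primary is quiet
```

The model shows why the two timers trade off against each other: a long response-timeout multiplied by many configured secondaries makes the first login after an outage slow, while a very short quiet timer sends every subsequent login back through the dead primary as soon as the period expires.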

Examples

# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the username.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

Examples

# Configure the device to remove the ISP domain name from the username sent to the HWTACACS servers specified in HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify a VPN instance for an HWTACACS scheme.

Use undo vpn-instance to remove the configuration.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies a VPN instance by the name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.

Examples

# Specify VPN instance test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme

LDAP commands

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to remove the LDAP authentication server.

Syntax

authentication-server server-name

undo authentication-server server-name

Default

No LDAP authentication server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

For an LDAP scheme, you can specify only one LDAP authentication server. If you execute the command for an LDAP scheme multiple times, the most recent configuration takes effect.

Examples

# Specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

display ldap scheme

ldap server

display ldap scheme

Use display ldap scheme to display the LDAP scheme configuration.

Syntax

display ldap scheme [ scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

 

------------------------------------------------------------------

  LDAP Scheme Name           : ldap-sch

  Authentication Server      : cc

    IP                       : 2.2.2.2

    Port                     : 389

    VPN Instance             : 2

    LDAP Protocol Version    : LDAPv2

    Server Timeout Interval  : 10 (seconds)

    Login Account DN         : lda

    Base DN                  : ll

    Search Scope             : single-level

    User Searching Parameters:

      User Object Class      : Not configured

      Username Attribute     : cn

      Username Format        : with-domain

------------------------------------------------------------------

Table 11 Command output

Field                      Description
Authentication Server      Name of the LDAP authentication server. If no server is configured, this field displays Not configured.
IP                         IP address of the LDAP authentication server. If no authentication server is specified, this field displays Not configured.
Port                       Port number of the authentication server. If no port number is specified, this field displays the default port number.
VPN Instance               VPN instance to which the LDAP server belongs. If no VPN instance is specified, this field displays Not configured.
LDAP Protocol Version      LDAP version, LDAPv2 or LDAPv3.
Server Timeout Interval    LDAP server timeout period, in seconds.
Login Account DN           DN of the administrator.
Base DN                    Base DN for user search.
Search Scope               User DN search scope: all-level (all subdirectories of the base DN) or single-level (only the next lower level of subdirectories under the base DN).
User Searching Parameters  User search parameters.
User Object Class          User object class for user DN search. If no user object class is configured, this field displays Not configured.
Username Attribute         User account attribute for login.
Username Format            Format for the username sent to the server.

ip

Use ip to configure the IP address and port number of the LDAP server.

Use undo ip to delete the LDAP server IP address and port number.

Syntax

ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ip

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number of the LDAP authentication server as 192.168.0.10 and 4300.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address and port number of the LDAP server.

Use undo ipv6 to delete the LDAP server IPv6 address and port number.

Syntax

ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ipv6

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies a VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number of the LDAP authentication server as 1:2::3:4 and 4300.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap scheme

Use ldap scheme to create an LDAP scheme and enter LDAP scheme view.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP scheme is defined.

Views

System view

Predefined user roles

network-admin

Parameters

ldap-scheme-name: LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter LDAP server view.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP server exists.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to remove the configuration.

Syntax

login-dn dn-string

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

dn-string: Administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.

If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city.

<Sysname> system-view

[Sysname] ldap server ldap1

[Sysname-ldap-server-ldap1] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

login-password { cipher | simple } password

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies the password string. This argument is case sensitive.

·     If the simple keyword is specified, the password must be a string of 1 to 128 characters.

·     If the cipher keyword is specified, the password must be a ciphertext string of 1 to 201 characters.

Usage guidelines

This command is effective only after the login-dn command is configured.

For security purposes, all passwords, including passwords configured in plain text, are saved in ciphertext.

Examples

# Configure the administrator password to abcdefg in plain text.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

display ldap scheme

login-dn

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

display ldap scheme

ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

display ldap scheme

ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

display ldap scheme

login-dn
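The login-dn, login-password, search-base-dn, search-scope and user-parameters commands together describe a two-step LDAP login: the device binds with the administrator DN, searches under the base DN for the entry whose username attribute matches the user, then binds again as that entry. The following added example (not code from this reference or from H3C) builds that search from the command settings and shows the one detail a practitioner must get right when doing the same thing in their own client: the username is attacker-controlled input and must be escaped per RFC 4515 before it is placed in the filter. Modelling the device's lookup as an "(attribute=username)" filter, optionally AND-ed with the user object class, is an assumption; the configuration keys mirror the command names, and the base DNs and usernames are constructed.

```python
# Added example (not from the H3C reference): the user-DN search that the
# login-dn, search-base-dn, search-scope and user-parameters settings describe,
# built with RFC 4515 filter escaping. Modelling the lookup as an
# "(attribute=username)" filter AND-ed with the object class is an assumption.
from typing import Dict, Tuple

# Defaults stated on this page for an LDAP server view
DEFAULTS: Dict[str, str] = {
    "user-name-attribute": "cn",
    "user-name-format": "without-domain",
    "user-object-class": "",        # empty: the server's default object class is used
    "search-scope": "all-level",
}

# LDAP scope names as a client library would send them
SCOPES = {"all-level": "sub", "single-level": "one"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the only characters that change a filter's meaning are
    * ( ) \\ and NUL; each becomes a backslash followed by two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def apply_user_name_format(username: str, fmt: str) -> str:
    """userid@isp-name: strip the ISP domain only when the server stores bare userids."""
    if fmt == "without-domain" and "@" in username:
        return username.rsplit("@", 1)[0]
    return username


def build_user_search(cfg: Dict[str, str], username: str) -> Tuple[str, str, str]:
    """Return (base DN, scope, filter) for the search the device runs after binding
    with the administrator DN and before binding again as the entry it finds."""
    settings = {**DEFAULTS, **cfg}
    userid = apply_user_name_format(username, settings["user-name-format"])
    flt = "(%s=%s)" % (settings["user-name-attribute"], escape_filter_value(userid))
    if settings["user-object-class"]:
        flt = "(&(objectClass=%s)%s)" % (escape_filter_value(settings["user-object-class"]), flt)
    return settings.get("search-base-dn", ""), SCOPES[settings["search-scope"]], flt


def unsafe_filter(cfg: Dict[str, str], username: str) -> str:
    """What a client that interpolates the raw username would send. Kept only to
    show why escaping matters; a username of "*" turns it into a match-all filter."""
    settings = {**DEFAULTS, **cfg}
    return "(%s=%s)" % (settings["user-name-attribute"],
                        apply_user_name_format(username, settings["user-name-format"]))


if __name__ == "__main__":
    cfg = {"search-base-dn": "dc=ldap,dc=com"}           # base DN from this page's example
    print(build_user_search(cfg, "alice@corp"))          # ('dc=ldap,dc=com', 'sub', '(cn=alice)')
    print(unsafe_filter(cfg, "*"))                       # (cn=*)   matches every entry
    print(build_user_search(cfg, "*")[2])                # (cn=\2a) matches a literal asterisk
```

A match-all or injected filter does not by itself log the attacker in, because the second bind still needs the found entry's password, but it does let an attacker steer which DN the device binds against and, with all-level scope over a large base DN, turn every login attempt into an expensive subtree search. Narrowing search-scope and setting user-object-class limits both.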
