max-sessions: Specifies the maximum number of concurrent login users. The value range for this argument is 1 to 32 for FTP, SSH, and Telnet users, and 1 to 64 for HTTP and HTTPS users.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.

· When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.

· When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

· accounting default

· command accounting (Fundamentals Command Reference)

· hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting methods are used for all users that support these methods and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

accounting lan-access

Use accounting lan-access to specify accounting methods for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

Default

The default accounting methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

· accounting default

· local-user

· radius scheme

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

· accounting default

· hwtacacs scheme

· local-user

· radius scheme

accounting portal

Use accounting portal to specify accounting methods for portal users.

Use undo accounting portal to restore the default.

Syntax

accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

Default

The default accounting methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

# In ISP domain test, broadcast accounting requests of portal users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

· accounting default

· local-user

· radius scheme

accounting ppp

Use accounting ppp to specify accounting methods for PPP users.

Use undo accounting ppp to restore the default.

Syntax

accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting ppp

Default

The default accounting methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

Examples

# In ISP domain test, perform local accounting for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp local

# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp radius-scheme rd local

# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

· accounting default

· local-user

· radius scheme

accounting quota-out

Use accounting quota-out to configure access control for users that have used up their data quotas.

Use undo accounting quota-out to restore the default.

Syntax

accounting quota-out { offline | online }

undo accounting quota-out

Default

The device logs off users that have used up their data quotas.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that have used up their data quotas.

online: Allows users that have used up their data quotas to stay online.

Examples

# In ISP domain test, configure the device to allow users that have used up their data quotas to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting quota-out online

accounting start-fail

Use accounting start-fail to configure access control for users that encounter accounting-start failures.

Use undo accounting start-fail to restore the default.

Syntax

accounting start-fail { offline | online }

undo accounting start-fail

Default

The device allows users that encounter accounting-start failures to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that encounter accounting-start failures.

online: Allows users that encounter accounting-start failures to stay online.

Examples

# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.

Use undo accounting update-fail to restore the default.

Syntax

accounting update-fail { [ max-times times ] offline | online }

undo accounting update-fail

Default

The device allows users that have failed all their accounting-update attempts to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-times times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the times argument is 1 to 255, and the default value is 1.

offline: Logs off users that have failed all their accounting-update attempts.

online: Allows users that have failed all their accounting-update attempts to stay online.

Examples

# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting update-fail online

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication methods are used for all users that support these methods and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

· hwtacacs scheme

· ldap scheme

· local-user

· radius scheme

authentication ike

Use authentication ike to specify extended authentication methods for IKE users.

Use undo authentication ike to restore the default.

Syntax

authentication ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ike

Default

The default authentication methods of the ISP domain are used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local authentication through IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ike local

# In ISP domain test, perform IKE extended authentication based on RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ike radius-scheme rd local

Related commands

· authentication default

· local-user

· radius scheme

authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

Default

The default authentication methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

· authentication default

· hwtacacs scheme

· ldap scheme

· local-user

· radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

· authentication default

· hwtacacs scheme

· ldap scheme

· local-user

· radius scheme

authentication portal

Use authentication portal to specify authentication methods for portal users.

Use undo authentication portal to restore the default.

Syntax

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

Default

The default authentication methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

· authentication default

· ldap scheme

· local-user

· radius scheme

authentication ppp

Use authentication ppp to specify authentication methods for PPP users.

Use undo authentication ppp to restore the default.

Syntax

authentication ppp { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ppp

Default

The default authentication methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp local

# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands

· authentication default

· local-user

· radius scheme

authentication super

Use authentication super to specify methods for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.

If you specify a scheme to provide the method for user role authentication, the following rules apply:

· If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server to represent the highest user level that a user can obtain. For example, to obtain a level-3 user role of which username is test, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.

· If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication of any usernames. The variable n represents a user role level. For example, to obtain a level-3 user role, the device uses the username string $enab3$.

For more information about user role authentication, see Fundamentals Configuration Guide.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

· authentication default

· hwtacacs scheme

· radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether or not each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role.

The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

· command authorization (Fundamentals Command Reference)

· hwtacacs scheme

· local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Non-login users can access the network.

· Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization methods are used for all users that support these methods and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

· hwtacacs scheme

· local-user

· radius scheme

authorization ike

Use authorization ike to specify authorization methods for IKE extended authentication.

Use undo authorization ike to restore the default.

Syntax

authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ike

Default

The default authorization methods of the ISP domain are used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ike radius-scheme radius-scheme-name local none command specifies one primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ike local

Related commands

· authorization default

· local-user

authorization lan-access

Use authorization lan-access to specify authorization methods for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

Default

The default authorization methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

· authorization default

· local-user

· radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

· authorization default

· hwtacacs scheme

· local-user

· radius scheme

authorization portal

Use authorization portal to specify authorization methods for portal users.

Use undo authorization portal to restore the default.

Syntax

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

Default

The default authorization methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

· authorization default

· local-user

· radius scheme

authorization ppp

Use authorization ppp to specify authorization methods for PPP users.

Use undo authorization ppp to restore the default.

Syntax

authorization ppp { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ppp

Default

The default authorization methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp local

# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp radius-scheme rd local

Related commands

· authorization default

· local-user

· radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | idle-cut minute [ flow ] | igmp max-access-number number | ip-pool pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-group user-group-name | user-profile profile-name }

undo authorization-attribute { acl | idle-cut | igmp | ip-pool | ipv6-pool | ipv6-prefix | mld | primary-dns | secondary-dns | session-timeout | url | user-group | user-profile }

Default

No authorization attributes are configured for users in an ISP domain and the idle cut feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 5999. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the ACL applies before portal authentication. This option is applicable only to LAN and portal users.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 600.

flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.

igmp max-access-number number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the number argument is 1 to 64. This option is applicable only to portal and PPP users.

ip-pool pool-name: Specifies an IPv4 address pool for users. The pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal and PPP users.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal and PPP users.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the ipv6-prefix prefix-length argument is 1 to 128. This option is applicable only to PPP users.

mld max-access-number number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the number argument is 1 to 64. This option is applicable only to portal and PPP users.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to PPP users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to PPP users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to PPP users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to PPP users.

session-timeout minutes: Specifies the session timeout timer for users, in minutes. The value range for the minutes argument is 1 to 4294967295. The device logs off a user when the user's session timeout timer expires. This option is applicable only to PPP, portal, and LAN users.

url url-string: Specifies the URL to which PPP users are redirected after they pass authentication. The url-string argument is a case-sensitive string of 1 to 255 characters. This option is applicable only to PPP users.

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to LAN, portal, and PPP users.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user.

You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

basic-service-ip-type

Use basic-service-ip-type to specify the types of IP addresses that PPPoE users must rely on to use the basic services.

Use undo basic-service-ip-type to restore the default.

Syntax

basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *

undo basic-service-ip-type

Default

PPPoE users do not rely on any types of IP addresses to use the basic services.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ipv6-pd: Specifies the IPv6-PD address type. This type of IPv6 addresses are generated based on the DHCPv6 server-assigned prefix.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server.

A PPPoE user might request multiple services of different IP address types. By default, the device logs off a PPPoE user if the user does not obtain the types of IP addresses required by all services. This command enables the device to allow the user to come online if the user has obtained IP addresses of all the specified types for the basic services.

The device does not allow a PPPoE user to come online if the user does not obtain IP addresses of all the specified types for the basic services. For example, if you execute the basic-service-ip-type ipv6 command, the device does not allow a PPPoE user to come online if the user does not obtain an IPv6 address.

Examples

# In ISP domain test, specify PPPoE users to rely on IPv4 addresses to use the basic services.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] basic-service-ip-type ipv4

dhcpv6-follow-ipv6cp

Use dhcpv6-follow-ipv6cp to set the DHCPv6 request timeout timer for PPPoE users.

Use undo dhcpv6-follow-ipv6cp to restore the default.

Syntax

dhcpv6-follow-ipv6cp timeout delay-time

undo dhcpv6-follow-ipv6cp

Default

The DHCPv6 request timeout timer for PPPoE users is 60 seconds.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

timeout delay-time: Specifies the DHCPv6 request timeout timer, in the range of 30 to 120 seconds.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server.

After the device finishes IPv6CP negotiation with a PPPoE user, PPP instructs DHCPv6 to assign an IPv6 address to the user. The user cannot come online if the IP address assignment fails within the DHCPv6 request timeout timer and the user basic services rely on an IPv6 address.

As a best practice, increase the DHCPv6 request timeout timer in the following situations:

· The network communication is unstable.

· The ISP domain serves a large number of PPPoE users.

Examples

# In ISP domain test, set the DHCPv6 request timeout timer to 90 seconds for PPPoE users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90

Related commands

basic-service-ip-type

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

Domain: system

State: Active

Default authentication scheme: Local

Default authorization scheme: Local

Default accounting scheme: Local

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out action: Offline

Service type: HSI

Session time: Exclude idle time

DHCPv6-follow-IPv6CP timeout: 60 seconds

Authorization attributes :

Idle-cut: Disabled

Session timeout: Disabled

IGMP access number: 4

MLD access number: 4

Domain: dm

State: Active

Super authentication scheme: RADIUS=rad

PPP accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local

Command authorization scheme: HWTACACS=hw

LAN access authentication scheme: RADIUS=r4

Portal authentication scheme: LDAP=ldp

Default authentication scheme: LDAP=rad, Local, None

Default authorization scheme: Local

Default accounting scheme: None

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out action: Offline

ITA service poilcy: ita1

Service type: HSI

Session time: Include idle time

User basic service IP type: IPv4 IPv6 IPv6-PD

DHCPv6-follow-IPv6CP timeout: 60 seconds

Authorization attributes :

Idle-cut : Enabled

Idle timeout: 2 minutes

Flow: 10240 bytes

Session timeout: 34 minutes

IP pool: appy

User profile: test

ACL number: 3000

User group: ugg

IPv6 prefix: 1::1/34

IPv6 pool: ipv6pool

Primary DNS server: 6.6.6.6

Secondary DNS server: 3.6.2.3

URL: http://portal

IGMP access number: 12

MLD access number: 35

Default domain name: system

Table 1 Command output

Field	Description
Domain	ISP domain name.
State	Status of the ISP domain.
Default authentication scheme	Default authentication method.
Default authorization scheme	Default authorization method.
Default accounting scheme	Default accounting method.
Accounting start failure action	Access control for users that encounter accounting-start failures: · Online—Allows the users to stay online. · Offline—Logs off the users.
Accounting update failure max-times	Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.
Accounting update failure action	Access control for users that have failed all their accounting-update attempts: · Online—Allows the users to stay online. · Offline—Logs off the users.
Accounting quota out action	Access control for users that have used up their data quotas: · Online—Allows the users to stay online. · Offline—Logs off the users.
ITA service policy	ITA policy applied to the ISP domain.
Service type	Service type of the ISP domain, including HSI, STB, and VoIP.
Session time	Online duration sent to the server for users that went offline due to connection failure or malfunction: · Include idle time—The online duration includes the idle timeout period. · Exclude idle time—The online duration does not include the idle timeout period.
User basic service IP type	Types of IP addresses that PPPoE users rely on to use the basic services: · IPv4. · IPv6. · IPv6-PD.
DHCPv6-follow-IPv6CP timeout	DHCPv6 request timeout timer (in seconds) that starts after IPv6CP negotiation for PPPoE users.
Login authentication scheme	Authentication method for login users.
Login authorization scheme	Authorization method for login users.
Login accounting scheme	Accounting method for login users.
Authorization attributes	Authorization attributes for users in the ISP domain.
Idle-cut	Idle cut feature status: · Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period. · Disabled—The feature is disabled. It is the default idle cut state.
Idle timeout	Idle timeout period, in minutes.
Flow	Minimum traffic that a login user must generate in an idle timeout period, in bytes.
Session timeout	Session timeout timer for users, in minutes.
IP pool	Name of the IPv4 address pool authorized to users.
User profile	Name of the authorization user profile.
ACL number	Authorization ACL for users.
User group	Authorization user group for users.
IPv6 prefix	IPv6 address prefix authorized to users.
IPv6 pool	Name of the IPv6 address pool for users.
Primary DNS server	IP address of the primary DNS server for users.
Secondary DNS server	IP address of the secondary DNS server for users.
URL	Redirect URL for users.
IGMP max access number	Maximum number of IGMP groups that an IPv4 user can join concurrently.
MLD max access number	Maximum number of MLD groups that an IPv6 user can join concurrently.
RADIUS	RADIUS scheme.
HWTACACS	HWTACACS scheme.
LDAP	LDAP scheme.
Local	Local scheme.
None	No authentication, no authorization, or no accounting.
Super authentication scheme	Authentication method for obtaining another user role without reconnecting to the device.
PPP authentication scheme	Authentication method for PPP users.
PPP authorization scheme	Authorization method for PPP users.
PPP accounting scheme	Accounting method for PPP users.
Command authorization scheme	Command line authorization method.
Command accounting scheme	Command line accounting method.
LAN access authentication scheme	Authentication method for LAN users.
LAN access authorization scheme	Authorization method for LAN users.
LAN access accounting scheme	Accounting method for LAN users.
Portal authentication scheme	Authentication method for portal users.
Portal authorization scheme	Authorization method for portal users.
Portal accounting scheme	Accounting method for portal users.
IKE authentication scheme	IKE extended authentication method.
IKE authorization scheme	Authorization method for IKE extended authentication.

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

· display domain

· domain default enable

· domain if-unknown

· state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default ISP domain.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

· display domain

· domain

domain if-unknown

Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-domain-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

The device chooses an authentication domain for each user in the following order:

1. The authentication domain specified for the access module.

2. The ISP domain in the username.

3. The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

NOTE:

Support for the authentication domain configuration depends on the access module.

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

ita-policy

Use ita-policy to apply an ITA policy to users in an ISP domain.

Use undo ita-policy to restore the default.

Syntax

ita-policy policy-name

undo ita-policy

Default

No ITA policy is applied to users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an ITA policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The ITA policy assigned from a RADIUS server takes precedence over the ITA policy in an ISP domain. If an ISP domain user has been assigned an ITA policy from the RADIUS server, the ITA policy of the ISP domain does not take effect. The server-assigned ITA policy might not even exist on the device.

Examples

# Apply ITA policy ita1 to users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] ita-policy ita1

Related commands

ita policy

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN bindings exist.

Views

NAS-ID profile view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

aaa nas-id profile

service-type (ISP domain view)

Use service-type to specify the service type for users in an ISP domain.

Use undo service-type to restore the default.

Syntax

service-type { hsi | stb | voip }

undo service-type

Default

The service type is hsi for users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hsi: Specifies the High-Speed Internet (HSI) service.

stb: Specifies the Set Top Box (STB) service.

voip: Specifies the Voice over IP (VoIP) service.

Usage guidelines

You can configure only one service type for an ISP domain.

When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.

When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.

When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.

For 802.1X and PPP (non-PPPoE) users, the system uses the HSI service forcibly even if the STB or VoIP service is specified.

Examples

# Specify the STB service for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] service-type stb

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device excludes the idle timeout period from the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Whether to configure the device to include the idle timeout period in the user online duration sent to the server, depending on the network accounting policy. The idle timeout period is authorized by the server after users pass authentication. For portal users, the idle timeout period set by using the portal [ ipv6 ] user-detect command takes priority over the idle timeout period authorized by the server.

If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.

· If the session-time include-idle-time command is used, the device adds the idle timeout period to the actual online duration. The online duration sent to the server is longer than the actual online duration of the user.

· If the undo session-time include-idle-time command is used, the device excludes the idle timeout period from the actual online duration. The online duration sent to the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for the users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

By blocking an ISP domain, you disable users of the domain from requesting network services. The online users are not affected.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

user-address-type

Use user-address-type to specify the user address type in the ISP domain.

Use undo user-address-type to restore the default.

Syntax

user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }

undo user-address-type

Default

No user address type is specified for the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ds-lite: Specifies the DS-Lite address type.

ipv6: Specifies the IPv6 address type.

nat64: Specifies the NAT64 address type.

private-ds: Specifies the private-DS address type.

private-ipv4: Specifies the private IPv4 address type.

public-ds: Specifies the public-DS address type.

public-ipv4: Specifies the public IPv4 address type.

Usage guidelines

Any change to the user address type does not affect online users.

Examples

# Specify the private-DS address type for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] user-address-type private-ds

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.

Examples

# Set the maximum number of concurrent logins to 5 for the local user account named abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | primary-dns | secondary-dns | session-timeout | url | user-profile | user-role role-name | vlan | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. The device logs off an online user if the user's idle period exceeds the specified idle timeout period.

ip ipv4-address: Assigns a static IPv4 address to the user after it passes authentication.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6 ipv6-address: Assigns a static IPv6 address to the user after it passes authentication.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for the user. The value range for the prefix-length argument is 1 to 128.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for the user.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for the user.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for the user.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for the user.

session-timeout minutes: Sets the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.

url url-string: Specifies the URL to which the user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

· For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, and user-profile.

· For portal users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, session-timeout, and user-profile.

· For LAN users, only the following authorization attributes take effect: acl, idle-cut, session-timeout, user-profile, and vlan.

· For Telnet and terminal users, only the user-role and work-directory authorization attributes take effect.

· For HTTP and HTTPS users, only the user-role authorization attribute takes effect.

· For SSH and FTP users, only the user-role and work-directory authorization attributes take effect.

· For IKE users, only the ip-pool authorization attribute takes effect.

· For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after an IRF master/subordinate switchover, do not specify slot information for the working directory.

To make sure the user has only the user roles authorized by this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

· When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

· When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

· display local-user

· display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

Default

No binding attributes are configured for a local user.

Views

Local user view

Predefined user roles

network-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.

ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to LAN, portal, and PPP users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN, portal, and PPP users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN, portal, and PPP users.

Usage guidelines

To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.

Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packets. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the authentication packets. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

The binding interface type must meet the requirements of the local user. Configure the binding interface based on the service type of the user.

· If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface through which the user accesses the device.

· If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface through which the user accesses the device.

· If the user is a portal user, specify the portal-enabled interface through which the user accesses the device. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.

Examples

# Bind IP address 3.3.3.3 with network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute ip 3.3.3.3

Related commands

display local-user

company

Use company to specify the company of a local guest.

Use undo company to restore the default.

Syntax

company company-name

undo company

Default

No company is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify company yyy for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] company yyy

description

Use description to configure a description for a network access user.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a network access user.

Views

Network access user view

Predefined user roles

network-admin

Parameters

text: Configures a description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure a description for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] description Manager of MSC company

# Configure a description for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] description Manager of MSC company

Related commands

display local-user

display local-guest waiting-approval

Use display local-guest waiting-approval to display pending registration requests for local guests.

Syntax

display local-guest waiting-approval [ user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name cannot be a, al, or all, and cannot contain the following items:

· A domain name.

· Any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

If you do not specify a guest, this command displays pending registration requests for all local guests.

Usage guidelines

On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approves the requests. The device then creates local guest accounts based on the approved requests.

Examples

# Display all pending registration requests for local guests.

<Sysname> display local-guest waiting-approval

Total 1 guest informations matched.

Guest user Smith:

Full name : Smith Li

Company : YYY

Email : Smith@yyy.com

Phone : 139189301033

Description: The employee of YYY company

Table 2 Command output

Field	Description
Total 1 guest informations matched.	Number of local guests.
Full name	Full name of the local guest.
Company	Company name of the local guest.
Email	Email address of the local guest.
Phone	Phone number of the local guest.
Description	Description of the local guest.

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | ike | lan-access | portal | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

manage: Device management user.

network: Network access user.

guest: Guest user account.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ike: IKE users that access the network through IKE extended authentication.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

portal: Portal users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters and does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Device management user root:

State: Active

Service type: SSH/Telnet/Terminal

User group: system

Bind attributes:

Authorization attributes:

Work directory: cfa0:

User role list: network-admin

Password control configurations:

Password aging: Enabled (3 days)

Network access user jj:

State: Active

Service type: Lan-access

User group: system

Bind attributes:

IP address: 2.2.2.2

Location bound: GigabitEthernet1/0/1

MAC address: 0001-0001-0001

VLAN ID: 2

Calling number: 2:2

Authorization attributes:

Idle timeout: 33 minutes

Work directory: cfa0:

ACL number: 2000

User profile: pp

User role list: network-operator, level-0, level-3

Network access guest user user1:

State: Active

Service type: LAN access/Portal

User group: guest1

Full name: Jack

Company: cc

Email: Jack@cc.com

Phone: 131129237

Description: A guest from company cc

Sponsor full name: Sam

Sponsor department: security

Sponsor email: Sam@aa.com

Validity period:

Start date and time: 2015/04/01-08:00:00

Expiration date and time:2015/04/03-18:00:00

Total 3 local users matched.

Table 3 Command output

Field	Description
State	Status of the local user: active or blocked.
Service type	Service types that the local user can use, including FTP, HTTP, HTTPS, IKE, LAN access, portal, PPP, SSH, Telnet, and terminal.
User group	Group to which the local user belongs.
Bind attributes	Binding attributes of the local user.
IP address	IP address of the local user.
Location bound	Binding port of the local user.
MAC address	MAC address of the local user.
VLAN ID	Binding VLAN of the local user.
Calling number	Calling number of the ISDN user.
Authorization attributes	Authorization attributes of the local user.
Idle timeout	Idle timeout period of the user, in minutes.
Callback number	Authorized PPP callback number of the local user.
Work directory	Directory that the FTP, SFTP, or SCP user can access.
ACL number	Authorization ACL of the local user.
VLAN ID	Authorized VLAN of the local user.
User profile	Authorization user profile of the local user.
User role list	Authorized roles of the local user.
IP address	IPv4 address authorized to the local user.
IPv6 address	IPv6 address authorized to the local user.
IPv6 prefix	IPv6 address prefix authorized to the local user.
IPv6 pool	IPv6 address pool authorized to the local user.
Primary DNS server	IP address of the primary DNS server for the local user.
Secondary DNS server	IP address of the secondary DNS server for the local user.
URL	Redirect URL of the local user.
Password aging	This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length	This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition	This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password.
Password complexity	This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user that failed to log in after using up all login attempts.
Full name	Name of the local guest.
Company	Company name of the local guest.
Email	Email address of the local guest.
Phone	Phone number of the local guest.
Description	Description of the local guest.
Sponsor full name	Name of the guest sponsor.
Sponsor department	Department of the guest sponsor.
Sponsor email	Email address of the guest sponsor.
Validity period	Validity period of the local guest.
Start date and time	Date and time from which the local guest begins to take effect.
Expiration date and time	Date and time at which the local guest expires.

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name [ byod-authorization ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

byod-authorization: Specifies BYOD authorization information. If you do not specify this keyword, the command does not display BYOD authorization information and only displays whether BYOD authorization attributes are configured.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

User group system:

Authorization attributes:

Work directory: cfa0:

BYOD authorization attributes: Not configured

User group jj:

Authorization attributes:

Idle timeout: 2 minutes

Callback number: 2:2

Work directory: cfa0:/

ACL number: 2000

VLAN ID: 2

User profile: pp

BYOD authorization attributes: Not configured

Password control configurations:

Password aging: Enabled (2 days)

Table 4 Command output

Field	Description
Authorization attributes	Authorization attributes of the user group.
BYOD authorization attributes	BYOD authorization attributes of the user group.
Idle timeout	Idle timeout period, in minutes.
Callback number	Authorized PPP callback number.
Work directory	Directory that FTP, SFTP, or SCP users in the group can access.
ACL number	Authorization ACL.
VLAN ID	Authorized VLAN.
User profile	Authorization user profile.
IPv6 prefix	IPv6 address prefix authorized to the user group.
IPv6 pool	IPv6 address pool authorized to the user group.
Primary DNS server	IP address of the primary DNS server authorized to the user group.
Secondary DNS server	IP address of the secondary DNS server authorized to the user group.
URL	Redirect URL for the user group.
Password control configurations	Password control attributes that are configured for the user group.
Password aging	This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length	This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition	This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: · Minimum number of character types that the password must contain. · Minimum number of characters from each type in the password.
Password complexity	This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: · Whether the password can contain the username or the reverse of the username. · Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user that failed to log in after using up all login attempts.

email

Use email to configure the email address of a local guest.

Use undo email to restore the default.

Syntax

email email-string

undo email

Default

No email address is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

The local guest uses the email address to receive notifications from the device.

Examples

# Configure the email address as abc@yyy.com for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] email abc@yyy.com

Related commands

display local-user

full-name

Use full-name to configure the name of a local guest.

Use undo full-name to restore the default.

Syntax

full-name name-string

undo full-name

Default

No name is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the name as abc Snow for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] full-name abc Snow

Related commands

display local-user

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-guest auto-delete enable

Use local-guest auto-delete enable to enable the guest auto-delete feature. This feature enables the device to automatically delete the local guest accounts when the accounts expire.

Use undo local-guest auto-delete enable to restore the default.

Syntax

local-guest auto-delete enable

undo local-guest auto-delete enable

Default

The guest auto-delete feature is disabled. The device does not automatically delete the local guest accounts when the accounts expire.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the guest auto-delete feature.

<Sysname> system-view

[Sysname] local-guest auto-delete enable

Related commands

validity-datetime

local-guest email format

Use local-guest email format to configure the subject and body for the email notifications of local guest information.

Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.

Syntax

local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }

undo local-guest email format to { guest | manager | sponsor } { body | subject }

Default

No subject or body is configured for the email notifications of local guest information.

Views

System view

Predefined user roles

network-admin

Parameters

to: Specifies the email recipient.

guest: Specifies the local guest.

manager: Specifies the guest manager.

sponsor: Specifies the guest sponsor.

body body-string: Configures the body contents, a case-sensitive string of 1 to 255 characters.

subject sub-string: Configures the email subject, a case-sensitive string of 1 to 127 characters.

Usage guidelines

Email notifications need to be sent to notify the local guests, guest sponsors, or guest managers of the guest account information or guest registration requests. Use this command to configure the subject and body for the email notifications to be sent by the device.

You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.

You must configure both the subject and body for each recipient.

Examples

# Configure the subject and body for the email notifications to send to the local guest.

<Sysname> system-view

[Sysname] local-guest email format to guest subject Guest account information

[Sysname] local-guest email format to guest body A guest account has been created for your use. The username, password, and valid dates for the account are given below.

Related commands

· local-guest email sender

· local-guest email smtp-server

· local-guest manager-email

· local-guest send-email

local-guest email sender

Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.

Use undo local-guest email sender to restore the default.

Syntax

local-guest email sender email-address

undo local-guest email sender

Default

No email sender address is configured for the email notifications of local guests sent by the device.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email sender address, a case-insensitive string of 1 to 255 characters.

Usage guidelines

If you do not specify an email sender address, the device cannot send email notifications.

The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the email sender address as abc@yyy.com for email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email sender abc@yyy.com

Related commands

· local-guest email format

· local-guest email smtp-server

· local-guest manager-email

· local-guest send-email

local-guest email smtp-server

Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests.

Use undo local-guest email smtp-server to restore the default.

Syntax

local-guest email smtp-server url-string

undo local-guest email smtp-server

Default

No SMTP server is specified to send email notifications of local guests.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the path of the SMTP server, a case-insensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and starts with smtp://.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the SMTP server at smtp://www.test.com/smtp to send email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email smtp-server smtp://www.test.com/smtp

Related commands

· local-guest email format

· local-guest email sender

· local-guest manager-email

· local-guest send-email

local-guest generate

Use local-guest generate to create local guests in batch.

Syntax

local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time

Views

System view

Predefined user roles

network-admin

Parameters

username-prefix name-prefix: Specifies the name prefix, a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device randomly generates passwords for the local guests.

suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.

group group-name: Specifies a user group by the name. The user group name is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group named system.

count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.

validity-datetime: Specifies the validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

Account names of batch created local guests start with the same string specified by the name prefix, and end with a different number as the suffix. The system increases the start suffix number by 1 for each new local guest created in the batch.

The device generates plaintext passwords by using the password prefix and suffix number in the same way it batch creates the local guest names.

Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.

If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.

Examples

# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The validity period is 2016/06/01 00:00:00 to 2010/06/02 12:00:00.

<Sysname> system-view

[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2016/06/01 00:00:00 to 2016/06/02 12:00:00

Related commands

· display local-user

· local-user

local-guest manager-email

Use local-guest manager-email to configure the email address of the guest manager.

Use undo local-guest manager-email to restore the default.

Syntax

local-guest manager-email email-address

undo local-guest manager-email

Default

No email address is configured for the guest manager.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email address, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

Use this command to specify the email address to which the device sends the local guest registration requests for approval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the email address of the guest manager as xyz@yyy.com.

<Sysname> system-view

[Sysname] local-guest manager-email xyz@yyy.com

Related commands

· local-guest email format

· local-guest email sender

· local-guest email smtp-server

· local-guest send-email

local-guest send-email

Use local-guest send-email to send emails to a local guest or guest sponsor.

Syntax

local-guest send-email user-name user-name to { guest | sponsor }

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

· Cannot be a, al, or all.

· Cannot contain a domain name.

· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

to: Specifies the email recipient.

guest: Specifies the local guest.

sponsor: Specifies the guest sponsor.

Usage guidelines

Guest managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.

Examples

# Send an email to notify local guest abc of the guest password and validity period information.

<Sysname> system-view

[Sysname] local-guest send-email user-name abc to guest

local-guest timer

Use local-guest timer to set the waiting-approval timeout timer for local guests.

Syntax

local-guest timer waiting-approval time-value

undo local-guest timer waiting-approval

Default

The setting is 24 hours.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the waiting-approval timeout timer in the range of 1 to 720, in hours.

Usage guidelines

The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved within the timer, the device deletes the registration request.

Examples

# Set the waiting-approval timeout timer to 12 hours.

<Sysname> system-view

[Sysname] local-guest timer waiting-approval 12

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class { manage | network [ guest ] } ]

undo local-user { user-name class { manage | network } | all [ service-type { ftp | http | https | ike | lan-access | portal | ppp | ssh | telnet | terminal } | class { manage | network [ guest ] } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

· Cannot contain a domain name.

· Cannot be a, al, or all.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

network: Network access user that accesses network resources through the device. Except guests, network access users can use IKE, LAN access, portal, and PPP services.

guest: Guest that can access network resources through the device during the validity period. Guests can use LAN and portal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ike: IKE users that access the network through IKE extended authentication.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

portal: Portal users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Usage guidelines

If you do not specify the class { manage | network } option, this command adds a device management user.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2 and enter local user view.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

# Add a local guest named user3 and enter local guest view.

<Sysname> system-view

[Sysname] local-user user3 class network guest

[Sysname-luser-network(guest)-user3]

Related commands

· display local-user

· service-type (local user view)

local-user-export class network guest

Use local-user-export class network guest to export local guest account information to a .csv file in the specified path.

Syntax

local-user-export class network guest url url-string

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can import the user account information back to the device or to other devices that support the local-user-import class network guest command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import class network guest."

The device supports TFTP and FTP file transfer modes. Table 5 describes the valid URL formats of the .csv file.

Table 5 URL formats

Protocol	URL format	Description
TFTP	tftp://server/path/filename	Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
FTP	· With FTP user name and password: ftp://username:password@server/path/filename · Without FTP user name and password: ftp://server/path/filename	Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

· With FTP user name and password:
ftp://username:password@server/path/filename

· Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Export local guest account information to file guest.csv in path ftp://1.1.1.1/user/.

<Sysname> system-view

[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv

Related commands

· display local-user

· local-user-import class network guest

local-user-import class network guest

Use local-user-import class network guest to import local guest account information from a .csv file in the specified path to the device and create local guests based on the imported information.

Syntax

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the source file path, a case-insensitive string of 1 to 255 characters.

validity-datetime: Specifies the guest validity period of the local guests.

to: Specifies the end date and time of the validity period.

auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups of the guests do not exist on the device. The local guests are automatically assigned to the created groups. If you do not specify this keyword, the device adds all imported local guests with nonexistent groups to the system-defined user group named system.

override: Enables the device to override the existing account with the same name as a guest account to be imported. If you do not specify this keyword, the command retains the existing account and does not import the local guest with the same name.

start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.

Usage guidelines

The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:

· Username—User name of the guest account. The user name is required for each account, and it must meet the following requirements:

? Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

? Cannot be a, al, or all.

An invalid name results in account import failure and interruption.

· Password—Password of the guest account. If the password is empty, the device generates a random password for the guest.

· User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group system.

· Guest full name—Name of the guest.

· Guest company—Company of the guest.

· Guest email—Email address of the guest.

· Guest phone—Phone number of the guest.

· Description—Description of the guest.

· Sponsor full name—Name of the guest sponsor.

· Sponsor department—Department of the guest sponsor.

· Sponsor email—Email address of the guest sponsor.

Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,

Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com

The device supports TFTP and FTP file transfer modes. Table 6 describes the valid URL formats of the .csv file.

Table 6 URL formats

Protocol	URL format	Description
TFTP	tftp://server/path/filename	Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
FTP	· With FTP user name and password: ftp://username:password@server/path/filename · Without FTP user name and password: ftp://server/path/filename	Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

· With FTP user name and password:
ftp://username:password@server/path/filename

· Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Import guest account information from file ftp://1.1.1.1/user/guest.csv, and specify the guest validity period.

<Sysname> system-view

[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2014/10/01 00:00:00 to 2014/10/02 12:00:00

Related commands

· display local-user

· local-user-export class network guest

password

Use password to configure a password for a local user.

Use undo password to restore the default.

Syntax

password [ { cipher | hash | simple } string ]

undo password

Default

No password is configured for a local user. A local user can pass authentication after entering the correct username and passing attribute checks.

Views

Local user view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. This argument is case sensitive.

· The plaintext form of the password is a string of 1 to 63 characters.

· The hashed form of the password is a string of 1 to 110 characters.

· The encrypted form of the password is a string of 1 to 117 characters.

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password. Only device management users support passwords configured in interactive mode.

A non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user.

Examples

# Set the password of device management user user1 to 123456TESTplat&! in plain text.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Set the password of device management user test in interactive mode.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

# Set the password of network access user user2 to 123456TESTuser&! in plain text.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2] password simple 123456TESTuser&!

Related commands

display local-user

phone

Use phone to specify the phone number of a local guest.

Use undo phone to restore the default.

Syntax

phone phone-number

undo phone

Default

No phone number is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-).

Examples

# Specify the phone number as 138-137239201 for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] phone 138-137239201

reset local-guest waiting-approval

Use reset local-guest waiting-approval to clear pending registration requests for local guests.

Syntax

reset local-guest waiting-approval [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name cannot contain a domain name. If you do not specify a guest, this command clears information about all registration requests for local guests.

Examples

# Clear information about all registration requests for local guests.

<Sysname> reset local-guest waiting-approval

Related commands

display local-guest waiting-approval

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | ike | lan-access | { http | https | ssh | telnet | terminal } * | portal | ppp }

undo service-type { ftp | ike | lan-access | { http | https | ssh | telnet | terminal } * | portal | ppp }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ike: Authorizes the user to use the IKE extended authentication service.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console.

portal: Authorizes the user to use the Portal service.

ppp: Authorizes the user to use the PPP service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

sponsor-department

Use sponsor-department to specify the department of the guest sponsor for a local guest.

Use undo sponsor-department to restore the default.

Syntax

sponsor-department department-string

undo sponsor-department

Default

No department is specified for the guest sponsor of a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.

Examples

# Specify the department as test for the sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-department test

sponsor-email

Use sponsor-email to specify the email address of the guest sponsor for a local guest.

Use undo sponsor-email to restore the default.

Syntax

sponsor-email email-string

undo sponsor-email

Default

No email address is specified for the guest sponsor.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.

Examples

# Specify the email address as Sam@a.com for the sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com

sponsor-full-name

Use sponsor-full-name to specify the sponsor name for a local guest.

Use undo sponsor-full-name to restore the default.

Syntax

sponsor-full-name name-string

undo sponsor-full-name

Default

No sponsor name is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the sponsor name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify the sponsor name as Sam Li for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

validity-datetime

Use validity-datetime to specify the validity period for a local guest.

Use undo validity-datetime to restore the default.

Syntax

validity-datetime start-date start-time to expiration-date expiration-time

undo validity-datetime

Default

A local guest does not expire.

Views

Local guest view

Predefined user roles

network-admin

Parameters

start-date: Specifies the date on which the local guest becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time when the local guest becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the local guest.

expiration-date: Specifies the date on which the local guest expires. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the time when the local guest expires. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

The expiration date and time must be later than the start date and time.

Expired local guest accounts cannot be used for authentication.

Examples

# Specify the validity period for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] validity-datetime 2014/10/01 00:00:00 to 2014/10/02 12:00:00

Related commands

display local-user

Local BYOD authorization commands

byod authorization

Use byod authorization to configure authorization attributes for a type of BYOD endpoints in a user group.

Use undo byod authorization to delete the authorization attributes for a type of BYOD endpoints in a user group.

Syntax

byod authorization device-type type-name { acl acl-number | callback-number callback-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | url url-string | user-profile profile-name | vlan vlan-id } *

undo byod authorization device-type type-name { acl | callback-number | idle-cut | ip-pool | ipv6-pool | ipv6-prefix | primary-dns | secondary-dns | session-timeout | url | user-profile | vlan } *

Default

No authorization attributes are configured for any type of BYOD endpoints in a user group.

Views

User group view

Predefined user roles

network-admin

Parameters

device-type type-name: Specifies an endpoint type. The type-name argument is a case-insensitive string of 1 to 127 characters. If the type name contains spaces, you must enclose the type name into a pair of quotation marks (for example, "Chrome OS").

idle-cut minutes: Sets an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. The device logs off an online user if the user's idle period exceeds the specified idle timeout period.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. After passing authentication, a local user can obtain an IP address from the pool.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. After passing authentication, a local user can obtain an IP address from the pool.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix. The value range for the prefix-length argument is 1 to 128. After passing authentication, a local user can use the IPv6 address prefix.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users.

session-timeout minutes: Sets the session timeout timer in minutes. The value range for the minutes argument is 1 to 1440. The device logs off a user after the user's session timeout timer expires.

url url-string: Specifies the URL to which a user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters.

user-profile profile-name: Specifies an authorization user profile by the name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

· For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, and user-profile.

· For portal users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, session-timeout, and user-profile.

· For LAN users, only the following authorization attributes take effect: acl, session-timeout, user-profile, and vlan.

· For other types of local users, no authorization attribute takes effect.

For a user, an endpoint type-specific authorization attribute takes precedence over the same common authorization attribute specified for the user. A common authorization attribute specified for the user takes precedence over the same common authorization attribute specified for the user group to which the user belongs. To specify common authorization attributes, use the authorization-attribute command.

Examples

# Specify VLAN 3 as the authorization VLAN for endpoints of the iPhone 6 type in user group abc.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] byod authorization device-type iphone6 vlan 3

Related commands

· display byod rule

· display local-user

· display user-group

byod rule

Use byod rule to configure a BYOD endpoint identification rule.

Use undo byod rule to delete a BYOD endpoint identification rule.

Syntax

byod rule { dhcp-option option-string | http-user-agent agent-string | mac-address mac-address mask mac-mask } device-type type-name

undo byod rule { dhcp-option option-string | http-user-agent agent-string | mac-address mac-address mask mac-mask }

Default

Predefined BYOD endpoint identification rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

dhcp-option option-string: Specifies the DHCP Option 55 fingerprint. The option-string argument is a case-insensitive string of 1 to 255 characters. If the fingerprint contains spaces, you must enclose the fingerprint into a pair of quotation marks (for example, "Microsoft Windows 8").

http-user-agent agent-string: Specifies the HTTP user agent fingerprint. The agent-string argument is a case-insensitive string of 1 to 255 characters. If the fingerprint contains spaces, you must enclose the fingerprint into a pair of quotation marks (for example, "Apple iPod").

mac-address mac-address: Specifies the MAC address of an endpoint, in the H-H-H format. The address cannot be a multicast MAC address or an all-zero MAC address. You can omit the leading zeros in each section. For example, enter f-e2-1 to indicate 000f-00e2-0001.

mask mac-mask: Specifies the MAC address mask in the H-H-H format.

device-type type-name: Specifies an endpoint type, a case-insensitive string of 1 to 127 characters. If the type name contains spaces, you must enclose the type name into a pair of quotation marks (for example, "Chrome OS").

Usage guidelines

A BYOD endpoint identification rule defines the mapping between an endpoint type and a fingerprint string. The device obtains fingerprint information from the authentication request of an endpoint, and matches the fingerprint with the rules for the associated endpoint type.

A fingerprint string can match only one endpoint type. However, an endpoint type can be associated with multiple fingerprint strings. You can use the byod rule-order command to specify the fingerprint types supported by the device and their match priority order.

Examples

# Specify a rule to identify BYOD endpoints containing DHCP Option 55 fingerprint di2ns0ns as the iPhone 6 type.

<Sysname> system-view

[Sysname] byod rule dhcp-option di2ns0ns device-type iphone6

Related commands

· byod authorization

· display byod rule

byod rule-order

Use byod rule-order to specify the types of BYOD endpoint identification rules supported by the device and their priority order.

Use undo byod rule-order to restore the default.

Syntax

byod rule-order { dhcp-option | http-user-agent | mac-address } *

undo byod rule-order

Default

The device uses the following types of BYOD endpoint identification rules to identify an endpoint type and their match priority order is as follows:

1. DHCP Option 55-based rules.

2. HTTP user agent-based rules.

3. MAC address-based rules.

Views

System view

Predefined user roles

network-admin

Parameters

dhcp-option: Specifies the DHCP Option 55-based rules.

http-user-agent: Specifies the HTTP user agent-based rules.

mac-address: Specifies the MAC address-based rules.

Usage guidelines

The type of BYOD endpoint identification rules not specified by this command will not be used for endpoint identification.

The order of the keywords determines the priority order of the BYOD endpoint identification rule types. For example, if you configure the byod rule-order mac-address http-user-agent command, the device only uses the MAC address-based and HTTP user agent-based rules to identify an endpoint type. The MAC address-based rules take precedence over the HTTP user agent-based rules.

Examples

# Specify the priority order of BYOD endpoint identification rules as MAC address-based rules, HTTP user agent-based rules, and DHCP Option 55-based rules.

<Sysname> system-view

[Sysname] byod rule-order mac-address http-user-agent dhcp-option

Related commands

byod rule

display byod rule

Use display byod rule to display BYOD endpoint identification rules.

Syntax

display byod rule { dhcp-option [ option-string ] | http-user-agent [ agent-string ] | mac-address [ mac-address ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dhcp-option: Specifies identification rules based on DHCP Option 55 fingerprints.

option-string: Specifies a DHCP Option 55 fingerprint, a case-insensitive string of 1 to 255 characters. If you do not specify this argument, this command displays all identification rules based on DHCP Option 55 fingerprints.

http-user-agent: Specifies identification rules based on HTTP user agent fingerprints.

agent-string: Specifies an HTTP user agent fingerprint, a case-insensitive string of 1 to 255 characters. If you do not specify this argument, this command displays all identification rules based on HTTP user agent fingerprints.

mac-address: Specifies identification rules based on MAC addresses.

mac-address: Specifies the MAC address of an endpoint, in the H-H-H format. The address cannot be a multicast MAC address or an all-zero MAC address. You can omit the leading zeros in each section. For example, enter f-e2-1 to indicate 000f-00e2-0001. If you do not specify this argument, this command displays all identification rules based on MAC addresses.

Examples

# Display all identification rules based on DHCP Option 55 fingerprints.

<Sysname> display byod rule dhcp-option

Total 3 DHCP option rules matched.

DHCP option: 1

Device type: Defy

DHCP option: 1,

Device type: Galaxy Ace2 X

DHCP option: 1,121,33,3,6,12,15,26,28,51,54,58,59,119,252

Device type: Chrome OS

…

# Display all identification rules based on HTTP user agent fingerprints.

<Sysname> display byod rule http-user-agent

Total 2 HTTP user agent rules matched.

HTTP user agent: ##_MAX 4G 5.0 _T-Mobile_4.2.2_android_en_5.0.4428_DID999

Device type: Generic Android

HTTP user agent: ##_SM-G900V_Network Extender_4.4.4_android_en_5.0.4402_VZW007

Device type: Generic Android

…

# Display all identification rules based on MAC addresses.

<Sysname> display byod rule mac-address

Total 2 MAC rules matched.

MAC address: 0000-4600-0000 MAC mask: ffff-ff00-0000

Device type: OnePlus One

MAC address: 0001-3600-0000 MAC mask: ffff-ff00-0000

Device type: Generic Android

…

Table 7 Command output

Field	Description
Total n DHCP option rules matched.	Number of DHCP Option 55-based BYOD endpoint identification rules.
Total n HTTP user agent rules matched.	Number of HTTP user agent-based BYOD endpoint identification rules.
Total n MAC rules matched.	Number of MAC address-based BYOD endpoint identification rules.
DHCP option	DHCP Option 55 fingerprint.
HTTP user agent	HTTP user agent fingerprint.
MAC mask	MAC address mask.
Device type	BYOD endpoint type.

display byod rule-order

Use display byod rule-order to display BYOD endpoint identification rule types supported by the device and their priority order.

Syntax

display byod rule-order

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display BYOD endpoint identification rule types supported by the device and their priority order.

<Sysname> display byod rule-order

BYOD rule matching order: mac-address http-user-agent dhcp-option

Related commands

byod rule-order

RADIUS commands

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to restore the default.

Syntax

accounting-on enable [ interval seconds | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the seconds argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# In RADIUS scheme radius1, enable the accounting-on feature, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

accounting-on extended

Use accounting-on extended to enable the extended accounting-on feature.

Use undo accounting-on extended to disable the extended accounting-on feature.

Syntax

accounting-on extended

undo accounting-on extended

Default

The extended accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Usage guidelines

The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture. For the extended accounting-on feature to take effect, the RADIUS server must run on IMC and the accounting-on feature must be enabled.

The extended accounting-on feature is applicable to LAN and PPP users. The user data is saved to the member devices through which the users access the IRF fabric.

When the extended accounting-on feature is enabled, the IRF fabric automatically sends an accounting-on packet to the RADIUS server after a member device reboot (IRF fabric not reboot). The packet contains the member device identifier. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the IRF fabric through the member device.

The IRF fabric uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.

Execute the save command to ensure that the accounting-on extended command takes effect at the next member device reboot. For information about the save command, see Fundamentals Command Reference.

Examples

# Enable the extended accounting-on feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on extended

Related commands

· accounting-on enable

· display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to configure the device to not interpret the RADIUS class attribute as CAR parameters.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the MAC address format for RADIUS attribute 31.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { six | three } separator separator-character { lowercase | uppercase }

undo attribute 31 mac-format

Default

A MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the MAC address format for RADIUS attribute 31 to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute remanent-volume

Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.

Use undo attribute remanent-volume to restore the default.

Syntax

attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }

undo attribute remanent-volume unit

Default

The data measurement unit is kilobyte for the Remanent_Volume attribute.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Parameters

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

Usage guidelines

Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.

Examples

# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte

Related commands

display radius scheme

client

Use client to specify a RADIUS DAC.

Use undo client to remove a RADIUS DAC.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string ] *

undo client { ip ipv4-address | ipv6 ipv6-address }

Default

No RADIUS DACs are specified.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a DAC by its IPv4 address.

ipv6 ipv6-address: Specifies a DAC by its IPv6 address.

key: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

With the RADIUS DAS feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DACs. The device processes the requests and sends DAE responses to the DACs.

The device discards any DAE packets sent from DACs that are not specified for the DAS.

You can execute the client command multiple times to specify multiple DACs for the DAS.

Examples

# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456

Related commands

· radius dynamic-author server

· port

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

Use display radius scheme to display RADIUS scheme configuration.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

------------------------------------------------------------------

RADIUS scheme name : radius1

Index : 0

Primary authentication server:

IP : 2.2.2.2 Port: 1812

State: Active

Test profile: 132

Probe username: test

Probe interval: 60 minutes

Primary accounting server:

IP : 1.1.1.1 Port: 1813

State: Active

Second authentication server:

IP : 3.3.3.3 Port: 1812

State: Block

Test profile: Not configured

Second accounting server:

IP : 3.3.3.3 Port: 1813

State: Block (Mandatory)

Accounting-On function : Enabled

extended function : Enabled

retransmission times : 5

retransmission interval(seconds) : 2

Timeout Interval(seconds) : 3

Retransmission Times : 3

Retransmission Times for Accounting Update : 5

Server Quiet Period(minutes) : 5

Realtime Accounting Interval(minutes) : 22

NAS IP Address : 1.1.1.1

User Name Format : with-domain

Data flow unit : Megabyte

Packet unit : One

Attribute 15 check-mode : Strict

Attribute 25 : CAR

Attribute Remanent-Volume unit : Mega

Attribute 31 MAC format : hh:hh:hh:hh:hh:hh

------------------------------------------------------------------

Table 8 Command output

Field	Description
Index	Index number of the RADIUS scheme.
Primary authentication server	Information about the primary authentication server.
Primary accounting server	Information about the primary accounting server.
Second authentication server	Information about the secondary authentication server.
Second accounting server	Information about the secondary accounting server.
IP	IP address of the server. If no server is configured, this field displays Not configured.
Port	Service port number of the server. If no port number is specified, this field displays the default port number.
State	Status of the server: · Active—The server is in active state. · Block—The server is changed to blocked state automatically. · Block (Mandatory)—The server is set to blocked state manually.
Test profile	Test profile used for RADIUS server status detection.
Probe username	Username used for RADIUS server status detection.
Probe interval	Server status detection interval, in minutes.
Accounting-On function	Whether the accounting-on feature is enabled.
extended function	Whether the extended accounting-on feature is enabled.
retransmission times	Number of accounting-on packet transmission attempts.
retransmission interval(seconds)	Interval at which the device retransmits accounting-on packets, in seconds.
Timeout Interval(seconds)	RADIUS server response timeout period, in seconds.
Retransmission times	Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Retransmission Times for Accounting Update	Maximum number of accounting attempts.
Server Quiet Period(minutes)	Quiet period for the servers, in minutes.
Realtime Accounting Interval(minutes)	Interval for sending real-time accounting updates, in minutes.
NAS IP Address	Source IP address for outgoing RADIUS packets.
User Name Format	Format for the usernames sent to the RADIUS servers of the RADIUS scheme: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards a username as the username is entered.
Data flow unit	Measurement unit for data flows.
Packet unit	Measurement unit for packets.
Attribute 15 check-mode	RADIUS Login-Service attribute check method for SSH, FTP, and terminal users: · Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. · Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
Attribute 25	RADIUS attribute 25 interpretation status: · Standard—The attribute is not interpreted as CAR parameters. · CAR—The attribute is interpreted as CAR parameters.
Attribute Remanent-Volume unit	Data measurement unit for the RADIUS Remanent_Volume attribute.
Attribute 31 MAC format	MAC address format for RADIUS attribute 31.

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

Auth. Acct. SessCtrl.

Request Packet: 0 0 0

Retry Packet: 0 0 -

Timeout Packet: 0 0 -

Access Challenge: 0 - -

Account Start: - 0 -

Account Update: - 0 -

Account Stop: - 0 -

Terminate Request: - - 0

Set Policy: - - 0

Packet With Response: 0 0 0

Packet Without Response: 0 0 -

Access Rejects: 0 - -

Dropped Packet: 0 0 0

Check Failures: 0 0 0

Table 9 Command output

Field	Description
Auth.	Authentication packets.
Acct.	Accounting packets.
SessCtrl.	Session-control packets.
Request Packet	Number of request packets.
Retry Packet	Number of retransmitted request packets.
Timeout Packet	Number of request packets timed out.
Access Challenge	Number of access challenge packets.
Account Start	Number of start-accounting packets.
Account Update	Number of accounting update packets.
Account Stop	Number of stop-accounting packets.
Terminate Request	Number of packets for logging off users forcibly.
Set Policy	Number of packets for updating user authorization information.
Packet With Response	Number of packets for which responses were received.
Packet Without Response	Number of packets for which no responses were received.
Access Rejects	Number of Access-Reject packets.
Dropped Packet	Number of discarded packets.
Check Failures	Number of packets with checksum errors.

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS authentication or accounting communication.

Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured for secure RADIUS authentication or accounting communication.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure RADIUS accounting communication.

authentication: Specifies the shared key for secure RADIUS authentication communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

Examples

# In RADIUS scheme radius1, set the shared key to ok in plaintext form for secure accounting communication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the primary IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

If you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

· The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

· The setting in RADIUS scheme view takes precedence over the setting in system view.

A RADIUS scheme can have only one source IPv4 address and one source IPv6 address for outgoing RADIUS packets.

Examples

# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the source IP address for outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

· display radius scheme

· radius nas-ip

port

Use port to specify the RADIUS DAS port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAS port number is 3799.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.

Examples

# Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

· client

· radius dynamic-author server

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string ] *

undo primary accounting

Default

No primary RADIUS accounting server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the primary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests. The device can generate incorrect accounting results.

Examples

# In RADIUS scheme radius1, specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

· display radius scheme

· key (RADIUS scheme view)

· secondary accounting (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name ] *

undo primary authentication

Default

No primary RADIUS authentication server is specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the primary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument specifies the test profile name, which is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Make sure the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

When you specify a test profile for the primary authentication server, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# In RADIUS scheme radius1, specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

· display radius scheme

· key (RADIUS scheme view)

· radius-server test-profile

· secondary authentication (RADIUS scheme view)

radius dscp

Use radius dscp to change the DSCP priority of RADIUS packets.

Use undo radius dscp to restore the default.

Syntax

radius [ ipv6 ] dscp dscp-value

undo radius [ ipv6 ] dscp

Default

The DSCP priority of RADIUS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 RADIUS packets. If you do not specify this keyword, the command sets the DSCP priority for the IPv4 RADIUS packets.

dscp-value: Specifies the DSCP priority of RADIUS packets, in the range of 0 to 63. A larger value represents a higher priority.

Usage guidelines

Use this command to set the DSCP priority in the ToS field of RADIUS packets for changing their transmission priority.

Examples

# Set the DSCP priority of IPv4 RADIUS packets to 10.

<Sysname> system-view

[Sysname] radius dscp 10

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAS feature and enter RADIUS DAS view.

Use undo radius dynamic-author server to restore the default.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAS feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After the RADIUS DAS feature is enabled, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs.

Examples

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

· client

· port

radius nas-ip

Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address }

undo radius nas-ip { ipv4-address | ipv6 ipv6-address }

Default

The source IP address of an outgoing RADIUS packet is the primary IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing RADIUS packets to avoid RADIUS packet loss caused by physical port errors.

If you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

· The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

· The setting in RADIUS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses, including:

· Zero or one public-network source IPv4 address.

· Zero or one public-network source IPv6 address.

· Private-network source IP addresses.

Examples

# Specify IP address 129.10.10.1 as the source address for outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control client

Use radius session-control client to specify a RADIUS session-control client.

Use undo radius session-control client to remove the specified RADIUS session-control clients.

Syntax

radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string ] *

undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } }

Default

No RADIUS session-control clients are specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a session-control client by its IPv4 address.

ipv6 ipv6-address: Specifies a session-control client by its IPv6 address.

key: Specifies the shared key for secure communication with the session-control client.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

all: Specifies all session-control clients.

Usage guidelines

To verify the session-control packets sent from a RADIUS server running on IMC, specify the RADIUS server as a session-control client to the device. The IP address and shared key settings of the session-control client must be the same as the corresponding settings of the RADIUS server.

You can specify multiple session-control clients on the device.

The device matches a session-control packet to a session-control client based on the IP address setting, and then uses the shared key of the matched client to validate the packet.

The device searches the session-control client settings prior to searching all RADIUS scheme settings for a server with matching IP address setting. This process narrows the search scope for finding the matched RADIUS server.

The session-control client settings take effect only when the RADIUS session-control feature is enabled.

Examples

# Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form.

<Sysname> system-view

[Sysname] radius session-control client ip 10.110.1.2 key simple 12345

Related commands

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to disable the RADIUS session-control feature.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An H3C IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812.

This feature must work with H3C IMC servers.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ interval interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

You can specify the same test profile for multiple RADIUS servers.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection. The detection packet uses admin as the username and is sent every 10 minutes.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin interval 10

Related commands

· primary authentication (RADIUS scheme view)

· secondary authentication (RADIUS scheme view)

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retries

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

· If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

· If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the value multiplied by the following items cannot be larger than the client timeout period defined by the access module:

· The maximum number of RADIUS packet transmission attempts.

· The RADIUS server response timeout period.

· The number of RADIUS authentication servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the maximum number of RADIUS packet transmission attempts to 5.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

· radius scheme

· timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retries

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user.

To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, the following conditions exist:

· The RADIUS server response timeout period is 3 seconds (set by using the timer response-timeout command).

· The maximum number of RADIUS packet transmission attempts is 3 (set by using the retry command).

· The real-time accounting interval is 12 minutes (set by using the timer realtime-accounting command).

· The maximum number of accounting attempts is 5 (set by using the retry realtime-accounting command).

In the above case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.

Examples

# In RADIUS scheme radius1, set the maximum number of accounting attempts to 10.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

· retry

· timer realtime-accounting (RADIUS scheme view)

· timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ]

Default

No secondary RADIUS accounting servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# In RADIUS scheme radius2, specify two secondary accounting servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

· display radius scheme

· key (RADIUS scheme view)

· primary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ]

Default

No secondary RADIUS authentication servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument represents the test profile name, which is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

When you specify a test profile for secondary authentication servers, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# In RADIUS scheme radius2, specify two secondary authentication servers with the server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

· display radius scheme

· key (RADIUS scheme view)

· primary authentication (RADIUS scheme view)

· radius-server test-profile

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All RADIUS SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

accounting-server-down: Specifies notifications to be sent when the RADIUS accounting server becomes unreachable.

accounting-server-up: Specifies notifications to be sent when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Specifies notifications to be sent when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Specifies notifications to be sent when the RADIUS authentication server becomes unreachable.

authentication-server-up: Specifies notifications to be sent when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS:

· RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

· RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

· Excessive authentication failures notification—RADIUS generates this notification when the number of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the device to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

The primary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the primary RADIUS accounting server.

authentication: Specifies the primary RADIUS authentication server.

active: Specifies the active state.

block: Specifies the blocked state.

Usage guidelines

During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

· Changes the status of the primary server to blocked.

· Starts a quiet timer for the server.

· Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

· If you set the status of the server to blocked, the device stops detecting the status of the server.

· If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of the primary authentication server to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

· display radius scheme

· radius-server test-profile

· state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ] { active | block }

Default

A secondary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies a secondary RADIUS accounting server.

authentication: Specifies a secondary RADIUS authentication server.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

active: Specifies the active state.

block: Specifies the blocked state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

· Changes the status of the secondary server to blocked.

· Starts a quiet timer for the server.

· Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

· If you set the status of the server to blocked, the device stops detecting the status of the server.

· If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of all the secondary authentication servers to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

· display radius scheme

· radius-server test-profile

· state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

· A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

· A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

Examples

# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval [ second ]

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval: Specifies the real-time accounting interval in the range of 0 to 71582.

second: Specifies the measurement unit as second. If you do not specify this keyword, the real-time accounting interval is measured in minutes.

Usage guidelines

When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval helps improve accounting precision but requires many system resources.

Table 10 Recommended real-time accounting intervals

Number of users	Real-time accounting interval
1 to 99	3 minutes
100 to 499	6 minutes
500 to 999	12 minutes
1000 or more	15 minutes or longer

Examples

# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

· The maximum number of RADIUS packet transmission attempts.

· The RADIUS server response timeout period.

· The number of RADIUS authentication servers in the RADIUS scheme.

Examples

# In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

· display radius scheme

· retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of usernames to be sent to the RADIUS servers of a RADIUS scheme.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to the RADIUS servers of a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the usernames to the RADIUS servers as the usernames are entered.

with-domain: Includes the ISP domain name in the usernames sent to the RADIUS servers.

without-domain: Excludes the ISP domain name from the usernames sent to the RADIUS servers.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the usernames are sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.

For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect. The device does not change the usernames from clients before forwarding them to the RADIUS server.

If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users might fail.

Examples

# In RADIUS scheme radius1, configure the device to remove the domain name from the usernames sent to the RADIUS servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.

Examples

# Displays the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 TACACS schemes

------------------------------------------------------------------

HWTACACS Scheme Name : hwtac

Index : 0

Primary Auth Server:

IP : 2.2.2.2 Port: 49 State: Active

Single-connection: Enabled

Primary Author Server:

IP : 2.2.2.2 Port: 49 State: Active

Single-connection: Disabled

Primary Acct Server:

IP : Not Configured Port: 49 State: Block

Single-connection: Disabled

NAS IP Address : 2.2.2.3

Server Quiet Period(minutes) : 5

Realtime Accounting Interval(minutes) : 12

Response Timeout Interval(seconds) : 5

Username Format : with-domain

Data flow unit : Byte

Packet unit : One

------------------------------------------------------------------

Table 11 Command output

Field	Description
Index	Index number of the HWTACACS scheme.
Primary Auth Server	Primary HWTACACS authentication server.
Primary Author Server	Primary HWTACACS authorization server.
Primary Acct Server	Primary HWTACACS accounting server.
Secondary Auth Server	Secondary HWTACACS authentication server.
Secondary Author Server	Secondary HWTACACS authorization server.
Secondary Acct Server	Secondary HWTACACS accounting server.
IP	IP address of the HWTACACS server. If no server is configured, this field displays Not configured.
Port	Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.
Single-connection	Single connection status: · Enabled—Establish only one TCP connection for all users to communicate with the server. · Disabled—Establish a TCP connection for each user to communicate with the server.
State	Status of the HWTACACS server: active or blocked.
NAS IP Address	Source IP address for outgoing HWTACACS packets.
Server Quiet Period(minutes)	Quiet period for the primary servers, in minutes.
Realtime Accounting Interval(minutes)	Real-time accounting interval, in minutes.
Response Timeout Interval(seconds)	HWTACACS server response timeout period, in seconds.
Username Format	Format for the usernames sent to the HWTACACS servers of the HWTACACS scheme: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards a username as the username is entered.
Data flow unit	Measurement unit for data flows.
Packet unit	Measurement unit for packets.

Related commands

reset hwtacacs statistics

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address }

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address }

Default

The source IP address of an HWTACACS packet sent to the server is the primary IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

· The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses, including:

· Zero or one public-network source IPv4 address.

· Zero or one public-network source IPv6 address.

· Private-network source IP addresses.

Examples

# Specify IP address 129.10.10.1 as the source IP address for outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter its view, or enter the view of an existing HWTACACS scheme.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured for secure HWTACACS authentication, authorization, or accounting communication.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure HWTACACS accounting communication.

authentication: Specifies the shared key for secure HWTACACS authentication communication.

authorization: Specifies the shared key for secure HWTACACS authorization communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

Examples

# In HWTACACS scheme hwt1, set the shared key to 123456TESTauth&! in plaintext form for secure HWTACACS authentication communication.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the primary IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

· If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

· If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice, specify a loopback interface address as the source IP address for outgoing HWTACACS packets to avoid HWTACACS packet loss caused by physical port errors.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

· The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

· The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

· The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify only one source IPv4 address and one source IPv6 address for an HWTACACS scheme.

Examples

# In HWTACACS scheme hwt1, specify IP address 10.1.1.1 as the source address for outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo primary accounting

Default

No primary HWTACACS accounting server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· secondary accounting (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo primary authentication

Default

No primary HWTACACS authentication server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· secondary authentication (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to restore the default.

Syntax

primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo primary authorization

Default

No primary HWTACACS authorization server is specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· secondary authorization

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number ] * ]

Default

No secondary HWTACACS accounting servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· primary accounting (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number ]* ]

Default

No secondary HWTACACS authentication servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

Examples

# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· primary authentication (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection ] *

undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number ]* ]

Default

No secondary HWTACACS authorization servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 1 to 373 characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. If the HWTACACS server supports the single-connection method, H3C recommends that you specify this keyword to reduce TCP connections for improving system performance.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address and port number settings.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

· display hwtacacs scheme

· key (HWTACACS scheme view)

· primary authorization

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Number of users	Real-time accounting interval
1 to 99	3 minutes
100 to 499	6 minutes
500 to 999	12 minutes
1000 or more	15 minutes or longer

Examples

# In HWTACACS scheme hwt1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

The client timeout period of the associated access module cannot be shorter than the total response timeout timer of all HWTACACS authentication servers in the scheme. Any violation will result in user logoffs before the authentication process is complete.

Examples

# In HWTACACS scheme hwt1, set the HWTACACS server response timeout timer to 30 seconds.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of usernames to be sent to the HWTACACS servers of an HWTACACS scheme.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to the HWTACACS servers of an HWTACACS scheme.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the usernames to the HWTACACS servers as the usernames are entered.

with-domain: Includes the ISP domain name in the usernames sent to the HWTACACS servers.

without-domain: Excludes the ISP domain name from the usernames sent to the HWTACACS servers.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the usernames are sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

If the HWTACACS scheme is used for wireless users, specify the username format as keep-original. Otherwise, authentication of the wireless users might fail.

Examples

# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

LDAP commands

attribute-map

Use attribute-map to specify the LDAP attribute map in an LDAP scheme.

Use undo attribute-map to restore the default.

Syntax

attribute-map map-name

undo attribute-map

Default

An LDAP scheme does not use an LDAP attribute map.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

When the LDAP scheme used for authorization contains an LDAP attribute map, the device converts server-assigned LDAP attributes to device-recognizable AAA attributes based on the mapping entries.

You can specify only one LDAP attribute map in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

If you specify another attribute map or change the mapping entries, the new settings are effective only on the LDAP authorization that occurs after your operation.

Examples

# Specify LDAP attribute map map1 in LDAP scheme test.

<Sysname> system-view

[Sysname] ldap scheme test

[Sysname-ldap-test] attribute-map map1

Related commands

· display ldap-scheme

· ldap attribute-map

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to restore the default.

Syntax

authentication-server server-name

undo authentication-server

Default

No LDAP authentication server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

· display ldap scheme

· ldap server

authorization-server

Use authorization-server to specify the LDAP authorization server for an LDAP scheme.

Use undo authorization-server to restore the default.

Syntax

authorization-server server-name

undo authorization-server

Default

No LDAP authorization server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authorization server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authorization-server ccc

Related commands

· display ldap scheme

· ldap server

display ldap scheme

Use display ldap scheme to display LDAP scheme configuration.

Syntax

display ldap scheme [ ldap-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

------------------------------------------------------------------

LDAP scheme name : aaa

Authentication server : aaa

IP : 1.1.1.1

Port : 111

LDAP protocol version : LDAPv3

Server timeout interval : 10 seconds

Base DN : Not configured

Search scope : all-level

User searching parameters:

User object class : Not configured

Username attribute : cn

Username format : with-domain

Authorization server : aaa

IP : 1.1.1.1

Port : 111

LDAP protocol version : LDAPv3

Server timeout interval : 10 seconds

Base DN : Not configured

Search scope : all-level

User searching parameters:

User object class : Not configured

Username attribute : cn

Username format : with-domain

Attribute map : map1

------------------------------------------------------------------

Table 13 Command output

Field	Description
Authentication server	Name of the LDAP authentication server. If no server is configured, this field displays Not configured.
Authorization server	Name of the LDAP authorization server. If no server is configured, this field displays Not configured.
IP	IP address of the LDAP server. If no server is specified, this field displays Not configured.
Port	Port number of the server. If no port number is specified, this field displays the default port number.
LDAP protocol version	LDAP version, LDAPv2 or LDAPv3.
Server timeout interval	LDAP server timeout period, in seconds.
Login account DN	DN of the administrator.
Base DN	Base DN for user search.
Search scope	User DN search scope, including: · all-level—All subdirectories. · single-level—Next lower level of subdirectories under the base DN.
User searching parameters	User search parameters.
User object class	User object class for user DN search. If no user object class is configured, this field displays Not configured.
Username attribute	User account attribute for login.
Username format	Format for the usernames sent to the server.
Attribute map	LDAP attribute map used by the scheme. If no LDAP attribute map is used, this field displays Not configured.

ip

Use ip to configure the IP address of the LDAP server.

Use undo ip to restore the default.

Syntax

ip ip-address [ port port-number ]

undo ip

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number of LDAP server ccc as 192.168.0.10 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address of the LDAP server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ port port-number ]

undo ipv6

Default

An LDAP server does not have an IPv6 address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IPv6 address and port number of LDAP server ccc as 1:2::3:4 and 4300, respectively.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap attribute-map

Use ldap attribute-map to create an LDAP attribute map and enter its view, or enter the view of an existing LDAP attribute map.

Use undo ldap attribute-map to delete an LDAP attribute map.

Syntax

ldap attribute-map map-name

undo ldap attribute-map map-name

Default

No LDAP attribute maps exist.

Views

System view

Predefined user roles

network-admin

Parameters

map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute.

Examples

# Create an LDAP attribute map named map1 and enter LDAP attribute map view.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1]

Related commands

· attribute-map

· ldap scheme

· map

ldap scheme

Use ldap scheme to create an LDAP scheme and enter its view, or enter the view of an existing LDAP scheme.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

ldap-scheme-name: Specifies the LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server named ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to restore the default.

Syntax

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.

If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city for LDAP server ldap1.

<Sysname> system-view

[Sysname] ldap server ldap1

[Sysname-ldap-server-ldap1] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 128 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.

Usage guidelines

This command is effective only after the login-dn command is configured.

Examples

# Configure the administrator password as abcdefg in plaintext form for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

· display ldap scheme

· login-dn

map

Use map to configure a mapping entry in an LDAP attribute map.

Use undo map to delete the specified mapping entries from the LDAP attribute map.

Syntax

map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }

undo map [ ldap-attribute ldap-attribute-name ]

Default

An LDAP attribute map does not contain mapping entries.

Views

LDAP attribute map view

Predefined user roles

network-admin

Parameters

ldap-attribute ldap-attribute-name: Specifies an LDAP attribute by its name. The ldap-attribute-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix-value delimiter delimiter-value: Specifies a partial value string of the LDAP attribute for attribute mapping. The prefix-value argument represents the position where the partial string starts. The prefix is a case-insensitive string of 1 to 7 characters, such as cn=. The delimiter-value argument represents the position where the partial string ends, such as a comma (,). If you do not specify the prefix prefix-value delimiter delimiter-value option, the mapping entry uses the entire value string of the LDAP attribute.

aaa-attribute: Specifies an AAA attribute.

user-group: Specifies the user group attribute.

user-profile: Specifies the user profile attribute.

Usage guidelines

Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include important LDAP attributes that should not be ignored.

An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute.

If you do not specify an LDAP attribute for the undo map command, the command deletes all mapping entries from the LDAP attribute map.

Examples

# In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group

Related commands

· ldap attribute-map

· user-group

· user-profile

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

· display ldap scheme

· ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

· display ldap scheme

· ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default of an LDAP user attribute.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the usernames to be sent to the server. The with-domain keyword indicates that the usernames contain the domain name, and the without-domain keyword indicates that the usernames do not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the usernames on the LDAP server do not contain the domain name, specify the without-domain keyword. If the usernames contain the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

· display ldap scheme

· login-dn

ITA policy commands

accounting-level

Use accounting-level to specify a traffic level for ITA accounting.

Use undo accounting-level to remove the ITA accounting configuration for a traffic level.

Syntax

accounting-level level { ipv4 | ipv6 }

undo accounting-level [ level ]

Default

No traffic levels are specified for ITA accounting.

Views

ITA policy view

Predefined user roles

network-admin

Parameters

level: Specifies a traffic level in the range of 1 to 8.

ipv4: Counts the traffic as IPv4 traffic.

ipv6: Counts the traffic as IPv6 traffic.

Usage guidelines

By defining different traffic levels based on the destination addresses of users' traffic, you can use ITA to separate the traffic accounting statistics of different levels for each user.

Execute this command multiple times to specify multiple traffic levels for ITA accounting.

If you do not specify a level for the undo accounting-level command, this command removes the ITA accounting configuration for all traffic levels in the ITA policy.

Examples

# In ITA policy ita1, specify traffic levels 2 and 5, and count the level-2 traffic as IPv4 traffic and the level-5 traffic as IPv6 traffic.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] accounting-level 2 ipv4

[Sysname-ita-policy-ita1] accounting-level 5 ipv6

Related commands

ita policy

accounting-merge enable

Use accounting-merge enable to enable the accounting merge feature.

Use undo accounting-merge enable to disable the accounting merge feature.

Syntax

accounting-merge enable

undo accounting-merge enable

Default

The accounting merge feature is disabled.

Views

ITA policy view

Predefined user roles

network-admin

Usage guidelines

When accounting merge is enabled, the device merges accounting statistics for the ITA traffic of all levels in the ITA policy. It reports the traffic as the lowest level of the policy to the accounting server.

Examples

# Enable the accounting merge feature for ITA policy ita1.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] accounting-merge enable

Related commands

ita policy

accounting-method

Use accounting-method to configure the accounting method for an ITA policy.

Use undo accounting-method to restore the default.

Syntax

accounting-method { none | radius-scheme radius-scheme-name [ none ] }

undo accounting-method

Default

The default accounting method of an ITA policy is none.

Views

ITA policy view

Predefined user roles

network-admin

Parameters

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Use this command to configure accounting methods for an ITA policy. ITA accounting is separated from accounting of other services.

You can specify one primary accounting method and one backup accounting method for an ITA policy.

When the primary method is invalid, the device uses the backup method. For example, the accounting-method radius-scheme radius-scheme-name none command specifies RADIUS accounting as the primary method and no accounting as the backup method. The device performs RADIUS accounting by default and does not perform accounting when the RADIUS server is invalid.

Examples

# Specify RADIUS accounting scheme radius1 for ITA policy ita1.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] accounting radius-scheme radius1

Related commands

· ita policy

· radius scheme

ita policy

Use ita policy to create an ITA policy and enter its view, or enter the view of an existing ITA policy.

Use undo ita policy to delete an ITA policy.

Syntax

ita policy policy-name

undo ita policy policy-name

Default

No ITA policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the ITA policy name, a case-insensitive string of 1 to 31 characters.

Examples

# Create an ITA policy named ita1 and enter ITA policy view.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1]

traffic-quota-out

Use traffic-quota-out to configure access control for users that have used up their ITA data quotas.

Use undo traffic-quota-out to restore the default.

Syntax

traffic-quota-out { offline | online }

undo traffic-quota-out

Default

Users cannot access the authorized IP subnets after their ITA data quotas are used up.

Views

ITA policy view

Predefined user roles

network-admin

Parameters

offline: Prohibits users from accessing the authorized IP subnets after their ITA data quotas are used up.

online: Permits users to access the authorized IP subnets after their ITA data quotas are used up.

Examples

# In ITA policy ita1, prohibit users from accessing the authorized IP subnets after their ITA data quotas are used up.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] traffic-quota-out offline

Related commands

ita policy

traffic-separate

Use traffic-separate enable to exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

Use undo traffic-separate enable to include the amount of ITA traffic into the overall traffic statistics that are sent to the accounting server.

Syntax

traffic-separate enable

undo traffic-separate enable

Default

The amount of ITA traffic is included in the overall traffic statistics that are sent to the accounting server.

Views

ITA policy view

Predefined user roles

network-admin

Examples

# In ITA policy ita1, exclude the amount of ITA traffic from the overall traffic statistics that are sent to the accounting server.

<Sysname> system-view

[Sysname] ita policy ita1

[Sysname-ita-policy-ita1] traffic-separate enable

Related commands

ita policy

802.1X commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays 802.1X information for all radios on the specified AP.

Usage guidelines

If you do not specify the sessions or statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

If you do not specify the ap ap-name [ radio radio-id ] option, this command displays all 802.1X information.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

Global 802.1X parameters:

802.1X authentication : Enabled

CHAP authentication : Enabled

Max-tx period : 30 s

Handshake period : 15 s

Quiet timer : Disabled

Quiet period : 60 s

Supp timeout : 30 s

Server timeout : 100 s

Reauth period : 3600 s

Max auth requests : 2

EAD assistant function : Disabled

URL : http://www.dwsoft.com

Free IP : 6.6.6.0 255.255.255.0

EAD timeout : 30 min

Domain delimiter : @

Online 802.1X wired users : 1

Online 802.1X wireless users : 1

EAPOL packets: Tx 3, Rx 3

Sent EAP Request/Identity packets : 1

EAP Request/Challenge packets: 1

EAP Success packets: 1

EAP Failure packets: 0

Received EAPOL Start packets : 1

EAPOL LogOff packets: 1

EAP Response/Identity packets : 1

EAP Response/Challenge packets: 1

Error packets: 0

Online 802.1X users: 1

MAC address Auth state

0001-0000-0000 Authenticated

AP name: AP1 Radio ID: 1 SSID: wlan_dot1x_ssid

BSSID : 1111-1111-1111

802.1X authentication : Enabled

Handshake : Enabled

Handshake security : Disabled

Periodic reauth : Disabled

Mandatory auth domain : Not configured

Max online users : 4096

EAPOL packets: Tx 3, Rx 3

Sent EAP Request/Identity packets : 1

EAP Request/Challenge packets: 1

EAP Success packets: 1

EAP Failure packets: 0

Received EAPOL Start packets : 1

EAPOL LogOff packets: 1

EAP Response/Identity packets : 1

EAP Response/Challenge packets: 1

Error packets: 0

Online 802.1X users: 1

MAC address Auth state

0001-0000-0002 Authenticated

Table 14 Command output

Field	Description
Global 802.1X parameters	Global 802.1X configuration.
802.1X authentication	Whether 802.1X is enabled globally.
CHAP authentication	Performs EAP termination and uses CHAP to communicate with the RADIUS server. If EAP or PAP is enabled, this field is not available.
EAP authentication	Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. If CHAP or PAP is enabled, this field is not available.
PAP authentication	Performs EAP termination and uses PAP to communicate with the RADIUS server. If CHAP or EAP is enabled, this field is not available.
Max-tx period	Username request timeout timer in seconds.
Handshake period	Handshake timer in seconds.
Quiet timer	Status of the quiet timer, enabled or disabled.
Quiet period	Quiet timer in seconds.
Supp timeout	Client timeout timer in seconds.
Server timeout	Server timeout timer in seconds.
Reauth period	Periodic reauthentication timer in seconds.
Max auth requests	Maximum number of attempts for sending an authentication request to a client.
EAD assistant function	Whether EAD assistant is enabled.
URL	Redirect URL for unauthenticated users using a Web browser to access the network.
Free IP	Network segment accessible to unauthenticated users.
EAD timeout	EAD rule timer in minutes.
Domain delimiter	Domain delimiters supported by the device.
Online 802.1X wired users	Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.
Online 802.1X wireless users	Number of wireless online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.
EAPOL packets	Number of sent (Tx) and received (Rx) EAPOL packets.
Sent EAP Request/Identity packets	Number of sent EAP-Request/Identity packets.
EAP Request/Challenge packets	Number of sent EAP-Request/MD5-Challenge packets.
EAP Success packets	Number of sent EAP-Success packets.
EAP Failure packets	Number of sent EAP-Failure packets.
Received EAPOL Start packets	Number of received EAPOL-Start packets.
EAPOL LogOff packets	Number of received EAPOL-LogOff packets.
EAP Response/Identity packets	Number of received EAP-Response/Identity packets.
EAP Response/Challenge packets	Number of received EAP-Response/MD5-Challenge packets.
Error packets	Number of received error packets.
Online 802.1X users	Number of online 802.1X users on the service template, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.
MAC address	MAC addresses of the online 802.1X users.
Auth state	Authentication status of the online 802.1X users.
AP name	Name of the AP with which users are associated.
Radio ID	ID of the radio with which users are associated.
SSID	SSID with which users are associated.
BSSID	ID of the BSS with which users are associated.

display dot1x connection

Use display dot1x connection to display information about online 802.1X users.

Syntax

display dot1x connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name name-string ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays information about online 802.1X users that are connected to all radios on the specified AP.

slot slot-number: Specifies an IRF member device by its member ID.

user-mac mac-address: Specifies an 802.1X user by MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H.

user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters.

Usage guidelines

If you do not specify any parameters, this command displays information about all online 802.1X users.

Examples

# Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 1

Slot ID: 1

User MAC address : 0015-e9a6-7cfe

AP name : ap1

Radio ID : 1

SSID : wlan_dot1x_ssid

BSSID : 0015-e9a6-7cf0

User name : ias

Authentication domain : 1

IPv4 address : 192.168.1.1

IPv6 address : 2000:0:0:0:1:2345:6789:abcd

Authentication method : CHAP

Initial VLAN : 1

Authorization VLAN : N/A

Authorization ACL number : 3001

Authorization user profile : N/A

Termination action : Default

Session timeout period : 2 sec

Online from : 2013/03/02 13:14:15

Online duration : 0 h 2 m 15 s

Table 15 Command output

Field	Description
Total connections	Number of online 802.1X users.
Slot ID	Member ID of the device.
User MAC address	MAC address of the user.
AP name	Name of the AP with which the user is associated.
Radio ID	ID of the radio with which the user is associated.
SSID	SSID with which the user is associated.
BSSID	ID of the BSS with which the user is associated.
Authentication domain	ISP domain used for 802.1X authentication.
IPv4 address	IPv4 address of the user. If the device does not get the IPv4 address of the user, this field is not available.
IPv6 address	IPv6 address of the user. If the device does not get the IPv6 address of the user, this field is not available.
Authentication method	EAP message handling method: · CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server. · EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. · PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server.
Initial VLAN	VLAN to which the user belongs before 802.1X authentication.
Authorization VLAN	VLAN authorized to the user.
Authorization ACL number	ACL authorized to the user.
Authorization user profile	User profile authorized to the user.
Termination action	Action attribute assigned by the server when the session timeout timer expires: · Default—Logs off the online authenticated 802.1X user. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer. · Radius-request—Reauthenticates the online user when the session timeout timer expires, regardless of whether the periodic online reauthentication feature is enabled or not. If the device performs local authentication, this field displays N/A.
Session timeout period	Session timeout timer assigned by the server. If the device performs local authentication, this field displays N/A.
Online from	Time from which the 802.1X user came online.
Online duration	Online duration of the 802.1X user.

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The access device terminates or relays EAP packets.

· In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and the username and password EAP authentication initiated by an iNode client.

? PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security. To use PAP, the client can be an iNode 802.1X client.

? CHAP transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

· In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:

? Supports the EAP-Message and Message-Authenticator attributes.

? Uses the same EAP authentication method as the client.

If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands."

If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Predefined user roles

network-admin

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

Usage guidelines

Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users who use this sign as the domain name delimiter.

If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.

Examples

# Specify the at sign (@) and forward slash (/) as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @/

Related commands

display dot1x

dot1x ead-assistant enable

Use dot1x ead-assistant enable to enable the EAD assistant feature.

Use undo dot1x ead-assistant enable to disable the EAD assistant feature.

Syntax

dot1x ead-assistant enable

undo dot1x ead-assistant enable

Default

The EAD assistant feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The EAD assistant feature enables the access device to redirect a user seeking to access the network to download and install EAD client. This feature eliminates the tedious job of the administrator to deploy EAD clients.

The feature is mutually exclusive with MAC authentication. For EAD assistant to take effect on a service template, you must first disable MAC authentication on the service template.

To make the EAD assistant feature take effect on a service template, you must enable 802.1X on the service template.

Examples

# Enable the EAD assistant feature.

<Sysname> system-view

[Sysname] dot1x ead-assistant enable

Related commands

· display dot1x

· dot1x ead-assistant free-ip

· dot1x ead-assistant url

dot1x ead-assistant free-ip

Use dot1x ead-assistant free-ip to configure a free IP.

Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses.

Syntax

dot1x ead-assistant free-ip ip-address { mask-address | mask-length }

undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }

Default

No free IP is configured. Users cannot access any segments before they pass 802.1X authentication.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a freely accessible IP address segment, also called a free IP.

mask: Specifies an IP address mask.

mask-length: Specifies IP address mask length in the range of 1 to 32.

all: Removes all free IP addresses.

Usage guidelines

Execute this command multiple times to configure multiple free IPs.

With EAD assistant enabled on the device, unauthenticated 802.1X users can access the network resources in the free IP segments before they pass 802.1X authentication.

Examples

# Configure 192.168.1.1/16 as a free IP.

<Sysname> system-view

[Sysname] dot1x ead-assistant free-ip 192.168.1.1 255.255.0.0

Related commands

· display dot1x

· dot1x ead-assistant enable

· dot1x ead-assistant url

dot1x ead-assistant url

Use dot1x ead-assistant url to configure a redirect URL.

Use undo dot1x ead-assistant url to restore the default.

Syntax

dot1x ead-assistant url url-string

undo dot1x ead-assistant url

Default

No redirect URL is configured.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirect URL, a case-insensitive string of 1 to 64 characters in the format http://string.

Usage guidelines

When an unauthenticated user uses a Web browser to access networks other than the free IP, the device redirects the user to the redirect URL.

The redirect URL must be on the free IP subnet.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the redirect URL as http://test.com.

<Sysname> system-view

[Sysname] dot1x ead-assistant url http://test.com

Related commands

· display dot1x

· dot1x ead-assistant enable

· dot1x ead-assistant free-ip

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry retries

undo dot1x retry

Default

The maximum number of attempts is 2.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Sets the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.

Usage guidelines

The access device retransmits an authentication request to a client in any of the following situations:

· The device does not receive any responses from the client within the username request timeout timer. The timer is set by using the dot1x timer tx-period tx-period-value command for the EAP-Request/Identity packet.

· The device does not receive any responses from the client within the client timeout timer. The timer is set by using the dot1x timer supp-timeout supp-timeout-value command for the EAP-Request/MD5-Challenge packet.

The access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still received no response.

Examples

# Set the maximum number of attempts to 9 for sending an authentication request to a client.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

· display dot1x

· dot1x timer

dot1x timer

Use dot1x timer to set 802.1X timers.

Use undo dot1x timer to restore the defaults.

Syntax

dot1x timer { ead-timeout ead-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { ead-timeout | handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

Default

The following 802.1X timers apply:

· EAD rule timer: 30 minutes.

· Handshake timer: 15 seconds.

· Quiet timer: 60 seconds.

· Periodic reauthentication timer: 3600 seconds.

· Server timeout timer: 100 seconds.

· Client timeout timer: 30 seconds.

· Username request timeout timer: 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

ead-timeout ead-timeout-value: Sets the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.

handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.

quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.

reauth-period reauth-period-value: Sets the periodic reauthentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.

server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.

tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the tx-period-value argument is 1 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

· In a low-speed network, increase the client timeout timer.

· In a vulnerable network, set the quiet timer to a high value.

· In a high-performance network with quick authentication response, set the quiet timer to a low value.

· In a network with authentication servers of different performance, adjust the server timeout timer.

The periodic reauthentication timer does not take effect if the server has assigned a session timeout timer to the device.

The change to the periodic reauthentication timer applies to the users who have been online only after the old timer expires. Other timer changes take effect immediately on the device.

The network device uses the following 802.1X timers:

· EAD rule timer (EAD timeout)—Sets the lifetime of each EAD rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication within the timer, they must reconnect to the network to access the free IP.

· Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.

· Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.

· Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable periodic online user reauthentication on a service template, use the dot1x re-authenticate command.

· Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

· Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

· Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ ap ap-name [ radio radio-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears 802.1X statistics for all radios on the specified AP.

Usage guidelines

If you do not specify any parameters, this command clears all 802.1X statistics.

Examples

# Clear all 802.1X statistics.

<Sysname> reset dot1x statistics

Related commands

display dot1x

802.1X client commands

dot1x supplicant anonymous identify

Use dot1x supplicant anonymous identify to configure an 802.1X client anonymous identifier.

Use undo dot1x supplicant anonymous identify to restore the default.

Syntax

dot1x supplicant anonymous identify identifier

undo dot1x supplicant anonymous identify

Default

No 802.1X client anonymous identifier exists.

Views

AP provision view

Predefined user roles

network-admin

Parameters

identifier: Specifies an 802.1X client anonymous identifier, a case-sensitive string of 1 to 253 characters.

Usage guidelines

At the first authentication phase, packets sent to the authenticator are not encrypted. The use of an 802.1X client anonymous identifier prevents the 802.1X client username from being disclosed at the first phase. The 802.1X client-enabled device sends the anonymous identifier to the authenticator instead of the 802.1X client username. The 802.1X client username will be sent to the authenticator in encrypted packets at the second phase.

If no 802.1X client anonymous identifier is configured, the device sends the 802.1X client username at the first phase.

The configured 802.1X client anonymous identifier takes effect only if one of the following EAP authentication methods is used:

· PEAP-MSCHAPv2.

· PEAP-GTC.

· TTLS-MSCHAPv2.

· TTLS-GTC.

If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device still uses the 802.1X client username at the first phase.

Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.

Examples

# Configure the 802.1X client anonymous identifier as bbb for the AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant anonymous identify bbb

Related commands

· dot1x supplicant enable

· dot1x supplicant username

dot1x supplicant eap-method

Use dot1x supplicant eap-method to specify an 802.1X client EAP authentication method.

Use undo dot1x supplicant eap-method to restore the default.

Syntax

dot1x supplicant eap-method { md5 | peap-gtc | peap-mschapv2 | ttls-gtc | ttls-mschapv2 }

undo dot1x supplicant eap-method

Default

The MD5-Challenge authentication is used as the 802.1X client EAP authentication method.

Views

AP provision view

Predefined user roles

network-admin

Parameters

md5: Specifies the MD5-Challenge EAP authentication method.

peap-gtc: Specifies the PEAP-GTC EAP authentication method.

peap-mschapv2: Specifies the PEAP-MSCHAPv2 EAP authentication method.

ttls-gtc: Specifies the TTLS-GTC EAP authentication method.

ttls-mschapv2: Specifies the TTLS-MSCHAPv2 EAP authentication method.

Usage guidelines

Make sure the specified 802.1X client EAP authentication method is supported by the authentication server.

Examples

# Specify PEAP-GTC as the 802.1X client EAP authentication method for the AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant eap-method peap-gtc

Related commands

dot1x supplicant enable

Use dot1x supplicant enable to enable the 802.1X client feature.

Use undo dot1x supplicant enable to disable the 802.1X client feature.

Syntax

dot1x supplicant enable

undo dot1x supplicant enable

Default

The 802.1X client feature is disabled.

Views

AP provision view

Predefined user roles

network-admin

Usage guidelines

Make sure you have configured 802.1X authentication on the authenticator before you use this command.

If the 802.1X client-enabled AP has online clients, disabling the 802.1X client feature will log off all the online clients.

Examples

# Enable the 802.1X client feature for the AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant enable

dot1x supplicant password

Use dot1x supplicant password to set the 802.1X client password.

Use undo dot1x supplicant password to restore the default.

Syntax

dot1x supplicant password { cipher | simple } password

undo dot1x supplicant password

Default

No 802.1X client password exists.

Views

AP provision view

Predefined user roles

network-admin

Parameters

cipher: Specifies a ciphertext password.

simple: Specifies a plaintext password.

password: Specifies the password string. A plaintext password is a case-sensitive string of 1 to 127 characters. A ciphertext password is a case-sensitive string of 1 to 201 characters.

Examples

# Set the 802.1X client password to 123456 in plain text for the AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant password simple 123456

Related commands

dot1x supplicant enable

dot1x supplicant username

Use dot1x supplicant username to configure an 802.1X client username.

Use undo dot1x supplicant username to restore the default.

Syntax

dot1x supplicant username username

undo dot1x supplicant username

Default

No 802.1X client username exists.

Views

AP provision view

Predefined user roles

network-admin

Parameters

username: Specifies the 802.1X client username, a case-sensitive string of 1 to 253 characters.

Usage guidelines

802.1X client usernames can contain domain names. The supported domain name delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For more information about the domain name delimiters, see the dot1x domain-delimiter command.

Examples

# Configure the 802.1X client username as aaa for the AP ap1.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant username aaa

Related commands

· dot1x domain-delimiter

· dot1x supplicant enable

MAC authentication commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics. The output includes configuration information, MAC authentication statistics, and online user statistics.

Syntax

display mac-authentication [ ap ap-name [ radio radio-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays MAC authentication settings and statistics for all radios on the specified AP.

Usage guidelines

If you do not specify any parameters, this command displays all MAC authentication settings and statistics.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication

Global MAC authentication parameters:

MAC authentication : Enabled

User name format : MAC address in lowercase(xxxxxxxxxxxx)

Username : mac

Password : Not configured

Offline detect period : 300 s

Quiet period : 60 s

Server timeout : 100 s

Authentication domain : Not configured, use default domain

Online MAC-auth wired users : 0

Online MAC-auth wireless users : 1

Silent MAC users:

MAC address VLAN ID From port Port index

AP name: AP1 Radio ID: 1 SSID: wlan_maca_ssid

BSSID : 487a-daa0-74f0

MAC authentication : Enabled

Authentication domain : Not configured

Max online users : 4096

Authentication attempts : successful 1, failed 0

Current online users : 1

MAC address Auth state

2477-032b-db8c Authenticated

Table 16 Command output

Field	Description
MAC authentication	Whether MAC authentication is enabled globally.
User name format	User account type: MAC-based or shared. · If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xxxxxxxxxxxx) indicates that the MAC address is in the hexadecimal notation without hyphens, and letters are in lower case. · If a shared account is used, this field displays Fixed account.
Username	Username for MAC authentication. · If MAC-based accounts are used, this field displays mac. The device uses the MAC address of each user as the username and password for MAC authentication. · If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac.
Password	Password for MAC authentication. · If MAC-based accounts are used or if a shared account is used but no password is configured, this field displays Not configured. · If a shared account is used and a password is configured, this field displays a string of asterisks (******).
Offline detect period	Offline detect timer.
Quiet period	Quiet timer.
Server timeout	Server timeout timer.
Authentication domain	MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain.
Online MAC-auth wired users	Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
Online MAC-auth wireless users	Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
Silent MAC users	Information about silent MAC addresses.
MAC address	Silent MAC address.
VLAN ID	ID of the VLAN to which the silent MAC address belongs.
From port	Name of the port that marks the MAC address as a silent MAC address.
Port index	Index of the port that marks the MAC address as a silent MAC address.
AP name	Name of the AP with which users are associated.
Radio ID	ID of the radio with which users are associated.
SSID	SSID with which users are associated.
BSSID	ID of the BSS with which users are associated.

display mac-authentication connection

Use display mac-authentication connection to display information about online MAC authentication users.

Syntax

display mac-authentication connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify this option, the command displays information about all online MAC authentication users that are connected to the specified AP.

slot slot-number: Specifies an IRF member device by its member ID.

user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H.

user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name.

Usage guidelines

If you do not specify any parameters, this command displays information about all online MAC authentication users.

Examples

# Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

Slot ID: 1

User MAC address : 0015-e9a6-7cfe

AP name : ap1

Radio ID : 1

SSID : wlan_dot1x_ssid

BSSID : 0015-e9a6-7cf0

User name : ias

Authentication domain : 1

Initial VLAN : 1

Authorization VLAN : 100

Authorization ACL number : 3001

Authorization user profile : N/A

Authorization URL : N/A

Termination action : Radius-request

Session timeout period : 2 sec

Online from : 2016/06/02 13:14:15

Online duration : 0h 2m 15s

Table 17 Command output

Field	Description
Total connections	Total number of online MAC authentication users.
Slot ID	Member ID of the device.
User MAC address	MAC address of the user.
AP name	Name of the AP with which the user is associated.
Radio ID	ID of the radio with which the user is associated.
SSID	SSID with which the user is associated.
BSSID	ID of the BSS with which the user is associated.
Authentication domain	MAC authentication domain to which the user belongs.
Initial VLAN	VLAN that holds the user before MAC authentication.
Authorization VLAN	VLAN authorized to the user.
Authorization ACL number	This field is not supported in the current software version. ACL authorized to the user.
Authorization user profile	This field is not supported in the current software version. User profile authorized to the user.
Authorization URL	This field is not supported in the current software version. Redirect URL authorized to the user.
Termination action	Action attribute assigned by the server when the session timeout timer expires. The following server-assigned action attributes are available: · Default—Logs off the online authenticated user when the session timeout timer expires. · Radius-request—Reauthenticates the online user when the session timeout timer expires. If the device performs local authentication, this field displays N/A.
Session timeout period	Session timeout timer assigned by the server. If the device performs local authentication, this field displays N/A.
Online from	Time from which the MAC authentication user came online.
Online duration	Online duration of the MAC authentication user.

mac-authentication domain

Use mac-authentication domain to specify a global or service template-specific authentication domain.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

No authentication domain is specified for MAC authentication users. The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."

Views

System view

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.

Usage guidelines

A service template chooses an authentication domain for MAC authentication users in the following order:

1. Authentication domain specified on the service template.

2. Global authentication domain specified in system view.

3. Default authentication domain.

Examples

# Specify domain domain1 as the global MAC authentication domain.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

Related commands

· display mac-authentication

· domain default enable

mac-authentication timer server-timeout

Use mac-authentication timer server-timeout to set the server timeout timer for MAC authentication.

Use undo mac-authentication timer server-timeout to restore the default.

Syntax

mac-authentication timer server-timeout server-timeout-value

undo mac-authentication timer server-timeout

Default

The server timeout timer is 100 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

server-timeout-value: Sets the server timeout timer in the range of 100 to 300, in seconds.

Usage guidelines

The server timeout timer sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

Default

Each user's MAC address is used as the username and password for MAC authentication. A MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.

password: Specifies a password for the shared user account.

cipher: Specifies the password in encrypted form.

simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

mac-address: Uses MAC-based user accounts for MAC authentication users. You can also specify the format of username and password by using the following keywords:

· with-hyphen: Includes hyphens in the MAC address.

? six-section: Hyphenates the MAC address into six groups of two hexadecimal digits, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.

? three-section: Hyphenates the MAC address into three groups of four hexadecimal digits, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.

If you do not specify the six-section or three-section keyword, the MAC address is in six-section format.

· without-hyphen: Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.

· lowercase: Specifies letters in lower case.

· uppercase: Specifies letters in upper case.

Usage guidelines

If you specify the MAC-based user account, the device uses the MAC address of a user as the username and password for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as both the username and password.

If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.

Examples

# Configure a shared account for MAC authentication users, set the username to abc and password to plaintext string of xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Use MAC-based user accounts for MAC authentication users. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case.

<Sysname> system-view

[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase

Related commands

display mac-authentication

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

reset mac-authentication statistics [ ap ap-name [ radio radio-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears MAC authentication statistics for all radios on the specified AP.

Usage guidelines

If you do not specify any parameters, this command clears all MAC authentication statistics.

Examples

# Clear all MAC authentication statistics.

<Sysname> reset mac-authentication statistics

Related commands

display mac-authentication

Portal commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

aaa-fail nobinding enable

Use aaa-fail nobinding enable to enable AAA failure unbinding.

Use undo aaa-fail nobinding enable to restore the default.

Syntax

aaa-fail nobinding enable

undo aaa-fail nobinding enable

Default

AAA failure unbinding is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

If a portal user fails AAA in MAC-trigger authentication, the user cannot trigger authentication before the MAC-trigger entry of the user ages out. After the MAC-trigger entry ages out, the user triggers MAC-trigger authentication when it accesses the network.

After this feature is enabled, the device sets the MAC-trigger entry state for a user to unbound immediately after the user fails AAA in MAC-trigger authentication. Before the user's MAC-trigger entry ages out, the user can trigger normal portal authentication.

Examples

# Enable AAA failure unbinding for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aaa-fail nobinding enable

Related commands

display portal mac-trigger-server

aging-time

Use aging-time to set the aging time for MAC-trigger entries.

Use undo aging-time to restore the default.

Syntax

aging-time seconds

undo aging-time

Default

The aging time for MAC-trigger entries is 300 seconds.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.

Usage guidelines

With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:

· MAC address of the user

· Interface index

· VLAN ID

· Traffic statistics

· Aging timer

When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.

Examples

# Set the aging time to 300 seconds for MAC-trigger entries.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aging-time 300

Related commands

display portal mac-trigger-server

app-id

Use app-id to specify the APP ID for QQ authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

An APP ID for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the APP ID for QQ authentication.

Usage guidelines

This command is restricted to Hong Kong and Macao.

To use QQ authentication for portal users, you must go to the Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1. Register as a developer by using a valid QQ account.

2. Apply the access to the platform for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the APP ID and APP key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the APP ID, and the APP key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 101235509 as the APP ID for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-id 101235509

Related commands

display portal extend-auth-server

app-key

Use app-key to specify the APP key for QQ authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

An APP key for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the APP key in encrypted form.

simple: Specifies the APP key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

app-key: Specifies the APP key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

This command is restricted to Hong Kong and Macao.

To use QQ authentication for portal users, you must go to the Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1. Register as a developer by using a valid QQ account.

2. Apply the access to the platform for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the APP ID and APP key from the Tencent Open Platform after your application succeeds.

Examples

# Specify 8a5428e6afdc3e2a2843087fe73f1507 in plaintext form as the APP key for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-key simple 8a5428e6afdc3e2a2843087fe73f1507

Related commands

display portal extend-auth-server

authentication-timeout

Use authentication-timeout to set the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.

Use undo authentication-timeout to restore the default.

Syntax

authentication-timeout minutes

undo authentication-timeout

Default

The authentication timeout time is 3 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.

Usage guidelines

On receiving the MAC binding query response from the MAC binding server, the device starts the timeout timer for portal authentication.

If the user passes portal authentication before the timer expires, the device immediately deletes the MAC-trigger entry for the user. If the user does not pass portal authentication within the authentication timeout, the device deletes the MAC-trigger entry after the entry expires.

Examples

# Set the authentication timeout to 10 minutes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10

Related commands

display portal mac-trigger-server

auth-url

Use auth-url to specify the URL of the QQ authentication server.

Use undo auth-url to delete the URL of the QQ authentication server.

Syntax

auth-url url-string

undo auth-url

Default

The URL of QQ authentication server is https://graph.qq.com.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the QQ authentication server, a case-sensitive string of 1 to 256 characters. Make sure that you specify the actual URL of the QQ authentication server.

Usage guidelines

This command is restricted to Hong Kong and Macao.

Examples

# Specify http://oauth.qq.com as the URL of the QQ authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] auth-url http://oauth.qq.com

Related commands

display portal extend-auth-server

binding-retry

Use binding-retry to set the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.

Use undo binding-retry to restore the default.

Syntax

binding-retry { retries | interval interval } *

undo binding-retry

Default

The maximum number of query attempts is 3 and the query interval is 1 second.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.

interval interval: Specifies the query interval in the range of 1 to 60 seconds.

Usage guidelines

This command is restricted to Hong Kong and Macao.

If the device does not receive a response from the MAC binding server after the maximum number is reached, the device determines that the MAC binding server is unreachable. The device performs normal portal authentication for the user. The user needs to enter the username and password for authentication.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60

Related commands

display portal mac-trigger-server

captive-bypass enable

Use captive-bypass enable to enable the captive-bypass feature.

Use undo captive-bypass enable to disable the captive-bypass feature.

Syntax

captive-bypass [ android | ios [ optimize ] ] enable

undo captive-bypass [ android | ios [ optimize ] ] enable

Default

The captive-bypass feature is disabled. The device automatically pushes the portal authentication page to the iOS devices and some Android devices when they are connected to the network.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

android: Enables the captive-bypass feature for Android users.

ios: Enables the captive-bypass feature for iOS users.

optimize: Enables the optimized captive-bypass feature.

Usage guidelines

With this feature enabled, the device does not automatically push the portal authentication page to iOS devices and some Android devices when they are connected to the network. The device pushes the portal authentication page only when the user accesses the Internet by using a browser or other methods.

The optimized captive-bypass feature applies only to iOS mobile clients. The device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can perform authentication on the page or press the home button to return to the desktop without performing authentication, and the Wi-Fi connection is not terminated.

You can repeat this command to enable the captive-bypass feature for both Android and iOS users.

If you do not specify any parameters, this command enables the captive-bypass feature for both Android and iOS users.

Examples

# Enable the captive-bypass feature.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass enable

# Enable the optimized captive-bypass feature for iOS users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass ios optimize enable

# Enable the captive-bypass feature for Android users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass android enable

Related commands

· display portal web-server

· display portal captive-bypass statistics

default-logon-page

Use default-logon-page to specify the default authentication page file for the local portal Web server.

Use undo default-logon-page to restore the default.

Syntax

default-logon-page filename

undo default-logon-page

Default

No default authentication page file is specified for the local portal Web server.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

filename: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).

Usage guidelines

You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.

For successful local portal authentication, you must specify the default portal authentication page file for the local portal Web server.

Examples

# Specify the file pagefile1.zip as the default authentication page file for local portal authentication.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip

Related commands

portal local-web-server

display portal

Use display portal to display portal configuration and portal running state.

Syntax

display portal { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays portal configuration and portal running state for all radios of the AP.

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display portal configuration and portal running state on AP ap1.

<Sysname> display portal ap ap1

Portal information of ap1

Radio ID: 1

SSID: portal

Authorization : Strict checking

ACL : Disable

User profile : Disable

IPv4:

Portal status: Enabled

Portal authentication method: Direct

Portal Web server: wbs(active)

Secondary portal Web server: wbs sec

Portal mac-trigger-server: mts

Authentication domain: my-domain

Extend-auth domain: def

User-dhcp-only: Enabled

Max portal users: 1024

Bas-ip: 2.2.2.2

Action for sever detection:

Server type Server name Action

Web server wbs fail-permit

Portal server pts fail-permit

Destination authentication subnet:

IP address Mask

2.2.2.2 255.255.0.0

IPv6:

Portal status: Enabled

Portal authentication method: Direct

Portal Web server: wbsv6(active)

Secondary portal Web server: Not configured

Authentication domain: my-domain

Extend-auth domain: Not configured

User-dhcp-only: Disabled

Max portal users: 512

Bas-ipv6: 2000::1

Action for sever detection:

Server type Server name Action

Web server wbsv6 fail-permit

Portal server ptsv6 fail-permit

Destination authentication subnet:

IP address Prefix length

3000::1 64

# Display portal configuration and portal running state on VLAN-interface 30.

<Sysname> display portal interface Vlan-interface 30

Portal information of Vlan-interface30

NAS-ID profile: Not configured

Authorization : Strict checking

ACL : Disable

User profile : Disable

IPv4:

Portal status: Enabled

Portal authentication method: Direct

Portal Web server: pt

Secondary portal Web server: wbs sec(active)

Authentication domain: test

Pre-auth domain: Not configured

User-dhcp-only: Disabled

Pre-auth IP pool: Not configured

Max portal users: Not configured

Bas-ip: Not configured

User detection: Not configured

Portal temp-pass: Enabled Period: 30s

Action for server detection:

Server type Server name Action

-- -- --

Layer3 source network:

IP address Mask

Destination authentication subnet:

IP address Mask

IPv6:

Portal status: Disabled

Portal authentication method: Disabled

Portal Web server: Not configured

Secondary portal Web server: Not configured

Authentication domain: Not configured

Pre-auth domain: Not configured

User-dhcp-only: Disabled

Pre-auth IP pool: Not configured

Max portal users: Not configured

Bas-ipv6: Not configured

User detection: Not configured

Portal temp-pass: Disabled

Action for server detection:

Server type Server name Action

-- -- --

Layer3 source network:

IP address Prefix length

Destination authentication subnet:

IP address Prefix length

Table 18 Command output

Field	Description
Portal information of interface	Portal configuration on the interface.
Radio ID	ID of the radio.
SSID	Service set identifier.
NAS-ID profile	NAS-ID profile on the interface.
Authorization	Authorization information type: · ACL · User profile
Strict checking	Whether strict checking is enabled on portal authorization information.
IPv4	IPv4 portal configuration.
IPv6	IPv6 portal configuration.
Portal status	Portal authentication status on the interface: · Disabled—Portal authentication is disabled. · Enabled—Portal authentication is enabled. · Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.
Portal authentication method	Authentication mode enabled on the interface. This field displays Direct if direct authentication is enabled.
Portal Web server	Name of the primary portal Web server specified on the interface. This field displays the (active) flag next to the server name if the server is being used.
Secondary portal Web server		Name of the backup portal Web server specified on the interface. This field displays the (active) flag next to the server name if the server is being used.
Portal mac-trigger-server	Name of the MAC binding server specified on the interface.
Authentication domain	Mandatory authentication domain on the interface.
Pre-auth domain	Preauthentication domain for portal users on the interface.
Extend-auth domain		Authentication domain configured for third-party authentication on an interface or service template.
User-dhcp-only	Status of the user-dhcp-only feature: · Enabled: Only users with IP addresses obtained through DHCP can perform portal authentication. · Disabled: Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online.
Pre-auth ip-pool	Name of the IP address pool specified for portal users before authentication.
Max portal users	Maximum number of portal users allowed on an interface.
Bas-ip	BAS-IP attribute of the portal packets sent to the portal authentication server.
Bas-ipv6	BAS-IPv6 attribute of the portal packets sent to the portal authentication server.
User detection	Configuration for online detection of portal users on the interface, including detection method (ARP, ICMP, ND, or ICMPv6), detection interval, maximum number of detection attempts, and user idle time.
Portal temp-pass		Status of the temporary pass feature: · Enabled—The temporary pass feature is enabled. · Disabled—The temporary pass feature is disabled. · Period—Temporary pass period during which a user can access the Internet temporarily. This field is displayed only if the temporary pass feature is enabled.
Action for server detection	Portal server detection configuration on the interface: · Server type—Type of the server. Portal server represents the portal authentication server, and Web server represents the portal Web server. · Server name—Name of the server. · Action—Action triggered by the result of server detection. This field displays fail-permit when the portal fail-permit feature is enabled.
Layer3 source subnet	Information of the portal authentication source subnet.
Destination authentication subnet	Information of the portal authentication destination subnet.
IP address	IP address of the portal authentication subnet.
Mask	Subnet mask of the portal authentication subnet.
Prefix length	Prefix length of the IPv6 portal authentication subnet address.

display portal auth-error-record

Use display portal auth-error-record to display portal authentication error records.

Syntax

display portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2100. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Examples

# Display all portal authentication error records.

<Sysname> display portal auth-error-record all

Total authentication error records: 2

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth error time : 2016-03-04 16:49:07

Auth error reason : The maximum number of users already reached.

User MAC : 0016-ecb7-a235

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.10

AP : ap1

SSID : byod

Auth error time : 2016-03-04 16:51:07

Auth error reason : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv4 address is 192.168.0.188.

<Sysname> display portal auth-error-record ip 192.168.0.188

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth error time : 2016-03-04 16:49:07

Auth error reason : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-error-record ipv6 2000::2

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 2000::2

AP : ap1

SSID : byod

Auth error time : 2016-03-04 16:49:07

Auth error reason : The maximum number of users already reached.

# Display portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth error time : 2016-03-04 14:22:25

Auth error reason : The maximum number of users already reached.

Table 19 Command output

Field	Description
Total authentication error records	Total number of portal authentication error records.
User MAC	MAC address of the portal user.
Interface	Access interface of the portal user.
User IP address	IP address of the portal user.
AP	AP name.
SSID	Service set identifier.
Auth error time	Time when the portal user encountered an authentication error, in the format of YYYY-MM-DD hh:mm:ss.
Auth error reason	Reason for the authentication error: · The maximum number of users already reached. · Failed to obtain user physical information. · Failed to receive the packet because packet length is 0. · Packet source unknown. Server IP:X.X.X.X, VRF index:0. · Packet validity check failed because packet length and version don't match. · Packet type invalid. · Packet validity check failed due to invalid authenticator. · Memory insufficient. · Portal is disabled on the interface. · The maximum number of users on the interface already reached. · Failed to get the access token of the cloud user. · Failed to get the user information of the cloud user. · Failed to get the access token of the QQ user. · Failed to get the openID of the QQ user. · Failed to get the user information of the QQ user. · Email authentication failed.

Related commands

· portal auth-error-record enable

· reset auth-error-record

display portal auth-fail-record

Use display portal auth-fail-record to display portal authentication failure records.

Syntax

display portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Display all portal authentication failure records.

<Sysname> display portal auth-fail-record all

Total authentication fail records: 2

User name : test@abc

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth failure time : 2016-03-04 16:49:07

Auth failure reason : Authorization information does not exist.

User name : coco

User MAC : 0016-ecb7-a235

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.10

AP : ap1

SSID : byod

Auth failure time : 2016-03-04 16:50:07

Auth failure reason : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv4 address is 192.168.0.8.

<Sysname> display portal auth-fail-record ip 192.168.0.188

User name : test@abc

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth failure time : 2016-03-04 16:49:07

Auth failure reason : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-fail-record ipv6 2000::2

User name : test@abc

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 2000::2

AP : ap1

SSID : byod

Auth failure time : 2016-03-04 16:49:07

Auth failure reason : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose username is chap1.

<Sysname> display portal auth-fail-record username chap1

User name : chap1

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth failure time : 2016-03-04 16:49:07

Auth failure reason : Authorization information does not exist.

# Display portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name : chap1

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.188

AP : ap1

SSID : byod

Auth failure time : 2016-03-04 14:22:25

Auth failure reason : Authorization information does not exist.

Table 20 Command output

Field	Description
Total authentication fail records	Total number of portal authentication failure records.
User name	Username of the portal user.
User MAC	MAC address of the portal user.
Interface	Access interface of the portal user.
User IP address	IP address of the portal user.
AP	AP name.
SSID	Service set identifier.
Auth failure time	Time when the portal user failed authentication, in the format of YYYY/MM/DD hh:mm:ss.
Auth failure reason	Reason why the user failed portal authentication.

Related commands

· portal auth-fail-record enable

· reset portal auth-fail-record

display portal captive-bypass statistics

Use display portal captive-bypass statistics to display packet statistics for portal captive-bypass.

Syntax

display portal captive-bypass statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays portal captive-bypass packet statistics for all cards.

Examples

# Display portal captive-bypass packets on slot 1.

<Sysname> display portal captive-bypass statistics slot 1

Slot 1:

User type Packets

iOS : 1

Android : 0

Table 21 Command output

Field	Description
User type	Type of users: · iOS. · Android.
Packets	Number of portal captive-bypass packets sent to the users.

Field

Description

User type

Type of users:

· iOS.

· Android.

Packets

Number of portal captive-bypass packets sent to the users.

Related commands

captive-bypass enable

display portal dns free-rule-host

Use display portal dns free-rule-host to display IP addresses corresponding to host names in destination-based portal-free rules.

Syntax

display portal dns free-rule-host [ host-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. Valid characters include letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*). The host name cannot be ip or ipv6. If you do not specify a host name, this command displays IP addresses corresponding to all host names in destination-based portal-free rules.

Examples

# Display IP addresses corresponding to host name www.baidu.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host www.baidu.com

Host name IP

www.baidu.com 10.10.10.10

# Display IP addresses corresponding to host name *abc.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host *abc.com

Host name IP

*abc.com 12.12.12.12

111.8.33.100

3.3.3.3

Table 22 Command output

Field	Description
Host name	Host name specified in a destination-based portal-free rule.
IP	IP addresses corresponding to the host name.

display portal extend-auth-server

Use display portal extend-auth-server to display information about third-party authentication servers.

Syntax

display portal extend-auth-server { all | qq | mail }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all third-party authentication servers.

qq: Specifies the QQ authentication server.

mail: Specifies the email authentication server.

Usage guidelines

This command is restricted to Hong Kong and Macao.

Examples

# Display information about all third-party authentication servers.

<Sysname> display portal extend-auth-server all

Portal extend-auth-server: qq

Authentication URL : http://graph.qq.com

APP ID : 101235509

APP key : ******

Redirect URL : http://h3crd-lvzhou3.chinacloudapp.cn/portal/qqlogin.html

Portal extend-auth-server: mail

Mail protocol : POP3

Mail domain name : @qq.com

Table 23 Command output

Field	Description
Portal extend-auth-server	Type of the third-party authentication server.
Authentication URL	URL of the QQ authentication server.
APP ID	APP ID for QQ authentication.
APP key	APP key for QQ authentication.
Redirect URL	Redirection URL for QQ authentication success.
Mail protocol	Protocols of the email authentication service.
Mail domain name	Email domain name of the email authentication service.

Related commands

portal extend-auth-server

display portal local-binding mac-address

Use display portal local-binding mac-address to display information about local MAC-account binding entries.

Syntax

display portal local-binding mac-address { mac-address | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Display information about all local MAC-account binding entries.

<Sysname> display portal local-binding mac-address all

Total MAC addresses: 5

MAC address Username Aging(hh:mm:ss)

0015-e9a6-7cfe wlan_user1 00:41:38

0000-e27c-6e80 wlan_user2 00:41:38

000f-e212-ff01 wlan_user3 00:41:38

001c-f08f-f804 wlan_user4 00:41:38

000f-e233-9000 wlan_user5 00:41:38

# Display information about the local MAC-account binding entry for the user with MAC address 0015-e9a6-7cfe.

<Sysname> display portal local-binding mac-address 0015-e9a6-7cfe

Total MAC addresses: 1

MAC address Username Aging(hh:mm:ss)

0015-e9a6-7cfe wlan_user1 00:41:38

Table 24 Command output

Field	Description
MAC address	MAC address of a portal user.
Username	Username of a portal user.
Aging	Remaining lifetime of the local MAC-account binding entry.

Related commands

local-binding enable

display portal logout-record

Use display portal logout-record to display portal user offline records.

Syntax

display portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Display all portal user offline records.

<Sysname> display portal logout-record all

Total logout records: 2

User name : test@abc

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.8

AP : ap1

SSID : byod

User login time : 2016-03-04 14:20:19

User logout time : 2016-03-04 14:22:05

Logout reason : Admin Reset

User name : coco

User MAC : 0016-ecb7-a235

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.10

AP : ap1

SSID : byod

User login time : 2016-03-04 14:10:15

User offline time : 2016-03-04 14:22:05

Offline reason : Admin Reset

# Display offline records for the portal user whose IP address is 192.168.0.8.

<Sysname> display portal logout-record ip 192.168.0.8

User name : test@abc

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.8

AP : ap1

SSID : byod

User login time : 2016-03-04 14:26:12

User logout time : 2016-03-04 14:27:35

Logout reason : Admin Reset

# Display offline records for the portal user whose username is chap1.

<Sysname> display portal logout-record username chap1

User name : chap1

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.8

AP : ap1

SSID : byod

User login time : 2016-03-04 17:20:19

User logout time : 2016-03-04 17:22:05

Logout reason : Admin Reset

# Display portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name : test@abc

User MAC : 0016-ecb7-a879

Interface : WLAN-BSS1/0/1

User IP address : 192.168.0.8

AP : ap1

SSID : byod

User login time : 2016-03-04 14:20:19

User logout time : 2016-03-04 14:22:05

Logout reason : Admin Reset

Table 25 Command output

Field	Description
Total logout records	Total number of portal user offline records.
User name	Username of the portal user.
User MAC	MAC address of the portal user.
Interface	Access interface of the portal user.
User IP address	IP address of the portal user.
AP	AP name.
SSID	Service set identifier.
User login time	Time when the portal user came online, in the format of YYYY-MM-DD hh:mm:ss.
User logout time	Time when the portal user went offline, in the format of YYYY-MM-DD hh:mm:ss.
Logout reason	Reason why the portal user went offline: · User Request. · Carrier Lost. · Service Lost. · Admin Reset. · NAS Request. · Idle Timeout. · Port Suspended. · Port Error. · Admin Reboot. · Session Timeout. · User Error. · Service Unavailable. · NAS Error. · Other Errors.

Related commands

· portal logout-record enable

· reset portal logout-record

display portal mac-trigger-server

Use display portal mac-trigger-server to display information about MAC binding servers.

Syntax

display portal mac-trigger-server { all | name server-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC binding servers.

name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Examples

# Display information about all MAC binding servers.

<Sysname> display portal mac-trigger-server all

Portal mac-trigger server: ms1

Version : 2.0

Server type : CMCC

IP : 10.1.1.1

Port : 100

VPN instance : vpn1

Aging time : 120 seconds

Free-traffic threshold : 1000 bytes

NAS-Port-Type : 255

Binding retry times : 5

Binding retry interval : 2 seconds

Authentication timeout : 5 minutes

Excluded attribute list : 1

Local-binding : Disabled

Local-binding aging time : 12 hours

AAA-fail nobinding : Disabled

Portal mac-trigger server: mts

Version : 1.0

Server type : IMC

IP : 4.4.4.2

Port : 50100

VPN instance : Not configured

Aging time : 300 seconds

Free-traffic threshold : 0 bytes

NAS-Port-Type : Not configured

Binding retry times : 3

Binding retry interval : 1 seconds

Authentication timeout : 3 minutes

Excluded attribute list : 1

Local-binding : Disabled

Local-binding aging-time : 12 hours

AAA-fail nobinding : Disabled

# Display information about MAC binding server ms1.

<Sysname> display portal mac-trigger-server name ms1

Portal mac-trigger server: ms1

Version : 2.0

Server type : CMCC

IP : 10.1.1.1

Port : 100

VPN instance : vpn1

Aging time : 120 seconds

Free-traffic threshold : 1000 bytes

NAS-Port-Type : 255

Binding retry times : 5

Binding retry interval : 2 seconds

Authentication timeout : 5 minutes

Excluded attribute list : 1

Local-binding : Disabled

Local-binding aging-time : 12 hours

AAA-fail nobinding : Disabled

Table 26 Command output

Field	Description
Portal mac-trigger-server	Name of the MAC binding server.
Version	Version of the portal protocol: · 1.0—Version 1. · 2.0—Version 2. · 3.0—Version 3.
Server type	Type of the MAC binding server: · CMCC—CMCC server. · IMC—H3C IMC server or H3C CAMS server.
IP	IP address of the MAC binding server.
Port	UDP port number on which the MAC binding server listens for MAC binding query packets.
VPN instance	VPN where the MAC binding server resides. Support for this field depends on the device model.
Aging time	Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires.
Free-traffic threshold	Free-traffic threshold in bytes. If a user's traffic is below the threshold, the user can access the network without authentication.
NAS-Port-Type	NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server.
Binding retry times	Maximum number of attempts for sending MAC binding queries to the MAC binding server.
Binding retry interval	Interval at which the device sends MAC binding queries to the MAC binding server.
Authentication timeout	Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.
Excluded attribute list	Numbers of attributes excluded from portal protocol packets.
Local-binding	Status of local MAC-trigger authentication: · Disabled. · Enabled.
Local-binding aging-time	Aging time for local MAC-account binding entries, in hours.
AAA-fail nobinding	Status of the AAA failure unbinding feature: · Disabled. · Enabled.

display portal packet statistics

Use display portal packet statistics to display packet statistics for portal authentication servers and MAC binding servers.

Syntax

display portal packet statistics [ extend-auth-server { cloud | mail | qq | wechat } | mac-trigger-server server-name | server server-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

extend-auth-server: Specifies a third-party authentication server. This keyword is restricted to Hong Kong and Macao.

cloud: Specifies the lvzhou cloud authentication server. This keyword is restricted to Hong Kong and Macao.

mail: Specifies the email authentication server. This keyword is restricted to Hong Kong and Macao.

qq: Specifies the QQ authentication server. This keyword is restricted to Hong Kong and Macao.

wechat: Specifies the WeChat authentication server. This keyword is restricted to Hong Kong and Macao.

mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays packet statistics for all third-party authentication servers, portal authentication servers, and MAC binding servers.

Examples

# Display packet statistics for portal authentication server pts.

<Sysname> display portal packet statistics server pts

Portal server : pts

Invalid packets: 0

Pkt-Type Total Drops Errors

REQ_CHALLENGE 3 0 0

ACK_CHALLENGE 3 0 0

REQ_AUTH 3 0 0

ACK_AUTH 3 0 0

REQ_LOGOUT 1 0 0

ACK_LOGOUT 1 0 0

AFF_ACK_AUTH 3 0 0

NTF_LOGOUT 1 0 0

REQ_INFO 6 0 0

ACK_INFO 6 0 0

NTF_USERDISCOVER 0 0 0

NTF_USERIPCHANGE 0 0 0

AFF_NTF_USERIPCHAN 0 0 0

ACK_NTF_LOGOUT 1 0 0

NTF_HEARTBEAT 0 0 0

NTF_USER_HEARTBEAT 2 0 0

ACK_NTF_USER_HEARTBEAT 0 0 0

NTF_CHALLENGE 0 0 0

NTF_USER_NOTIFY 0 0 0

AFF_NTF_USER_NOTIFY 0 0 0

# Display packet statistics for MAC binding server newpt.

<Sysname> display portal packet statistics mac-trigger-server newpt

MAC-trigger server: newpt

Invalid packets: 0

Pkt-Type Total Drops Errors

REQ_MACBIND 1 0 0

ACK_MACBIND 1 0 0

NTF_MTUSER_LOGON 1 0 0

NTF_MTUSER_LOGOUT 0 0 0

REQ_MTUSER_OFFLINE 0 0 0

# Display packet statistics for the lvzhou cloud authentication server.

<Sysname> display portal packet statistics extend-auth-server cloud

Extend-auth server: cloud

Update interval: 60s

Pkt-Type Success Error Timeout Conn-failure

REQ_ACCESSTOKEN 1 0 0 0

REQ_USERINFO 1 0 0 0

RESP_ACCESSTOKEN 1 0 0 0

RESP_USERINFO 1 0 0 0

POST_ONLINEDATA 0 0 0 0

RESP_ONLINEDATA 0 0 0 0

POST_OFFLINEUSER 1 0 0 0

AUTHENTICATION 0 1 0 0

Table 27 Command output

Field	Description
Portal server	Name of the portal authentication server.
Invalid packets	Number of invalid packets.
Pkt-Type	Packet type.
Total	Total number of packets.
Drops	Number of dropped packets.
Errors	Number of erroneous packets.
REQ_CHALLENGE	Challenge request packet the portal authentication server sent to the access device.
ACK_CHALLENGE	Challenge acknowledgment packet the access device sent to the portal authentication server.
REQ_AUTH	Authentication request packet the portal authentication server sent to the access device.
ACK_AUTH	Authentication acknowledgment packet the access device sent to the portal authentication server.
REQ_LOGOUT	Logout request packet the portal authentication server sent to the access device.
ACK_LOGOUT	Logout acknowledgment packet the access device sent to the portal authentication server.
AFF_ACK_AUTH	Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet.
NTF_LOGOUT	Forced logout notification packet the access device sent to the portal authentication server.
REQ_INFO	Information request packet.
ACK_INFO	Information acknowledgment packet.
NTF_USERDISCOVER	User discovery notification packet the portal authentication server sent to the access device.
NTF_USERIPCHANGE	User IP change notification packet the access device sent to the portal authentication server.
AFF_NTF_USERIPCHAN	User IP change success notification packet the portal authentication server sent to the access device.
ACK_NTF_LOGOUT	Forced logout acknowledgment packet the portal authentication server sent to the access device.
NTF_HEARTBEAT	Server heartbeat packet the portal authentication server periodically sent to the access device.
NTF_USER_HEARTBEAT	User synchronization packet the portal authentication server sent to the access device.
ACK_NTF_USER_HEARTBEAT	User synchronization acknowledgment packet the access device sent to the portal authentication server.
NTF_CHALLENGE	Challenge request packet the access device sent to the portal authentication server.
NTF_USER_NOTIFY	User information notification packet the access device sent to the portal authentication server.
AFF_NTF_USER_NOTIFY	NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.
MAC-trigger server	Name of the MAC binding server.
REQ_MACBIND	MAC binding request packet the access device sent to the MAC binding server.
ACK_MACBIND	MAC binding acknowledgment packet the MAC binding server sent to the access device.
NTF_MTUSER_LOGON	User logon notification packet the access device sent to the MAC binding server.
NTF_MTUSER_LOGOUT	User logout notification packet the access device sent to the MAC binding server.
REQ_MTUSER_OFFLINE	User offline request packet that the MAC binding server sent to the access device for forcible logout of a user.
Extend-auth server	Type of the third-party authentication server: · qq—QQ authentication server. · mail—Email authentication server. · wechat—WeChat authentication server. · cloud—Lvzhou cloud authentication server.
Update interval	Interval at which the device sends online user information to the lvzhou cloud server, in seconds. This field is displayed if the third-party authentication server is the lvzhou cloud authentication server.
Success	Number of packets that have been successfully sent or received.
Timeout	Number of packets that timed out of establishing a connection to the third-party authentication server.
Conn-failure	Number of packets that failed to establish a connection to the third-party authentication server.
Deny	Number of packets denied access to the third-party authentication server. This field is displayed if the third-party authentication server is the email authentication server.
REQ_ACCESSTOKEN	Access token request packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is QQ, lvzhou cloud, or WeChat authentication server.
REQ_OPENID	Open ID request packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is the QQ authentication server.
REQ_USERINFO	User information request packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is the QQ, lvzhou cloud, or WeChat authentication server.
RESP_ACCESSTOKEN	Access token response packets the access device received from the third-party authentication server. This field is displayed if the third-party authentication server is the QQ, lvzhou cloud, or WeChat authentication server.
RESP_OPNEID	Open ID response packets the access device received from the third-party authentication server. This field is displayed if the third-party authentication server is the QQ authentication server.
RESP_USERINFO	User information response packets the access device received from the third-party authentication server. This field is displayed if the third-party authentication server is the QQ, lvzhou cloud, or WeChat authentication server.
REQ_POP3	POP3 authentication request packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is the email authentication server.
REQ_IMAP	IMAP authentication request packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is the email authentication server.
POST_ONLINEDATA	Cloud user information request packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is the lvzhou cloud authentication server.
RESP_ONLINEDATA	Cloud user information response packets the access device received from the third-party authentication server. This field is displayed if the third-party authentication server is the lvzhou cloud authentication server.
POST_OFFLINEUSER	Cloud user offline packets the access device sent to the third-party authentication server. This field is displayed if the third-party authentication server is the lvzhou cloud or WeChat authentication server.
AUTHENTICATION	Result of third-party authentication.

Related commands

reset portal packet statistics

display portal permit-rule statistics

Use display portal permit-rule statistics to display statistics for portal permit rules.

Syntax

display portal permit-rule statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Portal permit rules refer to category 1 and category 2 portal filtering rules, which permit user packets to pass.

Examples

# Display statistics for portal permit rules.

<Sysname> display portal permit-rule statistics

Interface Free rules Fuzzy rules User rules

WLAN-BSS1/0/1 2 5 10

WLAN-BSS2/0/1 2 3 6

Table 28 Command output

Field	Description
Interface	Interface on which portal permit rules are used.
Free rules	Number of permit rules generated based on configured portal-free rules, excluding permit rules generated based on fuzzy matches of destination-based portal-free rules.
Fuzzy rules	Number of permit rules generated based on fuzzy matches of destination-based portal-free rules.
User rules	Number of permit rules generated after portal users pass authentication.

display portal redirect statistics

Use display portal redirect statistics to display portal redirect packet statistics.

Syntax

display portal redirect statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal redirect packet statistics for all member devices.

Examples

# Display portal redirect packet statistics on the specified slot.

<Sysname> display portal redirect statistics slot 1

Slot 1:

HttpReq: 3

HttpResp: 3

HttpsReq: 6

HttpsResp: 6

Table 29 Command output

Field	Description
HttpReq	Total number of HTTP redirect requests.
HttpResp	Total number of HTTP redirect responses.
HttpsReq	Total number of HTTPS redirect requests.
HttpsResp	Total number of HTTPS redirect responses.

Related commands

reset portal redirect statistics

display portal rule

Use display portal rule to display portal filtering rules.

Syntax

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all portal filtering rules, including dynamic and static portal filtering rules.

dynamic: Displays dynamic portal filtering rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.

static: Displays static portal filtering rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays portal filtering rules for all radios of the AP.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal filtering rules for all member devices.

Examples

# Display all portal filtering rules on VLAN-interface 100.

<Sysname> display portal rule all interface vlan-interface 100

IPv4 portal rules on Vlan-interface100:

Rule 1

Type : Static

Action : Permit

Protocol : Any

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : Any

MAC : 0000-0000-0000

Interface : Vlan-interface100

VLAN : 100

Destination:

IP : 192.168.0.111

Mask : 255.255.255.255

Port : Any

Rule 2

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 2.2.2.2

MAC : 000d-88f8-0eab

Interface : Vlan-interface100

VLAN : 100

Author ACL:

Number : 3001

Rule 3

Type : Static

Action : Redirect

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Interface : Vlan-interface100

VLAN : 100

Protocol : TCP

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : 80

Rule 4:

Type : Static

Action : Deny

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Interface : Vlan-interface100

VLAN : Any

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

IPv6 portal rules on Vlan-interface100:

Rule 1

Type : Static

Action : Permit

Protocol : Any

Status : Active

Source:

IP : ::

Prefix length : 0

Port : Any

MAC : 0000-0000-0000

Interface : Vlan-interface100

VLAN : 100

Destination:

IP : 3000::1

Prefix length : 64

Port : Any

Rule 2

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 3000::1

MAC : 0015-e9a6-7cfe

Interface : Vlan-interface100

VLAN : 100

Author ACL:

Number : 3001

Rule 3

Type : Static

Action : Redirect

Status : Active

Source:

IP : ::

Prefix length : 0

Interface : Vlan-interface100

VLAN : 100

Protocol : TCP

Destination:

IP : ::

Prefix length : 0

Port : 80

Rule 4:

Type : Static

Action : Deny

Status : Active

Source:

IP : ::

Prefix length : 0

Interface : Vlan-interface100

VLAN : 100

Destination:

IP : ::

Prefix length : 0

Author ACL:

Number : 3001

Rule 5:

Type : Static

Action : Match pre-auth ACL

Status : Active

Source:

Interface : Vlan-interface100

Pre-auth ACL:

Number : 3002

# Display all portal filtering rules on AP ap1.

<Sysname> display portal rule all ap ap1

IPv4 portal rules on ap1:

Radio ID : 1

SSID : portal

Rule 1

Type : Static

Action : Permit

Protocol : Any

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : 23

MAC : 0000-0000-0000

Interface : WLAN-BSS1/0/1

VLAN : any

Destination:

IP : 192.168.0.111

Mask : 255.255.255.255

Port : Any

Rule 2

Type : Static

Action : Redirect

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : Any

MAC : 0000-0000-0000

Interface : WLAN-BSS1/0/1

VLAN : any

Protocol : TCP

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : 80

Rule 3

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 2.2.2.2

Mask : 255.255.255.255

MAC : 000d-88f8-0eab

Interface : WLAN-BSS1/0/1

VLAN : 2

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Table 30 Command output

Field	Description
Radio ID	ID of the radio.
SSID	Service set identifier.
Rule	Number of the portal filtering rule. IPv4 portal filtering rules and IPv6 portal filtering rules are numbered separately.
Type	Type of the portal filtering rule: · Static—Static portal filtering rule. · Dynamic—Dynamic portal filtering rule.
Action	Action triggered by the portal filtering rule: · Permit—The interface allows packets to pass. · Redirect—The interface redirects packets. · Deny—The interface forbids packets to pass. · Match pre-auth ACL—The interface matches packets against the authorized ACL rules in the preauthentication domain.
Protocol	Transport layer protocol permitted by the portal filtering rule: · Any—Permits any transport layer protocol. · TCP—Permits TCP. · UDP—Permits UDP.
Status	Status of the portal filtering rule: · Active—The portal rule is effective. · Unactuated—The portal rule is not activated.
Source	Source information of the portal filtering rule.
IP	Source IP address.
Mask	Subnet mask of the source IPv4 address.
Prefix length	Prefix length of the source IPv6 address.
Port	Source transport layer port number.
MAC	Source MAC address.
Interface	Interface on which the portal filtering rule is implemented.
VLAN	Source VLAN ID.
Protocol	Protocol type for the portal filtering rule.
Destination	Destination information of the portal filtering rule.
IP	Destination IP address.
Port	Destination transport layer port number.
Mask	Subnet mask of the destination IPv4 address.
Prefix length	Prefix length of the destination IPv6 address.
Author ACL	Authorized ACL assigned to authenticated portal users. This field is displayed only for a dynamic portal filtering rule.
Pre-auth ACL	Authorized ACL assigned to preauthentication portal users. This field is displayed only for the Match pre-auth ACL action.
Number	Number of the authorized ACL. This field displays None if the AAA server does not assign an ACL.

display portal safe-redirect statistics

Use display portal safe-redirect statistics to display portal safe-redirect packet statistics.

Syntax

display portal safe-redirect statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics for all member devices.

Examples

# Display portal safe-redirect packet statistics on the specified slot.

<Sysname> display portal safe-redirect statistics slot 1

Slot 1:

Redirect statistics:

Success: 7

Failure: 8

Total : 15

Method statistics:

Get : 11

Post : 1

Others : 3

User agent statistics:

Safari: 3

Chrome: 2

Forbidden URL statistics:

www.qq.com: 4

Forbidden filename extension statistics:

.jpg: 0

Table 31 Command output

Field	Description
Success	Number of packets redirected successfully.
Failure	Number of packets failed redirection.
Total	Total number of packets.
Method statistics	Statistics of HTTP request methods.
Get	Number of packets with the GET request method.
Post	Number of packets with the POST request method.
Other	Number of packets with other request methods.
User agent statistics	Browser types (in HTTP User Agent) allowed by portal safe-redirect, and packet statistics for the browsers.
Forbidden URL statistics	URLs forbidden by portal safe-redirect, and packet statistics for the URLs.
Forbidden filename extension statistics	Filename extensions forbidden by portal safe-redirect, and packet statistics for the filename extensions.

Related commands

reset portal safe-redirect statistics

display portal server

Use display portal server to display information about portal authentication servers.

Syntax

display portal server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal authentication servers.

Examples

# Display information about portal authentication server pts.

<Sysname> display portal server pts

Portal server: pts

Type : IMC

IP : 192.168.0.111

VPN instance : vpn1

Port : 50100

Server detection : Timeout 60s Action: log, trap

User synchronization : Timeout 200s

Status : Up

Exclude-attribute : Not configured

Logout notification : Retry 3 interval 5s

Table 32 Command output

Field	Description
Type	Portal authentication server type: · CMCC: CMCC server. · IMC: IMC server.
Portal server	Name of the portal authentication server.
IP	IP address of the portal authentication server.
VPN instance	Name of the VPN instance to which the portal authentication server belongs. This field is not supported in the current software version.
Port	Listening port on the portal authentication server.
Server detection	Parameters for portal authentication server detection: · Detection timeout in seconds. · Actions (log and trap) triggered by the reachability status change of the portal authentication server.
User synchronization	User idle timeout in seconds for portal user synchronization.
Status	Reachability status of the portal authentication server: · N/A—Portal authentication server detection is disabled. Reachability status of the server is unknown. · Up—Portal authentication server detection is enabled. The server is reachable. · Down—Portal authentication server detection is enabled. The server is unreachable.
Exclude-attribute	Attributes that are not carried in portal protocol packets sent to the portal authentication server.
Logout-notification	Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet.

Related commands

· portal enable

· portal server

· server-detect (portal authentication server view)

· user-sync

display portal user

Use display portal user to display information about portal users.

Syntax

display portal user { all | ap ap-name [ radio radio-id ] | auth-type { cloud | email | local | mac-trigger | normal | qq | wechat } | interface interface-type interface-number | ip ip-address | ipv6 ipv6-address | mac mac-address | pre-auth [ interface interface-type interface-number | ip ip-address | ipv6 ipv6-address ] | username username } [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays information about all portal users.

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays information about portal users for all radios of the AP.

auth-type: Specifies an authentication type.

cloud: Specifies the cloud authentication (a cloud portal authentication server performs portal authentication on portal users). This keyword is restricted to Hong Kong and Macao.

email: Specifies the email authentication. This keyword is restricted to Hong Kong and Macao.

local: Specifies the local authentication (a local portal authentication server performs portal authentication on portal users).

mac-trigger: Specifies the MAC-trigger authentication.

normal: Specifies the normal authentication (a remote portal authentication server performs portal authentication on portal users).

qq: Specifies QQ authentication. This keyword is restricted to Hong Kong and Macao.

wechat: Specifies WeChat authentication. This keyword is restricted to Hong Kong and Macao.

interface interface-type interface-number: Displays information about portal users on the specified interface.

ip ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

mac mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

pre-auth: Displays information about preauthentication portal users. A preauthentication user is a user who is authorized with the authorization attributes in a preauthentication domain before portal authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users.

brief: Displays brief information about portal users.

verbose: Displays detailed information about portal users.

Usage guidelines

If you specify neither the brief nor the verbose keyword, this command displays portal authentication-related information for all portal users.

Examples

# Display information about all portal users.

<Sysname> display portal user all

Total portal users: 1

Username: def

AP name: ap1

Radio ID: 1

SSID: portal

Portal server: pts

State: Online

VPN instance: vpn1

MAC IP VLAN Interface

000d-88f8-0eac 4.4.4.4 2 Bss1/2

Authorization information:

DHCP IP pool: N/A

User profile: N/A

Session group profile: N/A

ACL number: 3000

# Display information about portal users that perform normal portal authentication.

<Sysname> display portal user auth-type normal

Total normal users: 1

Username: abc

Portal server: pts

State: Online

VPN instance: N/A

MAC IP VLAN Interface

000d-88f8-0eab 2.2.2.2 2 WLAN-BSS1/0/1

Authorization information:

DHCP IP pool: N/A

User profile: abc (active)

Session group profile: cd (inactive)

ACL number: N/A

# Display information about the portal user whose MAC address is 000d-88f8-0eab.

<Sysname> display portal user mac 000d-88f8-0eab

Username: abc

Portal server: pts

State: Online

VPN instance: N/A

MAC IP VLAN Interface

000d-88f8-0eab 2.2.2.2 2 WLAN-BSS1/0/1

Authorization information:

DHCP IP pool: N/A

User profile: abc (active)

Session group profile: cd (inactive)

ACL number: N/A

# Display information about the portal user whose username is abc.

<Sysname> display portal user username abc

Username: abc

Portal server: pts

State: Online

VPN instance: N/A

MAC IP VLAN Interface

000d-88f8-0eab 2.2.2.2 2 WLAN-BSS1/0/1

Authorization information:

DHCP IP pool: N/A

User profile: abc (active)

Session group profile: cd (inactive)

ACL number: N/A

Table 33 Command output

Field	Description
Total portal users	Total number of portal users.
Total normal users	Total number of portal users that perform normal authentication.
Total local users	Total number of portal users that perform local authentication.
Total email users	Total number of portal users that perform email authentication.
Total cloud users	Total number of portal users that perform cloud authentication.
Total QQ users	Total number of portal users that perform QQ authentication.
Total WeChat users	Total number of portal users that perform WeChat authentication.
Total MAC-trigger users	Total number of portal users whose authentication type is MAC-trigger authentication.
Username	Name of the user.
AP name	Name of the AP.
Radio ID	ID of the radio.
SSID	Service set identifier.
Portal server	Name of the portal authentication server.
State	Current state of the portal user: · Initialized—The user is initialized and ready for authentication. · Authenticating—The user is being authenticated. · Authorizing—The user is being authorized. · Online—The user is online.
VPN instance	Name of the VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A. This field is not supported in the current software version.
MAC	MAC address of the portal user.
IP	IP address of the portal user.
VLAN	VLAN where the portal user resides.
Interface	Access interface of the portal user.
Authorization information	Authorization information for the portal user.
DHCP IP pool	Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.
User profile	Authorized user profile: · N/A—The AAA server authorizes no user profile. · active—The AAA server has authorized the user profile successfully. · inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.
ACL number	Authorized ACL: · N/A—The AAA server authorizes no ACL. · active—The AAA server has authorized the ACL successfully. · inactive—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

# Display detailed information about the portal user with IP address with IP address 18.18.0.20.

<Sysname> display portal user ip 18.18.0.20 verbose

Basic:

AP name: ap1

Radio ID: 1

SSID: portal

Current IP address: 18.18.0.20

Original IP address: 18.18.0.20

Username: chap1

User ID: 0x10000001

Access interface: WLAN_BSS1/0/1

Service-VLAN/Customer-VLAN: 50/-

MAC address: 7854-2e1c-c59e

Authentication type: Normal

Domain name: portal

VPN instance: N/A

Status: Online

Portal server: pt

Vendor: Apple

Portal authentication method: Direct

AAA:

Realtime accounting interval: 720s, retry times: 5

Idle cut: N/A

Session duration: 0 sec, remaining: 0 sec

Remaining traffic: N/A

Online duration (hh:mm:ss): 1:53:7

DHCP IP pool: N/A

ACL&Multicast:

ACL number: N/A

User profile: N/A

Session group profile: N/A

Max multicast addresses: 4

Flow statistic:

Uplink packets/bytes: 6/412

Downlink packets/bytes: 0/0

Table 34 Command output

Field	Description
AP name	Name of the AP.
Radio ID	Radio ID.
SSID	Service set identifier.
Current IP address	IP address of the portal user after passing authentication.
Original IP address	IP address of the portal user during authentication.
Username	Name of the portal user.
User ID	Portal user ID.
Access interface	Access interface of the portal user.
Service-VLAN/Customer-VLAN	Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
MAC address	MAC address of the portal user.
Authentication type	Type of portal authentication: · Normal—Normal authentication. · Local—Local authentication. · Email—Email authentication. · Cloud—Cloud authentication. · QQ—QQ authentication. · WeChat—WeChat authentication. · MAC-trigger—MAC-trigger authentication.
Domain	ISP domain name for portal authentication.
VPN instance	VPN to which the portal user belongs. If the portal user is on a public network, this field displays N/A. This field is not supported in the current software version.
Status	Status of the portal user: · Authenticating—The user is being authenticated. · Authorizing—The user is being authorized. · Waiting SetRule—Deploying portal filtering rules to the user. · Online—The user is online. · Waiting Traffic—Waiting for traffic from the user. · Stop Accounting—Stopping accounting for the user. · Done—The user is offline.
Portal server	Name of the portal server.
Vendor	Vendor name of the endpoint.
Portal authentication method	Portal authentication method on the access interface. This field displays Direct if direct authentication is enabled.
AAA	AAA information about the portal user.
Realtime accounting interval	Interval for sending real-time accounting updates, and the maximum number of accounting attempts. If the real-time accounting is not authorized, this field displays N/A.
Idle-cut	Idle timeout period and the minimum traffic threshold. If idle-cut is not authorized, this field displays N/A.
Session duration	Session duration and the remaining session time. If the session duration is not authorized, this field displays N/A.
Remaining traffic	Remaining traffic for the portal user. If the remaining traffic is not authorized, this field displays N/A.
Login time	Time when the user logged in. The field uses the device time format, for example, 2023-1-19 2:42:30 UTC.
ITA policy name	Name of the intelligent target accounting policy.
DHCP IP pool	Authorized DHCP IP address pool. If no DHCP IP address pool is authorized for the portal user, this field displays N/A.
ACL number	Authorized ACL: · N/A—The AAA server authorizes no ACL. · active—The AAA server has authorized the ACL successfully. · inactive—The AAA server failed to authorize the ACL or the ACL does not exist on the device.
User profile	Authorized user profile: · N/A—The AAA server authorizes no user profile. · active—The AAA server has authorized the user profile successfully. · inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.
Session group profile	Authorized session group profile: · N/A—The AAA server authorizes no session group profile. · active—The AAA server has authorized the session group profile successfully. · inactive—The AAA server failed to authorize the session group profile or the session group profile does not exist on the device.
Max multicast addresses	Maximum number of multicast groups the portal user can join.
Multicast address list	Multicast group list the portal user can join. If no multicast group is authorized, this field displays N/A.
Flow statistic	Flow statistics for the portal user.
Uplink packets/bytes	Packet and byte statistics of the upstream traffic.
Downlink packets/bytes	Packet and byte statistics of the downstream traffic.

# Display brief information about all portal users.

<Sysname> display portal user all brief

IP address MAC address Online duration Username

4.4.4.4 000d-88f8-0eac 1:53:7 def

Table 35 Command output

Field	Description
IP address	IP address of the portal user.
MAC address	MAC address of the portal user.
Online duration	Online duration of the portal user, in hh:ss:mm.
Username	Username of the portal user.

Related commands

portal enable

display portal user count

Use display portal user count to display the number of portal users.

Syntax

display portal user count

Views

Any view

Predefined user roles

network-admin

Examples

# Display the number of portal users.

<Sysname> display portal user count

Total number of users: 1

Related commands

· portal enable

· portal delete-user

display portal web-server

Use display portal web-server to display information about portal Web servers.

Syntax

display portal web-server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal Web servers.

Examples

# Display information about portal Web server wbs.

<Sysname> display portal web-server wbs

Portal Web server: wbs

Type : IMC

URL : http://www.test.com/portal

URL parameters : userurl=http://www.test.com/welcome

userip=source-address

VPN instance : Not configured

Server detection : Interval: 120s Attempts: 5 Action: log, trap

IPv4 status : Up

IPv6 status : N/A

Captive-bypass : Enabled

If-match : original-url: http://2.2.2.2, redirect-url: http://192.168.56.2

Table 36 Command output

Field	Description
Type	Portal Web server type: · CMCC—CMCC server. · IMC—IMC server.
Portal Web server	Name of the portal Web server.
URL	URL of the portal Web server.
URL parameters	URL parameters for the portal Web server.
VPN instance	Name of the VPN instance to which the portal Web server belongs. This field is not supported in the current software version.
Server detection	Parameters for portal Web server detection: · Detection interval in seconds. · Maximum number of detection attempts. · Actions (log and trap) triggered by the reachability status change of the portal Web server.
IPv4/IPv6 status	Current state of the portal Web server: · N/A—Portal Web server detection is disabled. Reachability status of the server is unknown. · Up—Portal Web server detection is enabled. The server is reachable. · Down—Portal Web server detection is enabled. The server is unreachable.
Captive-bypass	Status of the captive-bypass feature: · Disabled—Captive-bypass is disabled. · Enabled—Captive-bypass is enabled. · Optimize Enabled—Optimized captive-bypass is enabled.
If-match	Match rules configured for URL redirection.

Related commands

· portal enable

· portal web-server

· server-detect (portal Web server view)

display web-redirect rule

Use display web-redirect rule to display information about Web redirect rules.

Syntax

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for this argument varies by device model. If you do not specify this option, the command displays Web redirect rules for all radios of the AP.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays Web redirect rules for the master device.

Examples

# Display all Web redirect rules on VLAN-interface 100.

<Sysname> display web-redirect rule interface vlan-interface 100

IPv4 web-redirect rules on vlan-interface 100:

Rule 1:

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 192.168.2.114

VLAN : Any

Rule 2:

Type : Static

Action : Redirect

Status : Active

Source:

VLAN : Any

Protocol : TCP

Destination:

Port : 80

IPv6 web-redirect rules on vlan-interface 100:

Rule 1:

Type : Static

Action : Redirect

Status : Active

Source:

VLAN : Any

Protocol : TCP

Destination:

Port : 80

# Display all Web redirect rules on AP ap1.

<Sysname> display web-redirect rule ap ap1

IPv4 web-redirect rules on ap1:

Radio ID: 1

SSID : portal

Rule 1:

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 192.168.2.114

VLAN : Any

Rule 2:

Type : Static

Action : Redirect

Status : Active

Source:

VLAN : Any

Protocol : TCP

Destination:

Port : 80

Table 37 Command output

Field	Description
Radio ID	ID of the radio.
SSID	Service set identifier.
Rule	Number of the Web redirect rule.
Type	Type of the Web redirect rule: · Static—Static Web redirect rule, generated when the Web redirect feature takes effect. · Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
Action	Action in the Web redirect rule: · Permit—Allows packets to pass. · Redirect—Redirects the packets.
Status	Status of the Web redirect rule: · Active—The Web redirect rule is effective. · Deactive—The Web redirect rule is not effective.
Source	Source information in the Web redirect rule.
IP	Source IP address.
Mask	Subnet mask of the source IPv4 address.
Prefix length	Prefix length of the source IPv6 address.
VLAN	Source VLAN. If not specified, this field displays Any.
Protocol	Transport layer protocol in the Web redirect rule: · Any—No transport layer protocol is limited. · TCP—Transmission Control Protocol.
Destination	Destination information in the Web redirect rule.
Port	Destination transport layer port number. The default port number is 80.

exclude-attribute (MAC binding server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute attribute-number

undo exclude-attribute attribute-number

Default

No attributes are excluded from portal protocol packets.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

attribute-number: Specifies an attribute by its number in the range of 1 to 255.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. During MAC-trigger authentication, the device and the server cannot communicate if the device sends the portal authentication server a packet that contains an attribute unsupported by the server.

To address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes.

Table 38 describes all attributes of the portal protocol.

Table 38 Portal attributes

Name	Number	Description
UserName	1	Name of the user to be authenticated.
PassWord	2	User password in plaintext form.
Challenge	3	Random challenge for CHAP authentication.
ChapPassWord	4	CHAP password encrypted by MD5.
TextInfo	5	The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux	6	Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux	7	Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port	8	Port information, a string excluding the end character '\0'.
IP-Config	9	The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.
BAS-IP	10	IP address of the access device.
Session-ID	11	Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user.
Delay-Time	12	Delay time for sending a packet. This attributes exists in NTF_LOGOUT (Type=0x08) packets.
User-List	13	List of IP addresses of an IPv4 portal user.
EAP-Message	14	An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.
User-Notify	15	Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.
BAS-IPv6	100	IPv6 address of the access device.
UserIPv6-List	101	List of IPv6 addresses of an IPv6 portal user.

Examples

# Exclude the BAS-IP attribute (number 10) from portal packets sent to MAC binding server 123.

<Sysname> system-view

[Sysname] portal mac-trigger-server 123

[Sysname-portal-mac-trigger-server-123] exclude-attribute 10

Related commands

display portal server

exclude-attribute (portal authentication server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number { ack-auth | ack-logout | ntf-logout }

undo exclude-attribute number { ack-auth | ack-logout | ntf-logout }

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

Table 38 describes all attributes of the portal protocol.

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth

Related commands

display portal server

free-traffic threshold

Use free-traffic threshold to set the free-traffic threshold for portal users.

Use undo free-traffic threshold to restore the default.

Syntax

free-traffic threshold value

undo free-traffic threshold

Default

The free-traffic threshold is 0 bytes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.

Usage guidelines

A user can access the network without authentication if the user's network traffic (sent and received) is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.

If the user passes portal authentication, the device clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.

After traffic statistics are cleared for a user, the device repeats the MAC-based portal authentication procedure for the user. For more information about the MAC-based portal authentication procedure, see Security Configuration Guide.

In wireless networks where APs are configured to forward client data traffic, APs report traffic statistics to the AC at a regular interval. The AC can determine whether a user's traffic exceed the free-traffic threshold only after receiving the traffic statistics report from the associated AP. To set the interval for APs to report traffic statistics to the AC, use the portal client-traffic-report interval command.

Examples

# Set the free-traffic threshold for portal users to 10240 bytes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240

Related commands

display portal mac-trigger-server

if-match

Use if-match to configure a match rule for URL redirection.

Use undo if-match to delete a URL redirection match rule.

Syntax

if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent string redirect-url url-string }

undo if-match { original-url url-string | user-agent user-agent }

Default

No URL redirection match rules exists.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

· If des cipher is specified, the string length is 41 characters.

· If des simple is specified, the string length is 8 characters.

· If aes cipher is specified, the string length is 1 to 73 characters.

· If aes simple is specified, the string length is 1 to 31 characters.

user-agent user-agent: Specifies a user agent string to match the HTTP User-Agent string in HTTP requests. The user agent string is a case-sensitive string of 1 to 255 characters. HTTP User-Agent string in HTTP requests includes information about hardware manufacturer, operating system, browser, and search engine.

Usage guidelines

A URL redirection match rule matches HTTP requests by user-requested URL or User-Agent information, and redirects the matching HTTP requests to the specified redirection URL.

For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP requests destined for the redirection URL to pass. For information about configuring portal-free rules, see the portal free-rule command.

For a portal Web server, you can configure the url command and the if-match command for URL redirection. The url command redirects all HTTP or HTTPS requests from unauthenticated users to the portal Web server for authentication. The if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the if-match command takes priority to perform URL redirection.

If you configure encryption for parameters in the redirection URL, you must add an encryption prompt field after the redirection URL address. For example, to redirect HTTP requests to URL 10.1.1.1 with encrypted URL parameters, specify the redirection URL as http://10.1.1.1?yyyy=. The value of yyyy depends on the portal Web server configuration. For more information, see the portal Web server configuration guide.

Examples

# Configure a match rule to redirect HTTP requests destined for the URL http://www.abc.com.cn to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

· display portal web-server

· portal free-rule

· url

· url-parameter

ip (MAC binding server view)

Use ip to specify the IP address of a MAC binding server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ key { cipher | simple } string ]

undo ip

Default

The IP address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of a MAC binding server.

key: Specifies a shared key to be used to authenticate packets between the device and the MAC binding server. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal

Related commands

display portal mac-trigger-server

ip (portal authentication server view)

Use ip to specify the IP address of an IPv4 portal authentication server.

Use undo ip to delete the IP address of the IPv4 portal authentication server.

Syntax

ip ipv4-address [ key { cipher | simple } string ]

undo ip

Default

The IP address of the IPv4 portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of the IPv4 portal authentication server.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters.

Usage guidelines

A portal authentication server has only one IP address. Therefore, in portal authentication server view, only one IP address exists. A newly configured IP address (IPv4 or IPv6) overrides the old address.

For security purposes, all keys, including keys specified in plain text, are saved in cipher text.

Examples

# Configure the IP address of the IPv4 portal authentication server pts as 192.168.0.111 and the plaintext key as portal.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal

Related commands

· display portal server

· portal server

ipv6

Use ipv6 to specify the IP address of an IPv6 portal authentication server.

Use undo ipv6 to delete the IP address of the IPv6 portal authentication server.

Syntax

ipv6 ipv6-address [ key { cipher | simple } string ]

undo ipv6

Default

The IP address of the IPv6 portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IP address of the IPv6 portal authentication server.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters.

Usage guidelines

A portal authentication server has only one IP address. Therefore in portal authentication server view, only one IP address exists. A newly configured IP address (IPv4 or IPv6) overrides the old address.

For security purposes, all keys, including keys specified in plain text, are saved in cipher text.

Examples

# Configure the IP address of the IPv6 portal authentication server pts as 2000::1 and the plaintext key as portal.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ipv6 2000::1 key simple portal

Related commands

· display portal server

· portal server

local-binding aging-time

Use local-binding aging-time to set the aging time for local MAC-account binding entries.

Use undo local-binding aging-time to restore the default.

Syntax

local-binding aging-time minutes

undo local-binding aging-time

Default

The aging time for local MAC-account binding entries is 720 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the aging time for local MAC-account binding entries. The value range for this argument is 60 to 129600 minutes.

Usage guidelines

The local MAC-account binding entry of a portal user is deleted when the entry ages out. If the device detects traffic for the user next time, the device creates a local MAC-trigger entry for the user.

If you disable local MAC-trigger authentication, the device does not delete existing local MAC-account binding entries. These entries are automatically deleted when they age out.

Examples

# Set the aging time of local MAC-account binding entries to 240 minutes for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding aging-time 240

Related commands

· display portal mac-trigger-server

· local-binding enable

local-binding enable

Use local-binding enable to enable local MAC-trigger authentication.

Use undo local-binding enable to disable local MAC-trigger authentication.

Syntax

local-binding enable

undo local-binding enable

Default

Local MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to act as a local MAC binding server to provide local MAC-trigger authentication for local portal users.

After a user passes portal authentication for the first time, the access device (local MAC binding server) generates a local MAC binding entry for the user. The local MAC binding entry records the MAC address and authentication information (username and password) of the user. Then, the user can be automatically connected to the network without manual authentication for subsequent network access attempts.

Examples

# Enable local MAC-trigger authentication for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding enable

Related commands

· display portal mac-trigger-server

· local-binding aging-time

logon-page bind

Use logon-page bind to bind an SSID, endpoint name, or endpoint type to an authentication page file.

Use undo logon-page bind to unbind the SSID, endpoint name, or endpoint type from the authentication page file.

Syntax

logon-page bind { device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } * file file-name

undo logon-page bind { all | device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } *

Default

No SSID, endpoint name, or endpoint type is bound to an authentication page file.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

all: Specifies all SSIDs, endpoint names, and endpoint types.

device-type type-name: Specifies an endpoint type.

computer: Specifies the endpoint type as computer.

pad: Specifies the endpoint type as tablet.

phone: Specifies the endpoint type as mobile phone.

device-name device-name: Specifies an endpoint by its name, a case-sensitive string of 1 to 127 characters. The specified endpoint name must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.

ssid ssidname: Specifies an SSID by its name, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, digits, and spaces, but the start and end characters cannot be spaces. An SSID string cannot be f, fi, fil, or file.

file filename: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

Usage guidelines

This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the user SSID, endpoint name, or endpoint type.

When a Web user triggers local portal authentication, the device searches for a binding that matches the user's SSID, endpoint name, and endpoint type.

· If the binding exists, the device pushes the bound authentication pages to the user.

· If multiple matching binding entries are found, the device selects an entry in the following order:

a. The entry that specifies the SSID, endpoint name, and endpoint type.

b. The entry that specifies the SSID and endpoint name.

c. The entry that specifies the SSID and endpoint type.

d. The entry that specifies only the SSID.

e. The entry that specifies the endpoint name and endpoint type.

f. The entry that specifies only the endpoint name.

g. The entry that specifies only the endpoint type.

· If the binding does not exist, the device pushes the default authentication pages to the user. If the default authentication page file is not specified (by using the default-logon-page command), the user cannot perform local portal authentication.

When you configure this command, follow these restrictions and guidelines:

· If the name or contents of the file in a binding entry are changed, you must reconfigure the binding.

· To reconfigure or modify a binding, simply re-execute this command, without canceling the existing binding.

· If you execute this command multiple times to bind an SSID, endpoint name, or endpoint type to different authentication page files, the most recent configuration takes effect.

· You can configure multiple binding entries on the device.

Examples

# Create a local portal Web server and specify HTTP to exchange information with clients.

<Sysname> system-view

[Sysname] portal local-web-server http

# Bind SSID SSID1 to authentication page file file1.zip.

[Sysname-portal-local-websvr-http] logon-page ssid SSID1 file file1.zip

# Bind endpoint type phone to authentication page file file2.zip.

[Sysname-portal-local-websvr-http] logon-page device-type phone file file2.zip

Related commands

· default-logon-page

· portal local-web-server

logout-notify

Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.

Use undo logout-notify to restore the default.

Syntax

logout-notify retry retries interval interval

undo logout-notify

Default

The device does not retransmit a logout notification packet.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

retry retries: Specifies the maximum number of retries, in the range of 1 to 5.

interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.

Usage guidelines

A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.

After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.

Examples

# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] portal server pt

[Sysname-portal-server-pt] logout-notify retry 3 interval 5

Related commands

display portal server

mail-domain-name

Use mail-domain-name to specify an email domain name for email authentication.

Use undo mail-address to restore the default.

Syntax

mail-domain-name string

undo mail-domain-name [ string ]

Default

No email domain names are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

string: Specifies an email domain name for email authentication, a case-sensitive string of 1 to 255 characters, in the format of @XXX.XXX.

Usage guidelines

After you configure this command, the device performs email authentication only on portal users that use the specified email domain names.

You can specify a maximum of 16 email domain names for email authentication.

Examples

# Specify @qq.com and @sina.com email domain names for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-domain-name @qq.com

[Sysname-portal-extend-auth-server-mail] mail-domain-name @Sina.com

Related commands

display portal extend-auth-server

mail-protocol

Use mail-protocol to specify protocols for email authentication.

Use undo mail-protocol to restore the default.

Syntax

mail-protocol { imap | pop3 } *

undo mail-protocol

Default

No protocols are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

imap: Specifies the Internet Message Access Protocol (IMAP).

pop3: Specifies the Post Office Protocol 3 (POP3).

Usage guidelines

This command specifies email protocols that the device uses to interact with the email authentication server to perform authentication and authorization on portal users who uses email authentication.

Examples

# Specify the POP3 protocol for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-protocol pop3

Related commands

display portal extend-auth-server

nas-port-type

Use nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type value

undo nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is 0.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the NAS-Port-Type value in the range of 1 to 255.

Usage guidelines

Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type value required by the MAC binding server.

Examples

# Set the NAS-Port-Type value to 30 for RADIUS requests sent to MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] nas-port-type 30

Related commands

display portal mac-trigger-server

port (MAC binding server view)

Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The MAC binding server listens for MAC binding query packets on UDP port 50100.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening UDP port number in the range of 1 to 65534.

Usage guidelines

The specified port number must be the same as the query listening port number configured on the MAC binding server.

Examples

# Set the UDP port number to 1000 for MAC binding server pts to listen for MAC binding query packets.

<sysname> system-view

[sysname] portal mac-trigger-server mts

[sysname-portal-mac-trigger-server-mts] port 1000

Related commands

display portal mac-trigger-server

port (portal authentication server view)

Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The access device uses 50100 as the destination UDP port number for unsolicited portal packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

port-number: Specifies a destination UDP port number the access device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.

Usage guidelines

The specified port must be the port that listens to portal packets on the portal authentication server.

Examples

# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to the portal authentication server pts.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] port 50000

Related commands

portal server

portal { bas-ip | bas-ipv6 }

Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to a portal authentication server.

Use undo portal { bas-ip | bas-ipv6 } to delete the BAS-IP or BAS-IPv6 attribute setting.

Syntax

portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }

undo portal { bas-ip | bas-ipv6 }

Default

The BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet.

The BAS-IP attribute of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the interface. The BAS-IPv6 attribute of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the interface.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

bas-ip ipv4-address: Specifies BAS-IP for portal packets sent by the interface. The ipv4-address argument must be the IPv4 address of the device, and cannot be an all-zero address, all-one address, class D address, class E address, or loopback address.

bas-ip6 ipv6-address: Specifies BAS-IPv6 for portal packets sent by the interface. The ipv6-address argument must be the IPv6 address of the device, and cannot be a multicast address, all-zero address, or link-local address.

Usage guidelines

If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, unsolicited portal packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute.

After this command takes effect, the source IP address for unsolicited notification portal packets the device sends to the portal authentication server is the configured BAS-IP or BAS-IPv6. Otherwise the source IP address of the packets is the IP address of the interface.

You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface or service template if the following conditions are met:

· The portal authentication server is an H3C IMC server.

· The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.

Examples

# Configure the BAS-IP attribute of outgoing portal packets as 2.2.2.2 on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal bas-ip 2.2.2.2

# Configure the BAS-IP attribute of outgoing portal packets as 2.2.2.2 on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal bas-ip 2.2.2.2

Related commands

display portal

portal { ipv4-max-user | ipv6-max-user }

Use portal { ipv4-max-user | ipv6-max-user } to set the maximum number of portal users allowed on a VLAN interface or a service template.

Use undo portal { ipv4-max-user | ipv6-max-user } to restore the default.

Syntax

portal { ipv4-max-user | ipv6-max-user } max-number

undo portal { ipv4-max-user | ipv6-max-user }

Default

The maximum number of portal users on a VLAN interface or a service template is not limited.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of portal users allowed on a VLAN interface or a service template, in the range of 1 to 4294967295.

Usage guidelines

If the specified maximum number is smaller than the number of current online portal users on a VLAN interface or a service template, the limit can be set successfully and does not impact the online portal users. However, the device does not allow new portal users to log in from the interface or service template until the number drops down below the limit.

Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all VLAN interfaces or service templates does not exceed the system-allowed maximum number. Otherwise, the exceeding portal users will not be able to log in to the device.

Examples

# Set the maximum number of IPv4 portal users to 100 on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal ipv4-max-user 100

# Set the maximum number of IPv4 portal users to 100 on service template service1.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal ipv4-max-user 100

Related commands

· display portal user

· portal max-user

portal apply mac-trigger-server

Use portal apply mac-trigger-server to specify a MAC binding server.

Use undo portal apply mac-trigger-server to restore the default.

Syntax

portal apply mac-trigger-server server-name

undo portal apply mac-trigger-server

Default

No MAC binding server is specified.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

For MAC-based quick portal authentication to take effect, perform the following tasks:

· Configure normal portal authentication.

· Configure a MAC binding server.

· Specify the MAC binding server on a portal enabled VLAN interface or service template.

Examples

# Specify MAC binding server mts on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal apply mac-trigger-server mts

Related commands

portal mac-trigger-server

portal apply web-server

Use portal [ ipv6 ] apply web-server to specify a portal Web server on a VLAN interface or a service template. The device redirects the HTTP or HTTPS requests sent by unauthenticated portal users to the portal Web server.

Use undo portal [ ipv6 ] apply web-server to delete the portal Web server specified on the VLAN interface or service template.

Syntax

portal [ ipv6 ] apply web-server server-name [ secondary ]

undo portal [ ipv6 ] apply web-server [ server-name ]

Default

No portal Web server is specified on a VLAN interface or a service template.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword.

secondary: Specifies the backup portal Web server. If you do not specify this keyword, the specified server is the primary portal Web server.

server-name: Specifies a portal Web server to be specified on the interface by its name, a case-sensitive string of 1 to 32 characters. The name must already exist. If you do not specify a server name in the undo form of this command, all portal Web servers on the interface or service template are removed.

Usage guidelines

IPv4 and IPv6 portal authentication can both be enabled on a VLAN interface or on a service template. You can specify both a primary portal Web server and a backup portal Web server after enabling each type (IPv4 or IPv6) of portal authentication.

The device first uses the primary portal Web server for portal authentication. When the primary portal Web server is unreachable but the backup portal Web server is reachable, the device uses the backup portal Web server. When the primary portal Web server becomes reachable, the device switches back to the primary portal Web server for portal authentication.

To automatically switch between the primary portal Web server and the backup portal Web server, configure portal Web server detection on both servers.

Examples

# Specify portal Web server wbs as the primary portal Web server on VLAN-interface 100 for portal authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal apply web-server wbs

# Specify portal Web server wbs as the backup portal Web server on service template service1 for portal authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal apply web-server wbs secondary

Related commands

· display portal

· portal fail-permit server

· portal web-server

· server-detect (portal web-server view)

portal auth-error-record enable

Use portal auth-error-record enable to enable portal authentication error recording.

Use undo portal auth-error-record enable to disable portal authentication error recording.

Syntax

portal auth-error-record enable

undo portal auth-error-record enable

Default

Portal authentication error recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save all portal authentication error records and to periodically send the records to the lvzhou cloud server or other servers.

Examples

# Enable portal authentication error recording.

<Sysname> system-view

[Sysname] portal auth-error-record enable

Related commands

display portal auth-error-record

portal auth-error-record export

Use portal auth-error-record export to export portal authentication error records to a path.

Syntax

portal auth-error-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication error records are exported. The URL is a case-insensitive string of 1 to 255 characters.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 39 describes the valid URL format for each method.

Table 39 URL formats

Protocol	URL format	Remarks
FTP	ftp://username[:password]@server-address[:port-number]/file-path Example: ftp://a:1@1.1.1.1/authfail/	The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.
TFTP	tftp://server-address[:port-number]/file-path Example: tftp://1.1.1.1/ autherror/	N/A
HTTP	http://username[:password]@server-address[:port-number]/file-path Example: http://1.1.1.1/autherror/	The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]:21/test/.

Examples

# Export all portal authentication error records to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export tftp://1.1.1.1/record/autherror/

# Export portal authentication error records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export tftp://1.1.1.1/record/autherror/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

· display portal auth-error-record

· portal auth-error-record enable

· reset portal auth-error-record

portal auth-error-record max

Use portal auth-error-record max to set the maximum number of portal authentication error records.

Use undo portal auth-error-record max to restore the default.

Syntax

portal auth-error-record max number

undo portal auth-error-record max

Default

The maximum number of portal authentication error records is 32000.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication error records, in the range of 1 to 4294967295.

Usage guidelines

When the maximum number of portal authentication error records is reached, the new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication error records to 50.

<Sysname> system-view

[Sysname] portal auth-error-record max 50

Related commands

display portal auth-error-record

portal auth-fail-record enable

Use portal auth-fail-record enable to enable portal authentication failure recording.

Use undo portal auth-fail-record enable to disable portal authentication failure recording.

Syntax

portal auth-fail-record enable

undo portal auth-fail-record enable

Default

Portal authentication failure recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save portal authentication failure records and to periodically send the records to the lvzhou cloud server or other servers.

Examples

# Enable portal authentication failure recording.

<Sysname> system-view

[Sysname] portal auth-fail-record enable

Related commands

display portal auth-fail-record

portal auth-fail-record export

Use portal auth-fail-record export to export portal authentication failure records to a path.

Syntax

portal auth-fail-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication failure records are exported. The URL is a case-insensitive string of 1 to 255 characters.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 40 describes the valid URL format for each method.

Table 40 URL formats

Protocol	URL format	Remarks
FTP	ftp://username[:password]@server-address[:port-number]/file-path Example: ftp://a:1@1.1.1.1/authfail/	The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.
TFTP	tftp://server-address[:port-number]/file-path Example: tftp://1.1.1.1/ autherror/	N/A
HTTP	http://username[:password]@server-address[:port-number]/file-path Example: http://1.1.1.1/autherror/	The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.

Examples

# Export all portal authentication failure records to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/

# Export portal authentication failure records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export tftp://1.1.1.1/record/authfail/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

· display portal auth-fail-record

· portal auth-fail-record enable

· reset portal auth-fail-record

portal auth-fail-record max

Use portal auth-fail-record max to set the maximum number of portal authentication failure records.

Use undo portal auth-fail-record max to restore the default.

Syntax

portal auth-fail-record max number

undo portal auth-fail-record max

Default

The maximum number of portal authentication failure records is 32000.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication failure records, in the range of 1 to 4294967295.

Usage guidelines

When the maximum number of portal authentication failure records is reached, the new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication failure records to 50.

<Sysname> system-view

[Sysname] portal auth-fail-record max 50

Related commands

display portal auth-fail-record

portal authorization strict-checking

Use portal authorization strict-checking to enable strict checking on portal authorization information.

Use undo portal authorization strict-checking to restore the default.

Syntax

portal authorization { acl | user-profile } strict-checking

undo portal authorization { acl | user-profile } strict-checking

Default

The strict checking mode is disabled. If an authorized ACL or user profile does not exist on the device or the ACL or user profile fails to be deployed, the user will not be logged out.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

acl: Enables strict checking on authorized ACLs.

user-profile: Enables strict checking on authorized user profiles.

Usage guidelines

You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails.

An ACL/user profile checking fails when the authorized ACL/user profile does not exist on the device or the ACL/user profile fails to be deployed.

Examples

# Enable strict checking on authorized ACLs on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal authorization acl strict-checking

# Enable strict checking on authorized ACLs on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal authorization acl strict-checking

Related commands

display portal

portal captive-bypass optimize delay

Use portal captive-bypass optimize delay to set the captive-bypass detection timeout time.

Use undo portal captive-bypass optimize delay to restore the default.

Syntax

portal captive-bypass optimize delay seconds

undo portal captive-bypass optimize delay

Default

The captive-bypass detection timeout time is 6 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the captive-bypass detection timeout time, in the range of 6 to 60 seconds.

Usage guidelines

This command applies only to iOS mobile clients.

With optimized captive-bypass enabled, the device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can perform authentication on the page or press the home button to return to the desktop without performing authentication, and the Wi-Fi connection is not disabled.

Optimized captive-bypass might fail in some conditions. For example, when the network condition is poor, the device cannot receive a server detection packet from an iOS mobile device within the captive-bypass detection timeout time. Therefore, the Wi-Fi connection might be terminated on the iOS mobile device. To avoid such failure, you can set a longer captive-bypass detection timeout time when the network condition is poor.

Examples

# Set the captive-bypass detection timeout time to 20 seconds.

<Sysname> system-view

[Sysname] portal captive-bypass optimize delay 20

Related commands

captive-bypass enable

portal client-gateway interface

Use portal client-gateway interface to configure the gateway for portal clients to access the AC during authentication.

Use undo portal client-gateway interface to restore the default.

Syntax

portal client-gateway interface interface-type interface-number

undo portal client-gateway interface

Default

No gateway is specified for portal clients to access the AC during authentication.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

When the client traffic forwarding location is at APs, execute this command to specify the gateway for portal clients to access the AC during authentication.

Examples

# Configure VLAN-interface 100 as the gateway for portal clients to access the AC during authentication.

<Sysname> system-view

[Sysname] portal client-gateway interface vlan-interface 10

portal client-traffic-report interval

Use portal client-traffic-report interval to set the interval at which an AP reports traffic statistics to the AC.

Use undo portal client-traffic-report interval to restore the default.

Syntax

portal client-traffic-report interval interval

undo portal client-traffic-report interval

Default

An AP reports traffic statistics to the AC at an interval of 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which an AP reports traffic statistics to the AC, in the range of 1 to 3600 seconds.

Usage guidelines

Before you execute this command, make sure the client traffic forwarding location is at APs.

Examples

# Set the interval at which an AP reports traffic statistic to the AC to 120 seconds.

<Sysname> system-view

[Sysname] portal client-traffic-report interval 120

Related commands

client forwarding-location (WLAN Command Reference)

portal delete-user

Use portal delete-user to log out online portal users.

Syntax

portal delete-user { ipv4-address | all | auth-type { cloud | email | local | normal | qq | wechat } | interface interface-type interface-number | ipv6 ipv6-address | mac mac-address | username username }

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of an IPv4 online portal user.

all: Specifies IPv4 and IPv6 online portal users on all interfaces.

auth-type: Specifies online portal users by the authentication type.

cloud: Specifies the cloud authentication.

email: Specifies the email authentication.

local: Specifies the local authentication.

normal: Specifies the normal authentication.

qq: Specifies the QQ authentication.

wechat: Specifies the WeChat authentication.

interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface.

ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.

mac mac-address: Specifies the MAC address of an online portal user, in the format of H-H-H.

username username: Specifies the username of an online portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Log out the portal user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

# Log out the portal user whose MAC address is 000d-88f8-0eab.

<Sysname> system-view

[Sysname] portal delete-user mac 000d-88f8-0eab

# Log out all portal users that come online through email authentication.

<Sysname> system-view

[Sysname] portal delete-user auth-type email

# Log out the portal user whose username is abc.

<Sysname> system-view

[Sysname] portal delete-user username abc

Related commands

display portal user

portal device-id

Use portal device-id to specify the device ID.

Use undo portal device-id to restore the default.

Syntax

portal device-id device-id

undo portal device-id

Default

No device ID is specified for the device.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID for the device, a case-sensitive string of 1 to 63 characters.

Usage guidelines

The portal authentication server uses device IDs to identify the devices that send protocol packets to the portal server.

Make sure the configured device ID is different than any other access devices communicating with the same portal authentication server.

Examples

# Set the device ID of the device to 0002.0010.100.00.

<Sysname> system-view

[Sysname] portal device-id 0002.0010.100.00

portal domain

Use portal [ ipv6 ] domain to configure a portal authentication domain on a VLAN interface or a service template. All portal users accessing through the VLAN interface must use the authentication domain.

Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain.

Syntax

portal [ ipv6 ] domain domain-name

undo portal [ ipv6 ] domain

Default

No portal authentication domain is configured on a VLAN interface or a service template.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on a VLAN interface or on a service template.

Do not specify the ipv6 keyword for IPv4 portal users.

Examples

# Configure the authentication domain for IPv4 portal users as my-domain on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal domain my-domain

# Configure the authentication domain for IPv4 portal users as my-domain on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal domain my-domain

Related commands

display portal

portal enable

Use portal [ ipv6 ] enable to enable portal authentication.

Use undo portal [ ipv6 ] enable to disable portal authentication.

Syntax

In VLAN interface view:

portal enable method direct

portal ipv6 enable method direct

undo portal [ ipv6 ] enable

In service template view:

portal [ ipv6 ] enable method direct

undo portal [ ipv6 ] enable

Default

Portal authentication is disabled.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Enables IPv6 portal authentication. If you do not specify this keyword, IPv4 portal authentication is enabled.

Usage guidelines

Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication.

You can enable both IPv4 and IPv6 portal authentication on a VLAN interface or on a service template.

Do not enable portal authentication on both a VLAN interface and a service template.

Examples

# Enable IPv4 portal authentication on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal enable method direct

# Enable IPv4 portal authentication on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal enable method direct

Related commands

display portal

portal extend-auth domain

Use portal extend-auth domain to specify the authentication domain for third-party authentication.

Use undo portal extend-auth domain to remove the authentication domain for third-party authentication.

Syntax

portal extend-auth domain domain-name

undo portal extend-auth domain

Default

No authentication domain is specified for third-party authentication.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

This command is restricted to Hong Kong and Macao.

The specified ISP domain takes effect only on IPv4 portal users that use third-party authentication.

Examples

# Specify authentication domain my-domain for third-party authentication on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal extend-auth domain my-domain

Related commands

display portal

portal extend-auth-server

Use portal extend-auth-server to create a third-party authentication server and enter its view, or enter the view of an existing third-party authentication server.

Use undo portal extend-auth-server to delete a third-party authentication server.

Syntax

portal extend-auth-server { qq | mail }

undo portal extend-auth-server { qq | mail }

Default

No third-party authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

qq: Specifies the QQ authentication server.

mail: Specifies the email authentication server.

Usage guidelines

This command is restricted to Hong Kong and Macao.

The device supports using the QQ or email authentication server as a third-party portal authentication server for portal authentication. A portal user can use a QQ or email account instead of a portal account to perform portal authentication. If the user passes third-party authentication, the third-party server notifies the third-party authentication success of the user to the device. Then, the device interacts with the local portal Web server to complete the remaining process of portal authentication.

Examples

# Create a QQ authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq]

# Create an email authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail]

Related commands

display portal extend-auth-server

portal fail-permit server

Use portal [ ipv6 ] fail-permit server to enable the portal fail-permit feature for a portal authentication server.

Use undo portal [ ipv6] fail-permit server to disable the portal fail-permit feature for the portal authentication server.

Syntax

portal [ ipv6 ] fail-permit server server-name

undo portal [ ipv6] fail-permit server

Default

Portal fail-permit is disabled for the portal authentication server.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal authentication server. If you do not specify this keyword, the specified authentication server is IPv4 portal authentication server.

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

When portal fail-permit is enabled for a portal authentication server and portal Web servers on a VLAN interface, the interface disables portal authentication in either of the following conditions:

· All portal Web servers are unreachable.

· The specified portal authentication server is unreachable.

Portal authentication resumes on the VLAN interface when the specified portal authentication server and a minimum of one portal Web server becomes reachable. After portal authentication resumes, users who failed portal authentication and unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

If you configure this command multiple times, the most recent configuration takes effect.

Examples

# Enable portal fail-permit for portal authentication server pts1 on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal fail-permit server pts1

Related commands

display portal

portal fail-permit web-server

Use portal [ ipv6 ] fail-permit web-server to enable the portal fail-permit feature for portal Web servers.

Use undo portal [ ipv6 ] fail-permit web-server to disable the portal fail-permit feature for portal Web servers.

Syntax

portal [ ipv6 ] fail-permit web-server

undo portal [ ipv6] fail-permit web-server

Default

Portal fail-permit is disabled for portal Web servers.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal Web servers. If you do not specify this keyword, IPv4 portal Web servers are specified.

Usage guidelines

When portal fail-permit is enabled for a portal authentication server and portal Web servers, the VLAN interface or service template disables portal authentication in either of the following conditions:

· All portal Web servers are unreachable.

· The specified portal authentication server is unreachable.

Portal authentication resumes on the VLAN interface or service template when the specified portal authentication server and a minimum of one portal Web server becomes reachable. After portal authentication resumes, users who failed portal authentication and unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

On the same VLAN interface or service template, the portal Web server is unreachable when both the primary and backup portal Web servers are unreachable.

Examples

# Enable portal fail-permit for the portal Web servers on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal fail-permit web-server

Related commands

display portal

portal free-all except destination

Use portal free-all except destination to configure an IPv4 portal authentication destination subnet on a VLAN interface.

Use undo portal free-all except destination to delete the IPv4 portal authentication destination subnets on the VLAN interface.

Syntax

portal free-all except destination ipv4-network-address { mask-length | mask }

undo portal free-all except destination [ ipv4-network-address ]

Default

No IPv4 portal authentication destination subnet is configured on a VLAN interface. Portal users must pass portal authentication to access any subnet.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

ipv4-network-address: Specifies an IPv4 portal authentication subnet address.

mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal format.

Usage guidelines

Portal users on a VLAN interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.

You can configure multiple authentication destination subnets.

If you do not specify the ipv4-network-address argument in the undo portal free-all except destination command, this commands deletes all IPv4 portal authentication destination subnets on the interface.

Examples

# Configure an IPv4 portal authentication destination subnet of 11.11.11.0/24 on VLAN-interface 2. Portal users need to pass authentication to access this subnet and can access other subnets without authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname–Vlan-interface2] portal free-all except destination 11.11.11.0 24

Related commands

display portal

portal free-rule

Use portal free-rule to configure an IP-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number { destination ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

undo portal free-rule { rule-number | all }

Default

No IP-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number in the range of 1 to 4294967295.

destination: Specifies the destination information.

source: Specifies the source information.

ip ip-address: Specifies an IPv4 address for the portal-free rule.

{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32. The mask argument is in dotted decimal format.

ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

ip any: Represents any IPv4 address.

ipv6 any: Represents any IPv6 address.

tcp tcp-port-number: Specifies a TCP port number for the portal-free rule, in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number for the portal-free rule, in the range of 0 to 65535.

all: Specifies all portal-free rules.

interface interface-type interface-number: Specifies a VLAN interface on which the portal-free rule takes effect.

Usage guidelines

You can specify both the source and destination keyword for a portal-free rule. If you specify only one keyword, the other keyword does not act as a filtering criterion.

If you specify both a source port number and a destination port number for a portal-free rule, the two port numbers must belong to the same transport layer protocol.

If you do not specify a VLAN interface, the portal-free rule takes effect on all portal-enabled VLAN interfaces.

You cannot configure two portal-free rules with the same filtering criteria.

Examples

# Configure an IPv4-based portal-free rule: specify the rule number as 1, the source IP address as 10.10.10.1/24, the destination IP address as 20.20.20.1, the destination TCP port number as 23, and the interface as VLAN-interface 100.

<Sysname> system-view

[Sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24 interface vlan-interface 100

With this rule, users in subnet 10.10.10.1/24 do not need to pass portal authentication through GigabitEthernet 1/0/1 when they access services provided on TCP port 23 of host 20.20.20.1.

# Configure an IPv6-based portal-free rule: specify the rule number as 2, the source IP address as 2000::1/64, the destination IP address as 2001::1, the destination TCP port number as 23, and the interface as VLAN-interface 100.

<Sysname> system-view

[Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ip 2000::1 64 interface vlan-interface 100

With this rule, users in subnet 2000::1/64 do not need to pass portal authentication through VLAN-interface 100 when they access services provided on TCP port 23 of host 2001::1.

Related commands

display portal rule

portal free-rule destination

Use portal free-rule destination to configure a destination-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number destination host-name

undo portal free-rule { rule-number | all }

Default

No destination-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number in the range of 1 to 4294967295.

destination: Specifies the destination host.

host-name: Specifies the destination host by its name, a case-insensitive string that can contain letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*).

all: Specifies all portal-free rules.

Usage guidelines

You can configure a hostname in one of the following ways:

· For exact match—Specify a complete hostname. For example, if you configure the hostname as abc.com.cn in the portal-free rule, only packets that contain the hostname abc.com.cn match the rule. Packets that carry any other hostnames (such as dfabc.com.cn) do not match the rule.

· For fuzzy match—Specify a hostname by placing the asterisk (*) wildcard character at the beginning or end of the hostname string. For example, if you configure the hostname as *abc.com.cn, abc*, or *abc*, packets that carry the hostname ending with abc.com.cn, starting with abc, or including abc match the rule.

The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

The configured hostname cannot contain only asterisks (*).

You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists.

Examples

# Configure a destination-based portal-free rule numbered 4 to allow portal users whose HTTP/HTTPS requests carry hostname www.h3c.com to access network resources without portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 destination www.h3c.com

Related commands

display portal rule

portal free-rule source

Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source MAC address, source interface, and source VLAN.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number source { ap ap-name | { interface interface-type interface-number | mac mac-address | vlan vlan-id } * }

undo portal free-rule { rule-number | all }

Default

No source-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number in the range of 1 to 4294967295.

interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule.

mac mac-address: Specifies a source MAC address for the portal-free rule, in the form of H-H-H.

vlan vlan-id: Specifies a source VLAN ID for the portal-free rule.

all: Specifies all portal-free rules.

Usage guidelines

If you specify both the source VLAN and the source Layer 2 interface, the interface must be in the VLAN.

If portal users have come online before source-based portal-free rules are configured, the device keeps accounting on traffic of the users even if they match these rules.

Examples

# Configure a source-based portal-free rule numbered 3 to allow the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 3 source mac 1-1-1 vlan 10

# Configure a source-based portal-free rule numbered 4 to allow portal users on AP 10 to access network resources without portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 source ap ap10

Related commands

display portal rule

portal host-check enable

Use portal host-check enable to enable validity check on wireless portal clients.

Use undo portal host-check enable to disable validity check on wireless portal clients.

Syntax

portal host-check enable

undo portal host-check enable

Default

The device checks wireless portal client validity according to ARP entries only.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, you must enable wireless client validity check on the AC.

This feature enables the AC to validate a client by looking up the client information in the WLAN snooping table, DHCP snooping table, and ARP table. If the client information exists, the AC determines the client to be valid for portal authentication.

Examples

# Enable validity check on wireless portal clients.

<Sysname> system-view

[Sysname] portal host-check enable

portal ipv6 free-all except destination

Use portal ipv6 free-all except destination to configure an IPv6 portal authentication destination subnet.

Use undo portal ipv6 free-all except destination to delete IPv6 portal authentication destination subnets.

Syntax

portal ipv6 free-all except destination ipv6-network-address prefix-length

undo portal ipv6 free-all except destination [ ipv6-network-address ]

Default

No IPv6 portal authentication destination subnet is configured on a VLAN interface. Portal users must pass portal authentication to access any IPv6 subnet.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

ipv6-network-address: Specifies an IPv6 portal authentication destination subnet.

prefix-length: Specifies the prefix length of the IPv6 subnet, in the range of 0 to 128.

Usage guidelines

You can configure multiple authentication destination subnets.

If you do not specify the ipv6-network-address argument in the undo portal ipv6 free-all except destination command, this command deletes all IPv6 portal authentication destination subnets on the interface.

Examples

# Configure an IPv6 portal authentication destination subnet of 1::2/16 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname–Vlan-interface2] portal ipv6 free-all except destination 1::2 16

Related commands

display portal

portal ipv6 user-detect

Use portal ipv6 user-detect to enable online detection of IPv6 portal users.

Use undo portal user-detect to disable online detection of IPv6 portal users.

Syntax

portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ]

undo portal ipv6 user-detect

Default

Online detection of IPv6 portal users is disabled.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

· icmpv6—ICMPv6 detection.

· nd—ND detection.

retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Sets the user idle timeout in the range of 60 to 3600 seconds. The default is 180 seconds. When the timeout expires, online detection of portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows:

· ICMPv6 detection—Sends ICMPv6 requests to the user at configurable intervals to detect the user status.

? If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.

? If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

· ND detection—Sends ND requests to the user and detects the ND entry status of the user at configurable intervals.

? If the ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

? If the ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface.

Examples

# Enable online detection of IPv6 portal users on VLAN-interface 100. Configure the detection type as ND, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal ipv6 user-detect type nd retry 5 interval 10 idle 300

Related commands

display portal

portal local-web-server

Use portal local-web-server to create a local portal Web server and enter its view, or enter the view of an existing local portal Web server.

Use undo portal local-web-server to delete the local portal Web server.

Syntax

portal local-web-server { http | https [ ssl-server-policy policy-name ] [ tcp-port port-number ] }

undo portal local-web-server { http | https }

Default

No local portal Web servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

http: Configures the local portal Web server to use HTTP to exchange authentication information with clients.

https: Configures the local portal Web server to use HTTPS to exchange authentication information with clients.

ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters. If you do not specify this option, HTTPS is associated with the SSL server policy that uses the self-signed certificate. That SSL server policy supports all cipher suites.

tcp-port port-number: Specifies the listening TCP port number for the HTTPS-based local portal Web service. The value range for the port-number argument is 1 to 65535. The default port number is 443.

Usage guidelines

After a local portal Web server is configured on the access device, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.

For a VLAN interface to use the local portal Web server, the URL of the portal Web server specified for the VLAN interface must meet the following requirements:

· The IP address in the URL must be a local IP address on the device (except the IP address 127.0.0.1).

· The URL must be ended with /portal/. For example: http://1.1.1.1/portal/.

You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.

You cannot change the associated SSL server policy for HTTPS by executing this command repeatedly. To change the SSL server policy for HTTPS:

1. Delete the local portal Web server by using the portal local-web-server https ssl-server-policy command.

2. Re-create the local portal Web server and specify a new SSL server policy by using the portal local-web-server https ssl-server-policy command.

When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines:

· For HTTPS-based local portal Web service and other services that use HTTPS:

? If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

? If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

· Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS) or other service.

· Do not configure the same TCP port number for HTTP-based local portal Web service and HTTPS-based local portal Web service.

Examples

# Configure a local portal Web server. Use HTTP to exchange authentication information with clients.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http]

# Configure a local portal Web server. Use HTTPS to exchange authentication information with clients, and specify SSL server policy policy1 for HTTPS.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1

[Sysname-portal-local-websvr-https]

# Change the SSL server policy to policy2.

[Sysname] undo portal local-web-server https

[Sysname] portal local-web-server https ssl-server-policy policy2

[Sysname-portal-local-websvr-https]

# Create an HTTPS-based local portal Web service. In the service, the associated SSL server policy is policy1 and the listening port number is 442.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442

[Sysname-portal-local-websvr-https] quit

Related commands

· default-logon-page

· portal local-web-server

· ssl server-policy

portal logout-record enable

Use portal logout-record enable to enable portal user offline recording.

Use undo portal logout-record enable to disable portal user offline recording.

Syntax

portal logout-record enable

undo portal logout-record enable

Default

Portal user offline recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save all portal user offline records and to periodically send the records to the lvzhou cloud server or other servers.

Examples

# Enable portal user offline recording.

<Sysname> system-view

[Sysname] portal logout-record enable

Related commands

display portal logout-record

portal logout-record export

Use portal logout-record export to export portal user offline records to a path.

Syntax

portal logout-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal user offline records are exported. The URL is a case-insensitive string of 1 to 255 characters.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 41 describes the valid URL format for each method.

Table 41 URL formats

Protocol	URL format	Remarks
FTP	ftp://username[:password]@server-address[:port-number]/file-path Example: ftp://a:1@1.1.1.1/authfail/	The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.
TFTP	tftp://server-address[:port-number]/file-path Example: tftp://1.1.1.1/ autherror/	N/A
HTTP	http://username[:password]@server-address[:port-number]/file-path Example: http://1.1.1.1/autherror/	The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.

Examples

# Export all portal user offline records to path tftp://1.1.1.1/record/logout/.

<Sysname> system-view

[Sysname] portal logout-record export url tftp://1.1.1.1/record/logout/

# Export portal user offline records in the time rang of 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/logout/.

<Sysname> system-view

[Sysname] portal logout-record export tftp://1.1.1.1/record/logout/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal logout-record

portal logout-record enable

reset portal logout-record

portal logout-record max

Use portal logout-record max to set the maximum number of portal user offline records.

Use undo portal logout-record max to restore the default.

Syntax

portal logout-record max number

undo portal logout-record max

Default

The maximum number of portal user offline records is 32000.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal user offline records, in the range of 1 to 4294967295.

Usage guidelines

When the maximum number of portal user offline records is reached, the new record overwrites the oldest one.

Examples

# Set the maximum number of portal user offline records to 50.

<Sysname> system-view

[Sysname] portal logout-record max 50

Related commands

display portal logout-record

portal mac-trigger-server

Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server.

Use undo portal mac-trigger-server to delete the MAC binding server.

Syntax

portal mac-trigger-server server-name

undo portal mac-trigger-server server-name

Default

No MAC binding servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

After you create a MAC binding server, you can configure MAC binding server parameters, such as the server's IP address and the free-traffic threshold.

Examples

# Create MAC binding server mts and enter its view.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts]

Related commands

· display portal mac-trigger-server

· portal apply mac-trigger-server

portal max-user

Use portal max-user to set the maximum number of total portal users allowed in the system.

Use undo portal max-user to restore the default.

Syntax

portal max-user max-number

undo portal max-user

Default

The total number of portal users allowed in the system is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of total portal users in the system. The value range is 1 to 4294967295.

Usage guidelines

If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect. The online users are not affected by this command, but the system forbids new portal users to log in.

This command sets the maximum number of online IPv4 and IPv6 portal users in all.

Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system-allowed maximum number. Otherwise, the exceeding portal users will not be able to log in to the device.

Examples

# Set the maximum number of online portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

Related commands

· display portal user

· portal { ipv4-max-user | ipv6-max-user }

portal nas-id profile

Use portal nas-id-profile to specify a NAS-ID profile for a VLAN interface.

Use undo portal nas-id-profile to restore the default.

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

Default

No NAS-ID profile is specified for a VLAN interface.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs. To configure a NAS-ID profile, use the aaa nas-id profile command. For more information, see "AAA commands."

If a VLAN interface is specified with a NAS-ID profile, the VLAN interface prefers to use the bindings defined in the profile.

If no NAS-ID profile is specified for a VLAN interface or no matching binding is found in the specified profile, the device uses the device name as the interface NAS-ID.

Examples

# Specify the NAS-ID profile aaa for VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-id-profile aaa

Related commands

aaa nas-id profile

portal nas-port-id format

Use portal nas-port-id format to specify the NAS-Port-Id attribute format.

Use undo portal nas-port-id format to restore the default.

Syntax

portal nas-port-id format { 1 | 2 | 3 | 4 }

undo portal nas-port-id format

Default

The format for the NAS-Port-Id attribute is format 2.

Views

System view

Predefined user roles

network-admin

Parameters

1: Uses format 1 for the NAS-Port-Id attribute.

2: Uses format 2 for the NAS-Port-Id attribute.

3: Uses format 3 for the NAS-Port-Id attribute.

4: Uses format 4 for the NAS-Port-Id attribute.

Usage guidelines

The NAS-Port-Id format supported by RADIUS servers varies by vendor. Use this command to specify the format of the NAS-Port-Id attribute in the RADIUS packets sent for portal users to the RADIUS server. The device then automatically constructs a value for the NAS-Port-Id attribute in the specified format to meet the RADIUS server requirements.

Format 1 contains three space-separated strings: interface-type port-location access-node-id. Spaces are not allowed within a string.

· The interface-type string specifies the interface type of the NAS port. Available options include:

? atm—ATM interface.

? eth—Common Ethernet interface.

? trunk—Ethernet trunk interface.

? 0—The interface type information will be reported by the access node to the BRAS.

· The port-location string represents the location of the access line on the BRAS. Its format is NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

Field	Description
NAS_slot	Slot number of the BRAS, in the range of 0 to 31.
NAS_subslot	Subslot number of the BRAS, in the range of 0 to 31.
NAS_Port	Port number of the BRAS, in the range of 0 to 63.
XPI.XCI	For ATM interfaces: · XPI is VPI in the range of 0 to 255. · XCI is VCI in the range of 0 to 65535. For Ethernet interfaces or Ethernet trunk interfaces: · XPI is PVLAN in the range of 0 to 4095. This field is set to 4096 if there is no PVLAN. · XCI is CVLAN in the range of 0 to 4095. This field is set to 4096 if the user is not assigned to a VLAN as in the situation where the end user device is directly connected to a BRAS port.

For the access node to report its access line information to the BRAS, all fields will be set to 0s except for the XPI and XCI fields.

· The access-node-id string specifies the attributes the of BRAS. Its format is AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port:ANI_XPI.ANI_XCI, in which the :ANI_XPI.ANI_XCI portion is optional.

Field	Description
AccessNodeIdentifier	Identifier description of the access node, a string not longer than 50 characters without spaces.
ANI_rack	Rack number of the access node, in the range of 0 to 15.
ANI_frame	Frame number of the access node, in the range of 0 to 31.
ANI_slot	Slot number of the access node, in the range of 0 to 127.
ANI_subslot	Subslot number of the access node, in the range of 0 to 31.
ANI_port	Port number of the access node, in the range of 0 to 255.
ANI_XPI.ANI_XCI	Optional. This field is mainly used to carry CPE-side service information, identifying the further service type requirement. For example, use this field to identify specific services in a multi-PVC scenario. For ATM interfaces: · ANI_XPI is VPI in the range of 0 to 255 · ANI_XCI is VCI in the range of 0 to 65535. For Ethernet interfaces or Ethernet trunk interfaces: · ANI_XPI is PVLAN in the range of 0 to 4095. This field is set to 4096 if there is no PVLAN. · ANI_XCI is CVLAN in the range of 0 to 4095. This field is set to 4096 if the user is not assigned to a VLAN as in the situation where the end user device is directly connected to a BRAS port.

If the device does not have rack, frame, or subslot information, 0 is padded in the corresponding field.

For ATM interfaces, all fields in the access-node-id string are filled with 0s except for the ANI_XPI and ANI_XCI fields.

· Examples of format 1:

NAS-Port-Id	Description
atm 31/31/7:255.65535 0/0/0/0/0/0	The subscriber interface is an ATM interface. The slot number is 31, the BRAS subslot number is 31, the BRAS port number is 7, the VPI is 255, and the VCI is 65535.
eth 31/31/7:1234.2345 0/0/0/0/0/0	The subscriber interface is an Ethernet interface. The slot number is 31, the subslot number is 31, the port number is 7, the PVLAN is 1234, and the CVLAN is 2345. If there is no PVLAN, 1234 will be replaced with 4096.
eth 31/31/7:4096.2345 guangzhou001/1/31/63/31/127	The subscriber interface is an Ethernet interface. The slot number is 31, the subslot number is 31, the port number is 7, and the VLAN ID is 2345. The access node identifier of the DSLAM is guangzhou001, the rack number is 1, the frame number is 31, the slot number is 63, subslot number is 31, and the port number is 127.
0 0/0/0:4096.1234 guangzhou001/0/31/63/31/127	The 0 and 0/0/0 strings indicate that BRAS does not have access line information and will use the information received from the access node. After receiving access line information from the access node, the BRAS transparently delivers the information or complements the BRAS access link information as configured. For example, the BRAS complements the access line information as eth 31/31/7:4096.1234 guangzhou001/0/31/63/31/127.

Format 2 is SlotID/00/IfNO/VlanID.

· SlotID—The number of the slot the user accesses, a string of 2 characters.

· IFNO—The number of the interface the user accesses, a string of 3 characters.

· VlanID—The number of VLAN the user accesses, a string of 9 characters.

Format 3 is SlotID/00/IfNO/VlanID/DHCP option.

· SlotID—The number of the slot the user accesses, a string of 2 characters.

· IFNO—The number of the interface the user accesses, a string of 3 characters.

· VlanID—The number of VLAN the user accesses, a string of 9 characters.

· DHCP option—DHCP option 82 is appended for IPv4 users and DHCP option 18 is appended for IPv6 users.

Format 4 is slot=**;subslot=**;port=**;vlanid=**;vlanid2=**;.

· For non-VLAN interfaces, the slot=**;subslot=**;port=**;vlanid=0; format is used.

· For interfaces that terminate only the outermost VLAN tag, the slot=**;subslot=**;port=**;vlanid=**; format is used.

Examples

# Set the format of the NAS-Port-Id attribute to format 1.

<Sysname> system-view

[Sysname] portal nas-port-id format 1

portal nas-port-type

Use portal nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo portal nas-port-type to restore the default.

Syntax

portal nas-port-type { ethernet | wireless }

undo portal nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is the user's access interface type value obtained by the access device.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ethernet: Specifies the NAS-Port-Type attribute value as Ethernet (number 15).

wireless: Specifies the NAS-Port-Type attribute value as WLAN-IEEE 802.11 (number 19).

Usage guidelines

As the access device, the BAS might not be able to correctly obtain a user's interface type when multiple network devices exist between the BAS and the portal client. For example, the access interface type obtained by the BAS for a wireless portal user might be the type of the wired interface that authenticated the user. For the BAS to send correct user interface type to the RADIUS server, use this command to specify the correct NAS-Port-Type value.

Examples

# Specify the NAS-Port-Type value in RADIUS requests sent to RADIUS server as WLAN-IEEE 802.11 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-port-type wireless

# Specify the NAS-Port-Type value in RADIUS requests sent to RADIUS server as WLAN-IEEE 802.11 on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal nas-port-type wireless

Related commands

display portal interface

portal oauth user-sync interval

Use portal oauth user-sync interval to set the user synchronization interval for portal authentication using OAuth.

Use undo portal oauth user-sync interval to restore the default.

Syntax

portal oauth user-sync interval interval

undo portal oauth user-sync interval

Default

The user synchronization interval is 60 seconds for portal authentication using OAuth.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the user synchronization interval, in seconds. The value for this argument can be 0 or in the range of 60 to 3600.

Usage guidelines

If portal authentication uses OAuth, the device periodically reports user information to the portal authentication server for user synchronization on the server. To disable user synchronization from the device to the portal authentication server, set the user synchronization interval to 0 seconds on the device.

Examples

# Set the user synchronization interval to 120 seconds for portal authentication using OAuth.

<Sysname> system-view

[Sysname] portal oauth user-sync interval 120

portal outbound-filter enable

Use portal [ ipv6 ] outbound-filter enable to enable outgoing packets filtering.

Use undo portal [ ipv6 ] outbound-filter enable to disable outgoing packets filtering.

Syntax

portal [ ipv6 ] outbound-filter enable

undo portal [ ipv6 ] outbound-filter enable

Default

Outgoing packets filtering is disabled. A portal-enabled interface can send any packets.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies outgoing IPv6 packets. If you do not specify this keyword, the command is for outgoing IPv4 packets.

Usage guidelines

When you enable this feature on a portal-enabled VLAN interface or service template, the device permits the interface or service template to send the following packets:

· Packets whose destination IP addresses are IP addresses of authenticated portal users.

· Packets that match portal-free rules.

Other outgoing packets on the VLAN interface or service template are dropped.

Examples

# Enable outgoing packets filtering on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 20

[Sysname–Vlan-interface20] portal outbound-filter enable

# Enable outgoing packets filtering on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal outbound-filter enable

Related commands

portal enable

portal packet log enable

Use portal packet log enable to enable logging for portal protocol packets.

Use undo portal packet log enable to disable logging for portal protocol packets.

Syntax

portal packet log enable

undo portal packet log enable

Default

Portal protocol packet logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal protocol packets, including the username, IP address, authentication type, packet type, SSID, and AP MAC. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for portal protocol packets.

<Sysname> system-view

[Sysname] portal packet log enable

Related commands

portal redirect log enable

portal user log enable

portal pre-auth domain

Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users on a VLAN interface.

Use undo portal [ ipv6 ] pre-auth domain to restore the default.

Syntax

portal [ ipv6 ] pre-auth domain domain-name

undo portal [ ipv6 ] pre-auth domain

Default

No preauthentication domain is specified on a VLAN interface.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an existing ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the following characters: slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

Usage guidelines

Make sure you specify an existing ISP domain as a preauthentication domain. If the specified ISP domain does not exist, the device might operate incorrectly.

You must delete a preauthentication domain (by using the undo portal [ ipv6 ] pre-auth domain command) and reconfigure it in the following situations:

· You create the ISP domain after specifying it as the preauthentication domain.

· You delete the specified ISP domain and then re-create it.

The preauthentication domain takes effect only on portal users with IP addresses assigned by DHCP or DHCPv6.

After you configure a preauthentication domain on a portal-enabled VLAN interface, the device authorizes users on the VLAN interface as follows:

1. After an unauthenticated user obtains an IP address, the user is assigned with authorization attributes configured for the preauthentication domain.

The authorization attributes in a preauthentication domain include ACL, user profile, and CAR.

An unauthenticated user who is authorized with the authorization attributes in a preauthentication domain is called a preauthentication user.

2. After the user passes portal authentication, the user is assigned with new authorization attributes from the AAA server.

3. After the user goes offline, the user is reassigned with the authorization attributes in the preauthentication domain.

If you change the preauthentication domain on a VLAN interface, the VLAN interface uses the new preauthentication domain for both new and existing preauthentication users.

If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users. Existing preauthentication users use the original authorization attributes.

If the ACL in the preauthentication domain does not exist or the ACL has no rules, the device does not control user access. Users can access any network resources without passing portal authentication.

Follow these guidelines when you configure a preauthentication ACL rule:

· Do not specify a source address. If you specify a source address, users cannot trigger portal authentication.

· Do not set the destination address to any. All packets will be permitted to pass and therefore users can access any resources before portal authentication.

Examples

# Create the preauthentication domain abc for VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal pre-auth domain abc

Related commands

display portal

portal pre-auth ip-pool

Use portal pre-auth ip-pool to specify a preauthentication IP address pool for portal users on a VLAN interface.

Use undo portal pre-auth ip-pool to restore the default.

Syntax

portal [ ipv6 ] pre-auth ip-pool pool-name

undo portal [ ipv6 ] pre-auth ip-pool

Default

No preauthentication IP address pool is specified for portal users on a VLAN interface.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

pool-name: Specifies an IP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation:

· Portal users access the network through a subinterface of the portal-enabled interface.

· The subinterface does not have an IP address.

· Portal users need to obtain IP addresses through DHCP.

DHCP assigns an IP address from the specified IP address pool to a user. Then, the user can use this IP address to perform portal authentication.

Make sure the specified IP address pool exists and is correctly configured.

Examples

# Create the IPv4 address pool abc for VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal pre-auth ip-pool abc

Related commands

· dhcp server ip-pool (Layer 3—IP Services Command Reference)

· display portal

· ipv6 dhcp pool (Layer 3—IP Services Command Reference)

portal redirect log enable

Use portal redirect log enable to enable logging for portal redirect.

Use undo portal redirect log enable to disable logging for portal redirect.

Syntax

portal redirect log enable

undo portal redirect log enable

Default

Portal redirect logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal redirect packets, including the user IP address, MAC address, SSID, BAS IP, and Web server IP address. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for portal redirect.

<Sysname> system-view

[Sysname] portal redirect log enable

Related commands

portal packet log enable

portal user log enable

portal refresh enable

Use portal refresh { arp | nd } enable to enable ARP or ND entry conversion for portal clients.

Use undo portal refresh { arp | nd } enable to disable ARP or ND entry conversion.

Syntax

portal refresh { arp | nd } enable

undo portal refresh { arp | nd } enable

Default

ARP or ND entry conversion is enabled for portal clients.

Views

System view

Predefined user roles

network-admin

Parameters

arp: Specifies the ARP entries.

nd: Specifies the ND entries.

Usage guidelines

When you enable this feature at a time:

· ARP or ND entries for portal users who pass authentication after the time are converted to Rule ARP or ND entries. Rule ARP or ND entries will not be aged.

· ARP or ND entries for portal users who pass authentication before the time will be aged when their respective aging timers expire.

When you disable this feature at a time :

· ARP or ND entries for portal users who pass authentication after the time will be aged when their respective aging timers expire.

· Rule ARP or ND entries created for portal users before the time are still Rule ARP or ND entries.

Examples

# Disable ARP entry conversion for portal clients.

<Sysname> system-view

[Sysname] undo portal refresh arp enable

portal roaming enable

Use portal roaming enable to enable portal roaming.

Use undo portal roaming enable to disable portal roaming.

Syntax

portal roaming enable

undo portal roaming enable

Default

Portal roaming is disabled. An online portal user cannot roam in its VLAN.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command applies only to portal users that log in from VLAN interfaces.

This command cannot be executed when online users or preauthentication portal users are present on the device.

If portal roaming is enabled, an online portal user can access network resources from any Layer 2 port in its local VLAN. If portal roaming is disabled, the portal user can access network resources only from the Layer 2 port on which it passes authentication.

Examples

# Enable portal roaming.

<Sysname> system-view

[Sysname] portal roaming enable

portal safe-redirect enable

Use portal safe-redirect enable to enable the portal safe-redirect feature.

Use undo portal safe-redirect enable to disable the portal safe-redirect feature.

Syntax

portal safe-redirect enable

undo portal safe-redirect enable

Default

The portal safe-redirect feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Portal redirects all HTTP requests except HTTP requests that match portal-free rules to the portal Web server, which might overload the server.

Portal safe-redirect filters HTTP requests by HTTP request method, browser type (in HTTP User Agent), and destination URL, and redirects only the permitted HTTP requests.

As a best practice to avoid server overload and improve security, enable portal safe-redirect on the device.

Examples

# Enable the portal safe-redirect feature.

<Sysname> system-view

[Sysname] portal safe-redirect enable

Related commands

portal safe-redirect forbidden-url

portal safe-redirect method

portal safe-redirect user-agent

portal safe-redirect forbidden-file

Use portal safe-redirect forbidden-file to configure a filename extension forbidden by portal safe-redirect. If the URL of an HTTP request includes the specified filename extension, the device does not redirect the HTTP request.

Use undo portal safe-redirect forbidden-file to delete a portal safe-redirect forbidden filename extension.

Syntax

portal safe-redirect forbidden-file filename-extension

undo portal safe-redirect forbidden-file filename-extension

Default

No forbidden filename extensions are configured. The device redirects HTTP requests regardless of the filename extension in the URL.

Views

System view

Predefined user roles

network-admin

Parameters

filename-extension: Specifies a filename extension forbidden by portal safe-redirect, a case sensitive string of 1 to 16 characters.

Usage guidelines

You can configure multiple portal safe-redirect forbidden filename extensions.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify .jpg as a portal safe-redirect forbidden filename extension.

<Sysname> system-view

[Sysname] portal safe-redirect forbidden-file .jpg

Related commands

portal safe-redirect enable

portal safe-redirect forbidden-url

Use portal safe-redirect forbidden-url to configure a URL forbidden by portal safe-redirect.

Use undo portal safe-redirect forbidden-url to delete a portal safe-redirect forbidden URL.

Syntax

portal safe-redirect forbidden-url user-url-string

undo portal safe-redirect forbidden-url user-url-string

Default

No forbidden URLs are configured. The device can redirect HTTP requests with any URLs.

Views

System view

Predefined user roles

network-admin

Parameters

user-url-string: Specifies a URL forbidden by portal safe-redirect, a case sensitive string of 1 to 256 characters.

Usage guidelines

You can execute this command multiple times to configure multiple portal safe-redirect forbidden URLs. The device does not redirect HTTP requests destined for the specified URLs to the portal Web server.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify http://www.abc.com as a portal safe-redirect forbidden URL.

<Sysname> system-view

[Sysname] portal safe-redirect forbidden-url http://www.abc.com

Related commands

portal safe-redirect enable

portal safe-redirect method

Use portal safe-redirect method to specify HTTP request methods permitted by portal safe-redirect.

Use undo portal safe-redirect method to delete HTTP request methods permitted by portal safe-redirect.

Syntax

portal safe-redirect method { get | post }*

undo portal safe-redirect method { get | post }*

Default

After portal safe-redirect is enabled, the device redirects only HTTP requests with the GET method.

Views

System view

Predefined user roles

network-admin

Parameters

get: Specifies the GET request method.

post: Specifies the POST request method.

Usage guidelines

After you specify HTTP request methods for portal safe-redirect, the device redirects only the HTTP requests with the specified methods to the portal Web server.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

If you configure this command multiple times, the most recent configuration takes effect.

Examples

# Specify the GET request method for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect method get

Related commands

portal safe-redirect enable

portal safe-redirect user-agent

Use portal safe-redirect user-agent to specify a browser type for portal safe-redirect.

Use undo portal safe-redirect user-agent to delete a browser type for portal safe-redirect.

Syntax

portal safe-redirect user-agent user-agent-string

undo portal safe-redirect user-agent user-agent-string

Default

After portal safe-redirect is enabled, the device redirects the HTTP packets matching any browser types in Table 42.

Views

System view

Predefined user roles

network-admin

Parameters

user-agent-string: Specifies a browser type in HTTP User Agent, a case-sensitive string of 1 to 255 characters. You can specify the browser types as shown in Table 42.

Table 42 Browser type and description

Browser type	Description
Safari	Apple browser
Chrome	Google browser
Firefox	Firefox browser
UC	UC browser
QQBrowser	QQ browser
LBBROWSER	Cheetah browser
TaoBrowser	Taobao browser
Maxthon	Maxthon browser
BIDUBrowser	Baidu browser
MSIE 10.0	Microsoft IE 10.0 browser
MSIE 9.0	Microsoft IE 9.0 browser
MSIE 8.0	Microsoft IE 8.0 browser
MSIE 7.0	Microsoft IE 7.0 browser
MSIE 6.0	Microsoft IE 6.0 browser
MetaSr	Sogou browser

Usage guidelines

You can execute this command for multiple times to specify multiple browser types. The device redirects an HTTP request only when its User-Agent string contains a specified browser type.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify browser types Chrome and Safari for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect user-agent Chrome

[Sysname] portal safe-redirect user-agent Safari

Related commands

portal safe-redirect enable

portal server

Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.

Use undo portal server to delete the specified portal authentication server.

Syntax

portal server server-name

undo portal server server-name

Default

No portal authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In portal authentication server view, you can configure the following parameters and features for the portal authentication server:

· IP address of the server.

· Pre-shared key for communication between the access device and the server.

· Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

· Server detection feature.

You can configure multiple portal authentication servers for an access device.

Examples

# Create the portal authentication server pts and enter its view.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts]

Related commands

display portal server

portal temp-pass enable

Use portal temp-pass enable to enable portal temporary pass and set the temporary pass period.

Use undo portal temp-pass enable to disable portal temporary pass.

Syntax

portal temp-pass [ period period-value ] enable

undo portal temp-pass enable

Default

Portal temporary pass is disabled.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

period period-value: Specifies the temporary pass period. The value range for the period-value argument is 10 to 180 seconds, and the default is 30 seconds.

Usage guidelines

This command is restricted to Hong Kong and Macao.

Typically, a portal user cannot access the network before passing portal authentication. This feature allows a user to access the Internet temporarily if the user uses a WeChat account to perform portal authentication. During the temporary pass period, the user provides WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication.

Examples

# On service template service1, enable portal temporary pass and set the temporary pass period to 25 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal temp-pass period 25 enable

Related commands

display portal

portal user-detect

Use portal user-detect to enable online detection of IPv4 portal users.

Use undo portal user-detect to disable online detection of IPv4 portal users.

Syntax

portal user-detect type { arp | icmp } [ retry retries] [ interval interval ] [ idle time ]

undo portal user-detect

Default

Online detection of IPv4 portal users is disabled.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

· arp—ARP detection.

· icmp—ICMP detection.

retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Sets a user idle timeout in the range of 60 to 3600 seconds. The default is 180 seconds. When the timeout expires, online detection of IPv4 portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the configured idle time, the device detects the user's online status as follows:

· ICMP detection—Sends ICMP requests to the user at configurable intervals to detect the user status.

? If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

· ARP detection—Sends ARP requests to the user and detects the ARP entry status of the user at configurable intervals.

? If the ARP entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

? If the ARP entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

If firewall policies on the access device filter out ICMP packets, ICMP detection might fail and result in the logout of portal users. Make sure the access device does not block ICMP packets before you enable ICMP detection on an interface.

Examples

# Enable online detection of IPv4 portal users on VLAN-interface 100. Configure the detection type as ARP, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300

Related commands

display portal

portal user-dhcp-only

Use portal user-dhcp-only to allow only portal clients with DHCP-assigned IP addresses to pass portal authentication.

Use undo portal user-dhcp-only to restore the default.

Syntax

portal [ ipv6 ] user-dhcp-only

undo portal [ ipv6 ] user-dhcp-only

Default

Both portal clients with DHCP-assigned IP addresses and portal clients with static IP addresses can pass portal authentication.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal clients. Do not specify this keyword for IPv4 portal clients.

Usage guidelines

After this command is configured, portal clients with static IP addresses cannot pass portal authentication.

To ensure that IPv6 portal clients can pass portal authentication when this feature is configured, disable the temporary IPv6 address feature on terminal devices. Otherwise, IPv6 portal clients will use temporary IPv6 addresses to access the IPv6 network and will fail portal authentication.

Examples

# Configure VLAN-interface 100 to allow only portal clients with DHCP-assigned IP addresses to pass portal authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal user-dhcp-only

# Configure service template service1 to allow only portal clients with DHCP-assigned IP addresses to pass portal authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal user-dhcp-only

Related commands

display portal

portal user-logoff after-client-offline enable

Use portal user-logoff after-client-offline enable to automatically log out portal users after the wireless clients go offline.

Use undo portal user-logoff after-client-offline enable to restore the default.

Syntax

portal user-logoff after-client-offline enable

undo portal user-logoff after-client-offline enable

Default

Automatic logout is disabled for wireless portal users. Portal users will not be automatically logged out after the wireless clients are disconnected from the wireless network.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After automatic logout is enabled for wireless portal users, the device will automatically log out a portal user after the user is disconnected from the wireless network.

Examples

# Enable automatic logging out of portal users after the wireless clients go offline.

<Sysname> system-view

[Sysname] portal user-logoff after-client-offline enable

portal user-logoff ssid-switch enable

Use portal user-logoff ssid-switch enable to enable the device to log out wireless portal users when they switch SSIDs.

Use undo portal user-logoff ssid-switch enable to disable the device from logging out wireless portal users when they switch SSIDs.

Syntax

portal user-logoff ssid-switch enable

undo portal user-logoff ssid-switch enable

Default

The device does not log out wireless portal users when they switch SSIDs and the users stay online.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to log out portal users on the original service template when they switch SSIDs so that they can pass authentication on the new service template.

Examples

# Enable the device to log out wireless portal users when they switch SSIDs.

<Sysname> system-view

[Sysname] portal user-logoff ssid-switch enable

portal user log enable

Use portal user log enable to enable logging for portal user logins and logouts.

Use undo portal user log enable to disable logging for portal user logins and logouts.

Syntax

portal user log enable

undo portal user log enable

Default

Portal user login and logout logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, name of the access interface, VLAN, SSID, AP's MAC address, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for portal user logins and logouts.

<Sysname> system-view

[Sysname] portal user log enable

Related commands

portal packet log enable

portal redirect log enable

portal web-server

Use portal web-server to create a portal Web server and enter its view, or enter the view of an existing portal Web server.

Use undo portal web-server to delete the specified portal Web server.

Syntax

portal web-server server-name

undo portal web-server server-name

Default

No portal Web servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server. In portal Web server view, you can configure the URL and URL parameters for the portal Web server and the portal Web server detection feature.

Examples

# Create portal Web server wbs and enter its view.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs]

Related commands

· display portal web-server

· portal apply web-server

redirect-url

Use redirect-url to specify the URL to which portal users are redirected after they pass QQ authentication.

Use undo redirect-url to restore the default.

Syntax

redirect-url url-string

undo redirect-url

Default

Portal users are redirected to URL http://lvzhou.h3c.com/portal/qqlogin.html after they pass QQ authentication.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL to which portal users are redirected after they pass QQ authentication. The URL is a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command is restricted to Hong Kong and Macao.

After a portal user passes QQ authentication, the user is redirected to the specified webpage to complete portal authentication.

You must enable DNS proxy and specify the IP address of an interface on the device as the DNS server.

Examples

# Specify http://www.abc.com/portal/qqlogin.html as the redirection URL for QQ authentication success.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] redirect-url http://www.abc.com/portal/qqlogin.html

Related commands

display portal extend-auth-server

reset portal auth-error-record

Use reset portal auth-error-record to clear portal authentication error records.

Syntax

reset portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

Examples

# Clear all portal authentication error records.

<Sysname> reset portal auth-error-record all

# Clear portal authentication error records for the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal auth-error-record ipv4 11.1.0.1

# Clear portal authentication error records for the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal auth-error-record ipv6 2000::2

# Clear portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal auth-error-record

reset portal auth-fail-record

Use reset portal auth-fail-record to clear portal authentication failure records.

Syntax

reset portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Clear all portal authentication failure records.

<Sysname> reset portal auth-fail-record all

# Clear portal authentication failure records for the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal auth-fail-record ipv4 11.1.0.1

# Clear portal authentication failure records for the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal auth-fail-record ipv6 2000::2

# Clear portal authentication failure records for the portal user whose username is abc.

<Sysname> reset portal auth-fail-record username abc

# Clear portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal auth-fail-record

reset portal captive-bypass statistics

Use reset portal captive-bypass statistics to clear portal captive-bypass packet statistics.

Syntax

reset portal captive-bypass statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears portal captive-bypass packet statistics for all cards.

Examples

# Clear portal captive-bypass packet statistics on slot 1.

<Sysname> reset portal captive-bypass statistics slot 0

Related commands

display portal captive-bypass statistics

reset portal local-binding mac-address

Use reset portal local-binding mac-address to clear local MAC-account binding entries.

Syntax

reset portal local-binding mac-address { mac-address | all }

Views

User view

Predefined user roles

network-admin

Parameters

mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Clear all local MAC-account binding entries.

<Sysname> reset portal local-binding mac-address all

Related commands

· display portal local-binding mac-address

· local-binding aging-time

reset portal logout-record

Use reset portal logout-record to clear portal user offline records.

Syntax

reset portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Clear all portal user offline records.

<Sysname> reset portal logout-record all

# Clear offline records for the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal logout-record ipv4 11.1.0.1

# Clear offline records for the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal logout-record ipv6 2000::2

# Clear offline records for the portal user whose username is abc.

<Sysname> reset portal logout-record username abc

# Clear portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal logout-record

reset portal packet statistics

Use reset portal packet statistics to clear packet statistics for portal authentication servers.

Syntax

reset portal packet statistics [ extend-auth-server { cloud | mail | qq | wechat } | mac-trigger-server server-name | server server-name ]

Views

User view

Predefined user roles

network-admin

Parameters

extend-auth-server server-name: Specify a third-party authentication server. This keyword is restricted to Hong Kong and Macao.

cloud: Specify the lvzhou cloud authentication server. This keyword is restricted to Hong Kong and Macao.

mail: Specify the email authentication server. This keyword is restricted to Hong Kong and Macao.

qq: Specify the QQ authentication server. This keyword is restricted to Hong Kong and Macao.

wechat: Specify the WeChat authentication server. This keyword is restricted to Hong Kong and Macao.

mac-trigger-server: Specify a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a MAC binding server, this command clears packet statistics for the specified portal authentication server.

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command clears packet statistics for all third-party authentication server, MAC binding server, and portal authentication servers.

Examples

# Clear packet statistics for the portal authentication server pts.

<Sysname> reset portal packet statistics server pts

# Clear packet statistics for MAC binding server newps.

<Sysname> reset portal packet statistics mac-trigger-server newpt

# Clear packet statistics for the lvzhou cloud authentication server.

<Sysname> reset portal packet statistics extend-auth-server cloud

Related commands

display portal packet statistics

reset portal redirect statistics

Use reset portal redirect statistics to reset portal redirect packet statistics.

Syntax

reset portal redirect statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears portal redirect packet statistics for all member devices.

Examples

# Clear redirect packet statistics on the specified slot.

<Sysname> reset portal redirect statistics slot 0

Related commands

display portal safe-redirect statistics

reset portal safe-redirect statistics

Use reset portal safe-redirect statistics to clear portal safe-redirect packet statistics.

Syntax

reset portal safe-redirect statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears statistics for all member devices.

Examples

# Clear portal safe-redirect packet statistics on the specified slot.

<Sysname> reset portal safe-redirect statistics slot 0

Related commands

display portal safe-redirect statistics

server-detect (portal authentication server view)

Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.

Use undo server-detect to disable portal authentication server detection.

Syntax

server-detect [ timeout timeout ] { log | trap } *

undo server-detect

Default

Portal authentication server detection is disabled.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.

{ log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal authentication server. You can select one of the following options or both:

· log—When reachability status of the portal authentication server changes, the device sends a log message. The log message contains the name, the original state, and the current state of the portal authentication server.

· trap—When reachability status of the portal authentication server changes, the device sends a trap message to the NMS. The trap message contains the name and the current state of the portal authentication server.

Usage guidelines

The portal authentication server detection feature is effective only when the portal authentication server supports server heartbeat. Now only the IMC portal authentication server supports server heartbeat.

If the device receives portal packets from the portal authentication server before the detection timeout expires and verifies the correctness of the packets, the device considers the portal authentication server is reachable. Otherwise, the device considers the portal authentication server is unreachable.

The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server.

Examples

# Enable server detection for the portal authentication server pts:

· Set the detection timeout to 600 seconds.

· Configure the device to send a log message and a trap message if the server reachability status changes.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-detect timeout 600 log trap

Related commands

portal server

server-detect (portal Web server view)

Use server-detect to enable portal Web server detection.

Use undo server-detect to disable portal Web server detection.

Syntax

server-detect [ interval interval ] [ retry retries ] { log | trap } *

undo server-detect

Default

Portal Web server detection is disabled.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a detection interval in the range of 1 to 1200 seconds. The default is 5 seconds.

retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3. If the number of consecutive failed detections reaches this threshold, the device considers the server as unreachable.

{ log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal Web server. You can select one of the following options or both:

· log—When reachability status of the portal Web server changes, the device sends a log message. The log message contains the name, the original state, and the current state of the portal Web server.

· trap—When reachability status of the portal Web server changes, the device sends a trap message to the NMS. The trap message contains the name and the current state of the portal Web server.

Usage guidelines

The access device performs server detection independently. No configuration on the portal Web server is required for the detection.

Examples

# Enable server detection for the portal Web server wbs:

· Set the detection interval to 600 seconds.

· Set the maximum number of consecutive detection failures to 2.

· Configure the device to send a log message and a trap massage after server reachability status changes.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log trap

Related commands

portal web-server

server-register

Use server-register to set the interval at which the device registers with a portal authentication server.

Use undo server-register to restore the default.

Syntax

server-register [ interval interval-value ]

undo server-register

Default

The device does not register with a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the register interval in the range of 1 to 3600 seconds. The default interval is 600 seconds.

Usage guidelines

This feature is typically used in scenarios where a NAT device exists between a portal authentication server and an access device.

After this feature is enabled, the access device automatically sends register packets to the portal authentication server. The register packet contains the access device name. After the server receives the register packet, it records register information for the access device, including the device name and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.

Only CMCC portal authentication servers support this feature.

Examples

# Configure the device to register with the portal authentication server at an interval of 120 seconds.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-register interval 120

Related commands

server-type

server-type (MAC binding server view)

Use server-type to specify the type of a MAC binding server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the MAC binding server is IMC.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the MAC binding server type as CMCC.

imc: Specifies the MAC binding server type as IMC.

Examples

# Specify the type of the MAC binding server as cmcc.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] server-type cmcc

server-type (portal server view/portal web-server view)

Use server-type to specify the type of a portal authentication server or portal Web server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc | oauth }

undo server-type

Default

The type of the portal authentication server and portal Web server is IMC.

Views

Portal authentication server view

Portal Web server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the portal server type as CMCC.

imc: Specifies the portal server type as IMC.

oauth: Specifies the portal server type as lvzhou cloud. This keyword is supported only in portal Web server view. This keyword is restricted to Hong Kong and Macao.

Usage guidelines

Specify the portal server type on the device with the server type the device actually uses.

Examples

# Specify the type of the portal authentication server as cmcc.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-type cmcc

# Specify the type of the portal Web server as cmcc.

<Sysname> system-view

[Sysname] web-server pts

[Sysname-portal-websvr-pts] server-type cmcc

Related commands

display portal server

tcp-port

Use tcp-port to configure a listening TCP port for the local portal Web server.

Use undo tcp-port to restore the default.

Syntax

tcp-port port-number

undo tcp-port

Default

The listening TCP port number for HTTP is 80 and that for HTTPS is the TCP port number set by using the portal local-web-server command. If not set by the portal local-web-server command, the HTTPS listening TCP port number is 443.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening TCP port number in the range of 1 to 65535.

Usage guidelines

To use the local portal Web server, make sure the port number in the portal Web server URL and the port number configured in this command are the same.

For successful local portal authentication, follow these guidelines:

· Do not configure the listening TCP port number for a local portal Web server as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.

· Do not configure the HTTP listening port number as the default HTTPS listening port number 443.

· Do not configure the HTTPS listening port number as the default HTTP listening port number 80.

· Do not configure the same listening port number for HTTP and HTTPS.

· For the HTTPS-based local portal Web service and other services that use HTTPS:

? If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

? If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

Examples

# Set the HTTP service listening port number to 2331 for the local portal Web server.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] tcp-port 2331

Related commands

portal local-web-server

url

Use url to configure a URL for a portal Web server.

Use undo url to restore the default.

Syntax

url url-string

undo url

Default

No URL is specified for the portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://. If the URL you specify does not start with http:// or https://, the system considers the URL begins with http:// by default.

Examples

# Configure the URL for the portal Web server wbs as http://www.test.com/portal.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url http://www.test.com/portal

Related commands

display portal web-server

url-parameter

Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user.

Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.

Syntax

url-parameter param-name { nas-id | nas-port-id | original-url | source-address | ssid | { ap-mac | source-mac } [ encryption { aes | des } key { cipher | simple } string ] | value expression | vlan }

undo url-parameter param-name

Default

No URL parameters are configured for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Content of the parameter is determined by the following keyword you specify.

nas-id: Specifies the NAS-ID.

nas-port-id: Specifies the NAS-Port-Id.

original-url: Specifies the URL of the original webpage that a portal user visits.

source-address: Specifies the user IP address.

ssid: Specifies the SSID of the AP.

ap-mac: Specifies the MAC address of the AP.

source-mac: Specifies the user MAC address.

aes: Specifies AES to encrypt the specified URL parameter.

des: Specifies DES to encrypt the specified URL parameter.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

· For a DES-encrypted ciphertext key, the string length is 41 characters.

· For a DES-encrypted plaintext key, the string length is 8 characters.

· For an AES-encrypted ciphertext key, the string length is 1 to 73 characters.

· For an AES-encrypted plaintext key, the string length is 1 to 31 characters.

value expression: Specifies a custom case-sensitive string of 1 to 256 characters.

vlan: Specifies the user VLAN ID.

Usage guidelines

You can configure multiple URL parameters.

If you configure a URL parameter multiple times, the most recent configuration takes effect.

After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.abc.com/welcome commands. Then, the access device sends to the user whose IP address is 1.1.1.1 the URL http://www.test.com/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

When you configure the param-name argument in this command, you must use the URL parameter name supported by the actual portal server. Different portal server types support different URL parameter names.

For example, the IMC server supports parameter names userurl, userip, and usermac for the keywords original-url, source-address, and source-mac, respectively. To carry the user IP information in the portal Web server URL, you must configure the parameter name as userip and specify the source-address keyword.

If you specify the encryption algorithm for a parameter, the redirection URL carries the encrypted value for the parameter. Execute the url-parameter usermac source-mac encryption des key simple 12345678 command. Then the access device sends to the user with MAC address 1111-1111-1111 the URL http://www.test.com/portal?usermac=xxxxxxxxx&userip=1.1.1.1&userurl= http://www.test.com/welcome, where xxxxxxxxx represents the encrypted user MAC address.

Examples

# Configure URL parameters userip and userurl for portal Web server wbs. Configure the value of the userip parameter as source-address (the IP addresses of users) and that of the userurl parameter as http://www.abc.com/welcome.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter userip source-address

[Sysname-portal-websvr-wbs] url-parameter userurl value http://www.abc.com/welcome

# Configure URL parameter usermac for portal Web server wbs. Configure the value of the usermac parameter as source-mac (the MAC addresses of users) and specify DES to encrypt the MAC addresses.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter usermac source-mac encryption des key simple 12345678

# Configure URL parameter uservlan for portal Web server wbs. Configure the value of the uservlan parameter as the vlan (the VLAN IDs of users.)

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter uservlan vlan

Related commands

· display portal web-server

· url

user-sync

Use user-sync to enable portal user synchronization for a portal authentication server. After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server. In this way, information about online portal users on the device and on the portal authentication server remains consistent.

Use undo user-sync to disable portal user synchronization for a portal authentication server.

Syntax

user-sync timeout timeout

undo user-sync

Default

Portal user synchronization is disabled for a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. The default is 1200 seconds.

Usage guidelines

Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Now, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, you need to configure the user heartbeat feature on the portal authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device.

Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.

If you configure portal user synchronization multiple times for a portal authentication server, the most recent configuration takes effect.

For information of the users considered as nonexistent on the portal authentication server, the device deletes the information after the configured detection timeout expires.

If the user information from the portal authentication server does not exist on the device, the device encapsulates IP addresses of the users in user heartbeat reply packets to the server. The portal authentication server then deletes the users.

Examples

# Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a use has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] user-sync timeout 600

Related commands

portal server

version

Use version to specify the version of the portal protocol.

Use undo version to restore the default.

Syntax

version version-number

undo version

Default

The version of the portal protocol is 1.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

version-number: Specifies the portal protocol version in the range of 1 to 3.

Usage guidelines

The specified portal protocol version must be the that required by the MAC binding server.

Examples

# Configure the device to use portal protocol version 2 to communicate with the MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] version 2

Related commands

· display portal mac-trigger-server

· portal mac-trigger-server

web-redirect url

Use web-redirect url to enable the Web redirect feature.

Use undo web-redirect url to disable the Web redirect feature.

Syntax

web-redirect [ ipv6 ] url url-string [ interval interval ]

undo web-redirect [ ipv6 ]

Default

Web redirect is disabled.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 Web redirect feature. Do not specify this keyword for the IPv4 Web redirect feature.

url url-string: Specifies the URL to which the user is redirected. The URL is required to be complete and begins with http:// or https://, a string of 1 to 256 characters.

interval interval: Specifies the time interval at which the user is redirected to the specified URL. It is in the range of 60 to 86400 seconds.

Usage guidelines

This feature redirects a user on a VLAN interface or a service template to the specified URL before the user can access an external network through a Web browser. After the specified interval, the user is redirected to the specified URL again.

On a service template, both Web redirect and portal authentication can be enabled and will take effect at the same time.

The Web redirect feature takes effect only on HTTP packets that use the default port number 80.

Examples

# Configure IPv4 Web redirect on VLAN-interface 100. Set the redirect URL to http://192.0.0.1 and the interval to 3600 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] web-redirect url http://192.0.0.1 interval 3600

# Configure IPv4 Web redirect on service template service1. Set the redirect URL to http://192.0.0.1 and the interval to 3600 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] web-redirect url http://192.0.0.1 interval 3600

Related commands

display web-redirect rule

User profile commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

display user-profile

Use display user-profile to display configuration and online user information for user profiles.

Syntax

display user-profile [ name profile-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include English letters, digits, and underscores (_). The name must start with an English letter and must be unique. If you do not specify this option, the command displays configuration and online user information for all user profiles.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays user profile configuration and online user information for all member devices.

Examples

# (IRF-incapable devices.) Display configuration and online user information for user profile aaa.

<Sysname> display user-profile name aaa

User-Profile: aaa

Inbound:

CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes)

Policy: p1

Outbound:

CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes)

User user_1:

Authentication type: 802.1X

Network attributes:

Interface : WLAN-BSS1/0/5

MAC address : 0000-1111-2222

Failed action list:

Inbound: Policy p1

Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes)

User user_2:

Authentication type: Portal

Network attributes:

Interface : WLAN-BSS1/0/5

IP address : 172.16.187.16

VPN : N/A

Service VLAN : 100

# Display configuration and online user information for all user profiles on IRF member device 1.

<Sysname> display user-profile slot 1

User-Profile: aaa

Inbound:

CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes)

Policy: p1

Outbound:

CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes)

User user_1:

Authentication type: 802.1X

Network attributes:

Interface : WLAN-BSS1/0/5

MAC address : 0000-1111-2222

Failed action list:

Inbound: Policy p1

Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes)

User user_2:

Authentication type: Portal

Network attributes:

Interface : WLAN-BSS1/0/5

IP address : 172.16.187.16

VPN : N/A

Service VLAN : 100

User-Profile: bbb

Inbound:

CIR 512 (kbps), CBS 1062 (Bytes), EBS 0 (Bytes)

Policy: p3

User user_4:

Authentication type: Portal

Network attributes:

Interface : WLAN-BSS1/0/5

IP address : 172.16.187.166

VPN : N/A

Service VLAN : 100

Table 43 Command output

Field	Description
User-Profile	User profile name.
Inbound	Policy applied to incoming traffic.
Outbound	Policy applied to outgoing traffic.
CIR	Committed information rate, in kbps.
CBS	Committed burst size, in bytes.
EBS	Excess burst size, in bytes.
Policy	Policy name.
User user_1	Username of a user account with which a user profile is associated. If no user is online, User - is displayed.
Authentication type	Authentication type: · 802.1X—802.1X authentication. · Portal—Portal authentication. · PPP—PPP authentication. · MACA—MAC authentication.
Network attributes	Online user information.
Failed action list	Actions that failed to be applied to the user.

user-profile

Use user-profile to create a user profile and enter user profile view.

Use undo user-profile to delete a user profile.

Syntax

user-profile profile-name

undo user-profile profile-name

Default

No user profile exists.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. A user profile name can only contain English letters, digits, and underscores (_), and it must start with an English letter. The name must be unique.

Usage guidelines

You can use the command to enter the view of an existing user profile.

Examples

# Create user profile a123 and enter the view of a123.

<Sysname> system-view

[Sysname] user-profile a123

[Sysname-user-profile-a123]

Password control commands

display password-control

Use display password-control to display password control configuration.

Syntax

display password-control [ super ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

super: Displays the password control information for the super passwords. If you do not specify this keyword, the command displays the global password control configuration.

Examples

# Display the global password control configuration.

<Sysname> display password-control

Global password control configurations:

Password control: Disabled

Password aging: Enabled (90 days)

Password length: Enabled (10 characters)

Password composition: Enabled (1 types, 1 characters per type)

Password history: Enabled (max history records:4)

Early notice on password expiration: 7 days

Maximum login attempts: 3

Action for exceeding login attempts: Lock user for 1 minutes

Minimum interval between two updates: 24 hours

User account idle time: 90 days

Logins with aged password: 3 times in 30 days

Password complexity: Disabled (username checking)

Disabled (repeated characters checking)

# Display the password control configuration for super passwords.

<Sysname> display password-control super

Super password control configurations:

Password aging: Enabled (90 days)

Password length: Enabled (10 characters)

Password composition: Enabled (1 types, 1 characters per type)

Table 44 Command output

Field	Description
Password control	Whether the password control feature is enabled.
Password aging	Whether password expiration is enabled and, if enabled, the expiration time.
Password length	Whether the minimum password length restriction feature is enabled and, if enabled, the setting.
Password composition	Whether the password composition restriction feature is enabled and, if enabled, the settings.
Password history	Whether the password history feature is enabled and, if enabled, the setting.
Early notice on password expiration	Number of days during which the user is notified of the pending password expiration.
Maximum login attempts	Allowed maximum number of consecutive failed login attempts for FTP and VTY users.
Action for exceeding login attempts	Action to be taken after a user fails to log in after the specified number of attempts.
Minimum interval between two updates	Minimum password update interval.
Logins with aged password	Number of times and maximum number of days a user can log in using an expired password.
Password complexity	Whether the following password complexity checking is enabled: · username checking—Checks whether a password contains the username or the reverse of the username. · repeated characters checking—Checks whether a password contains any character that appears consecutively three or more times.

display password-control blacklist

Use display password-control blacklist to display password control blacklist information.

Syntax

display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name user-name: Specifies a user by its username, a case-sensitive string of 1 to 55 characters.

ip ipv4-address: Specifies the IPv4 address of a user.

ipv6 ipv6-address: Specifies the IPv6 address of a user.

Usage guidelines

If you do not specify any parameters, this command displays information about all users in the password control blacklist.

The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication. You can use this command to view information about blacklisted FTP and virtual terminal line (VTY) users.

The password control blacklist will not blacklist Web users if they fail login authentication. Users accessing the system through the console interface are not blacklisted either, for the following reasons:

· The system is unable to obtain the IP addresses of these users.

· These users are privileged and, therefore, relatively secure to the system.

Examples

# Display password control blacklist information.

<Sysname> display password-control blacklist

Blacklist items matched: 2.

Username: test

IP: 192.168.44.1 Login failures: 1 Lock flag: unlock

Username: jj

IP: 192.168.44.3 Login failures: 3 Lock flag: lock

Table 45 Command output

Field	Description
Blacklist items matched	Number of blacklisted users.
IP	IP address of the user.
Login failures	Number of login failures.
Lock flag	Whether the user account is locked for the user: · unlock—Not limited. · lock—Disabled temporarily or permanently, depending on the password-control login-attempt command.

password-control { aging | composition | history | length } enable

Use password-control { aging | composition | history | length } enable to enable the password expiration, composition restriction, history, or minimum length restriction feature.

Use undo password-control { aging | composition | history | length } enable to disable a password control feature.

Syntax

password-control { aging | composition | history | length } enable

undo password-control { aging | composition | history | length } enable

Default

The password control features (aging, composition, history, and length) are all enabled.

Views

System view

Predefined user roles

network-admin

Parameters

aging: Enables the password expiration feature.

composition: Enables the password composition restriction feature.

history: Enables the password history feature.

length: Enables the minimum password length restriction feature.

Usage guidelines

For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled. For example, if the global password control and the minimum length restriction feature are not enabled, the password-control length command does not take effect.

The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.

If the global password control feature is enabled but the minimum password length restriction feature is disabled, the following rules apply:

· A password must contain a minimum of four characters.

· A minimum of four characters must be different.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Enable the password composition restriction feature.

[Sysname] password-control composition enable

# Enable the password expiration feature.

[Sysname] password-control aging enable

# Enable the minimum password length restriction feature.

[Sysname] password-control length enable

# Enable the password history feature.

[Sysname] password-control history enable

Related commands

display password-control

password-control enable

password-control aging

Use password-control aging to set the password expiration time.

Use undo password-control aging to restore the default.

Syntax

password-control aging aging-time

undo password-control aging

Default

A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the password expiration time in days, in the range of 1 to 365.

Usage guidelines

The expiration time depends on the view:

· The time in system view has global significance and applies to all user groups.

· The time in user group view applies to all local users in the user group.

· The time in local user view applies only to the local user.

A password expiration time with a smaller application scope has higher priority. The system prefers to use the password expiration time in local user view for a local user.

· If no password expiration time is configured for the local user, the system uses the password expiration time for the user group to which the local user belongs.

· If no password expiration time is configured for the user group, the system uses the global password expiration time.

Examples

# Globally set the passwords to expire after 80 days.

<Sysname> system-view

[Sysname] password-control aging 80

# Set the passwords for user group test to expire after 90 days.

[Sysname] user-group test

[Sysname-ugroup-test] password-control aging 90

[Sysname-ugroup-test] quit

# Set the password for device management user abc to expire after 100 days.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control aging 100

Related commands

display local-user

display password-control

display user-group

password-control aging enable

password-control alert-before-expire

Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.

Use undo password-control alert-before-expire to restore the default.

Syntax

password-control alert-before-expire alert-time

undo password-control alert-before-expire

Default

The default is 7 days.

Views

System view

Predefined user roles

network-admin

Parameters

alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.

Usage guidelines

This command is effective only for non-FTP users. FTP users can only have their passwords changed by the administrator.

Examples

# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.

<Sysname> system-view

[Sysname] password-control alert-before-expire 10

Related commands

display password-control

password-control complexity

Use password-control complexity to configure the password complexity checking policy.

Use undo password-control complexity to remove a password complexity checking item.

Syntax

password-control complexity { same-character | user-name } check

undo password-control complexity { same-character | user-name } check

Default

The global password complexity checking policy is that both username checking and repeated character checking are disabled. The password complexity checking policy for a user group equals the global setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

same-character: Refuses a password that contains a minimum of three consecutive identical characters. For example, the password aaabc is not complex enough.

user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.

Usage guidelines

The password complexity checking policy depends on the view:

· The policy in system view has global significance and applies to all user groups.

· The policy in user group view applies to all local users in the user group.

· The policy in local user view applies only to the local user.

A password complexity checking policy with a smaller application scope has higher priority. The system prefers to use the password complexity checking policy in local user view for a local user.

· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

· If no policy is configured for the user group, the system uses the global policy.

You can enable both username checking and repeated character checking.

After the password complexity checking is enabled, complexity-incompliant passwords will be refused.

Examples

# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.

<Sysname> system-view

[Sysname] password-control complexity user-name check

Related commands

display local-user

display password-control

display user-group

password-control composition

Use password-control composition to configure the password composition policy.

Use undo password-control composition to restore the default.

Syntax

password-control composition type-number type-number [ type-length type-length ]

undo password-control composition

Default

The password using the global composition policy must contain a minimum of one character type and a minimum of one character for each type.

The password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4. The following character types are available:

· Uppercase letters A to Z.

· Lowercase letters a to z.

· Digits 0 to 9.

· Special characters in Table 46.

Table 46 Special characters

Character name	Symbol	Character name	Symbol
Ampersand sign	&	Apostrophe	'
Asterisk	*	At sign	@
Back quote	`	Back slash	\
Blank space	N/A	Caret	^
Colon	:	Comma	,
Dollar sign	$	Dot	.
Equal sign	=	Exclamation point	!
Left angle bracket	<	Left brace	{
Left bracket	[	Left parenthesis	(
Minus sign	-	Percent sign	%
Plus sign	+	Pound sign	#
Quotation marks	"	Right angle bracket	>
Right brace	}	Right bracket	]
Right parenthesis	)	Semi-colon	;
Slash	/	Tilde	~
Underscore	_	Vertical bar	\|

type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63.

Usage guidelines

The password composition policy depends on the view:

· The policy in system view has global significance and applies to all user groups.

· The policy in user group view applies to all local users in the user group.

· The policy in local user view applies only to the local user.

A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.

· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

· If no policy is configured for the user group, the system uses the global policy.

The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords.

Examples

# Specify that all passwords must each contain a minimum of four character types and a minimum of five characters for each type.

<Sysname> system-view

[Sysname] password-control composition type-number 4 type-length 5

# Specify that passwords in user group test must contain a minimum of four character types and a minimum of five characters for each type.

[Sysname] user-group test

[Sysname-ugroup-test] password-control composition type-number 4 type-length 5

[Sysname-ugroup-test] quit

# Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5

Related commands

display local-user

display password-control

display user-group

password-control composition enable

password-control enable

Use password-control enable to enable the password control feature globally.

Use undo password-control enable to disable the password control feature globally.

Syntax

password-control enable

undo password-control enable

Default

The password control feature is disabled globally.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A specific password control feature takes effect only after the global password control feature is enabled.

After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain a minimum of four different characters.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

Related commands

display password-control

password-control { aging | composition | history | length } enable

password-control expired-user-login

Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.

Use undo password-control expired-user-login to restore the defaults.

Syntax

password-control expired-user-login delay delay times times

undo password-control expired-user-login

Default

A user can log in three times within 30 days after the password expires.

Views

System view

Predefined user roles

network-admin

Parameters

delay delay: Specifies the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.

times times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10. To deny users to log in after the password expires, set the value to 0.

Usage guidelines

This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.

Examples

# Allow a user to log in five times within 60 days after the password expires.

<Sysname> system-view

[Sysname] password-control expired-user-login delay 60 times 5

Related commands

display password-control

password-control history

Use password-control history to set the maximum number of history password records for each user.

Use undo password-control history to restore the default.

Syntax

password-control history max-record-number

undo password-control history

Default

The maximum number of history password records for each user is 4.

Views

System view

Predefined user roles

network-admin

Parameters

max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15.

Usage guidelines

When the number of history password records reaches the maximum number, the subsequent history record overwrites the earliest one.

The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records.

To delete the existing records, use one of the following methods:

· Use the undo password-control enable command to disable the password control feature globally.

· Use the reset password-control history-record command to clear the passwords manually.

Examples

# Set the maximum number of history password records for each user to 10.

<Sysname> system-view

[Sysname] password-control history 10

Related commands

display password-control

password-control history enable

reset password-control blacklist

password-control length

Use password-control length to set the minimum password length.

Use undo password-control length to restore the default.

Syntax

password-control length length

undo password-control length

Default

The global minimum password length is 10 characters.

The minimum password length for a user group equals the global setting. The minimum password length for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32.

Usage guidelines

The minimum length setting depends on the view:

· The setting in system view has global significance and applies to all user groups.

· The setting in user group view applies to all local users in the user group.

· The setting in local user view applies only to the local user.

A minimum password length with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user.

· If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs.

· If no minimum password length is configured for the user group, the system uses the global minimum password length.

Examples

# Set the global minimum password length to 16 characters.

<Sysname> system-view

[Sysname] password-control length 16

# Set the minimum password length to 16 characters for the user group test.

[Sysname] user-group test

[Sysname-ugroup-test] password-control length 16

[Sysname-ugroup-test] quit

# Set the minimum password length to 16 characters for the device management user abc.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control length 16

Related commands

display local-user

display password-control

display user-group

password-control length enable

password-control login idle-time

Use password-control login idle-time to set the maximum account idle time.

Use undo password-control login idle-time to restore the default.

Syntax

password-control login idle-time idle-time

undo password-control login idle-time

Default

The maximum account idle time is 90 days.

Views

System view

Predefined user roles

network-admin

Parameters

idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time.

Usage guidelines

If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.

Examples

# Set the maximum account idle time to 30 days.

<Sysname> system-view

[Sysname] password-control login idle-time 30

Related commands

display password-control

password-control login-attempt

Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.

Use undo password-control login-attempt to restore the default.

Syntax

password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

undo password-control login-attempt

Default

The global login-attempt settings:

· The maximum number of consecutive login failures is 3.

· The locking period is 1 minute.

The login-attempt settings for a user group equal the global settings.

The login-attempt settings for a local user equal those for the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts.

· lock: Disables the user account permanently.

· lock-time time: Disables the user account for a period of time. The user can uses this user account when the timer expires. The value range for the time argument is 1 to 360 minutes.

· unlock: Allows the user account to continue using this account to perform login attempts.

Usage guidelines

The login-attempt policy depends on the view:

· The policy in system view has global significance and applies to all user groups.

· The policy in user group view applies to all local users in the user group.

· The policy in local user view applies only to the local user.

A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the login-attempt policy in local user view for a local user.

· If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

· If no policy is configured for the user group, the system uses the global policy.

If an FTP or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.

Whether a blacklisted user and user account are locked depends on the locking setting:

· If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.

· To use a temporarily locked user account, the user can perform either of the following tasks:

? Wait until the locking timer expires.

? Remove the user account from the password control blacklist.

· If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.

NOTE:

This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.

The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.

Examples

# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 4 exceed lock

# Use the user account test to log in to the device, and enter incorrect password for four times.

# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.

[Sysname] display password-control blacklist

Username: test

IP: 192.168.44.1 Login failures: 4 Lock flag: lock

Blacklist items matched: 1.

# Verify that the user at 192.168.44.1 cannot use this user account to log in.

# Allow a maximum of two consecutive login failures on a user account, and disable the account for 3 minutes if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 2 exceed lock-time 3

# Use the user account test to log in to the device, and enter incorrect password for two attempts.

# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.

[Sysname] display password-control blacklist

Username: test

IP: 192.168.44.1 Login failures: 2 Lock flag: lock

Blacklist items matched: 1.

# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.

Related commands

display local-user

display password-control

display password-control blacklist

display user-group

reset password-control blacklist

password-control super aging

Use password-control super aging to set the expiration time for super passwords.

Use undo password-control super aging to restore the default.

Syntax

password-control super aging aging-time

undo password-control super aging

Default

A super password expires after 90 days.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the super password expiration time in days, in the range of 1 to 365.

Examples

# Set the super passwords to expire after 10 days.

<Sysname> system-view

[Sysname] password-control super aging 10

Related commands

display password-control

password-control aging

password-control super composition

Use password-control super composition to configure the composition policy for super passwords.

Use undo password-control super composition to restore the default.

Syntax

password-control super composition type-number type-number [ type-length type-length ]

undo password-control super composition

Default

A super password must contain a minimum of one character type and a minimum of one character for each type.

Views

System view

Predefined user roles

network-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4.

type-length type-length: Specifies the minimum number of characters that are from each character type. The value range for the type-length argument is 1 to 63.

Usage guidelines

The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password.

Examples

# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.

<Sysname> system-view

[Sysname] password-control super composition type-number 4 type-length 5

Related commands

display password-control

password-control composition

password-control super length

Use password-control super length to set the minimum length for super passwords.

Use undo password-control super length to restore the default.

Syntax

password-control super length length

undo password-control super length

Default

The minimum super password length is 10 characters.

Views

System view

Predefined user roles

network-admin

Parameters

length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63.

Examples

# Set the minimum length of super passwords to 16 characters.

<Sysname> system-view

[Sysname] password-control super length 16

Related commands

display password-control

password-control length

password-control update-interval

Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.

Use undo password-control update-interval to restore the default.

Syntax

password-control update-interval interval

undo password-control update-interval

Default

The minimum password update interval is 24 hours.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.

Usage guidelines

The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.

Examples

# Set the minimum password update interval to 36 hours.

<Sysname> system-view

[Sysname] password-control update-interval 36

Related commands

display password-control

reset password-control blacklist

Use reset password-control blacklist to remove blacklisted users.

Syntax

reset password-control blacklist [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies the username of a user account to be removed from the password control blacklist. The username is a case-sensitive string of 1 to 55 characters.

Usage guidelines

You can use this command to remove a user account that is blacklisted due to excessive login failures. Then the blacklisted user can use this user account to log in.

Examples

# Remove the user account named test from the password control blacklist.

<Sysname> reset password-control blacklist user-name test

Are you sure to delete the specified user in blacklist? [Y/N]:

Related commands

display password-control blacklist

reset password-control history-record

Use reset password-control history-record to delete history password records.

Syntax

reset password-control history-record [ super [ role role name ] | user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

super: Deletes the history records of the specified super password or all super passwords.

role role name: Specifies a user role name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command deletes the history records of all super passwords.

user-name user-name: Specifies the username of the user whose password records are to be deleted. The user-name argument is a case-sensitive string of 1 to 55 characters.

Usage guidelines

If you do not specify any parameters, this command deletes the history password records of all local users.

Examples

# Clear the history password records of all local users.

<Sysname> reset password-control history-record

Are you sure to delete all local user's history records? [Y/N]:y

Related commands

password-control history

Public key management commands

display public-key local public

Use display public-key local public to display local public keys.

Syntax

display public-key local { dsa | ecdsa | rsa } public [ name key-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dsa: Specifies the DSA key pair type.

ecdsa: Specifies the ECDSA key pair type.

rsa: Specifies the RSA key pair type.

name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command displays the public keys of all local key pairs of the specified type.

Usage guidelines

You can copy and distribute the public key of a local key pair to peer devices.

Examples

# Display all local RSA public keys.

<Sysname> display public-key local rsa public

=============================================

Key name: hostkey (default)

Key type: RSA

Time when key pair created: 15:40:48 2011/05/12

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9

667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE

C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB

FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1

2DA4C04EF5AE0835090203010001

=============================================

Key name: serverkey (default)

Key type: RSA

Time when key pair created: 15:40:48 2011/05/12

Key code:

307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442

762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64

DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E

9D85C13413996ECD093B0203010001

=============================================

Key name: rsa1

Key type: RSA

Time when key pair created: 15:42:26 2011/05/12

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D

426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA

1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7

9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03

92D8C6D940890BF4290203010001

# Display all local DSA public keys.

<Sysname> display public-key local dsa public

=============================================

Key name: dsakey (default)

Key type: DSA

Time when key pair created: 15:41:37 2011/05/12

Key code:

308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

585DA7F42519718CC9B09EEF0381840002818041912CE34D12BCD2157E7AB1C2F03B3EF395

100F3DB4A9E2FDFE860C1BD663D676438F7DA40A9406D61CA9079AF13E330489F1C76785DE

52DA649AC8BC04B6D39CD7C52CD0A14F75F7491A91D31D6AC22340B5981B27A915CDEC4F09

887E541EC1E5302D500F68E7AC29A084463C60F9EE266985A502FC92193E1CF4D265C4BA

=============================================

Key name: dsa1

Key type: DSA

Time when key pair created: 15:35:42 2011/05/12

Key code:

308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8

3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74

0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7

15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A

# Display all local ECDSA public keys.

<Sysname> display public-key local ecdsa public

=============================================

Key name: ecdsakey (default)

Key type: ECDSA

Time when key pair created: 15:42:04 2011/05/12

Key code:

3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF

68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B

=============================================

Key name: ecdsa1

Key type: ECDSA

Time when key pair created: 15:43:33 2011/05/12

Key code:

3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1

AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58

# Display the public key of the local RSA key pair rsa1.

<Sysname> display public-key local rsa public name rsa1

=============================================

Key name: rsa1

Key type: RSA

Time when key pair created: 15:42:26 2011/05/12

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D

426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA

1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7

9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03

92D8C6D940890BF4290203010001

# Display the public key of the local DSA key pair dsa1.

<Sysname> display public-key local dsa public name dsa1