11-Security Command Reference: 02-AAA commands
Contents
authorization-attribute (ISP domain view)
service-type (ISP domain view)
session-time include-idle-time
access-user email authentication
authorization-attribute (local user view/user group view)
display local-guest waiting-approval
local-guest auto-delete enable
local-user-export class network guest
local-user-import class network guest
password (device management user view)
password (network access user view)
reset local-guest waiting-approval
service-type (local user view)
attribute convert (RADIUS DAS view)
attribute convert (RADIUS scheme view)
attribute reject (RADIUS DAS view)
attribute reject (RADIUS scheme view)
attribute vendor-id 2011 version
data-flow-format (RADIUS scheme view)
primary accounting (RADIUS scheme view)
primary authentication (RADIUS scheme view)
secondary accounting (RADIUS scheme view)
secondary authentication (RADIUS scheme view)
timer quiet (RADIUS scheme view)
timer realtime-accounting (RADIUS scheme view)
timer response-timeout (RADIUS scheme view)
user-name-format (RADIUS scheme view)
vpn-instance (RADIUS scheme view)
data-flow-format (HWTACACS scheme view)
primary accounting (HWTACACS scheme view)
primary authentication (HWTACACS scheme view)
secondary accounting (HWTACACS scheme view)
secondary authentication (HWTACACS scheme view)
timer quiet (HWTACACS scheme view)
timer realtime-accounting (HWTACACS scheme view)
timer response-timeout (HWTACACS scheme view)
user-name-format (HWTACACS scheme view)
AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa nas-id profile
Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.
Use undo aaa nas-id profile to delete a NAS-ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
Default
No NAS-ID profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.
During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.
The device selects the NAS-ID for the NAS-Identifier attribute in the following order:
1. NAS-ID bound with VLANs in a NAS-ID profile.
2. NAS-ID in an ISP domain.
By default, the device uses the device name as the NAS-ID.
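As an added illustration (not H3C code or output), the following Python model applies the selection order above to decide which NAS-ID goes into the RADIUS NAS-Identifier attribute, and then encodes that value as the attribute the server receives (type 32 per RFC 2865). The dictionary layouts, function names and the sample VLAN bindings are assumptions made for this example.

```python
# Added example (not H3C code): resolve the NAS-ID the device would place in the
# RADIUS NAS-Identifier attribute, following the precedence described above, and
# encode it as the RADIUS attribute (type 32, RFC 2865) that the server will see.
# The dictionary layouts and function names are assumptions for this illustration.

from typing import Optional

NAS_IDENTIFIER_TYPE = 32   # RFC 2865 attribute type for NAS-Identifier


def resolve_nas_id(
    vlan_id: Optional[int],
    profile_bindings: Optional[dict],   # {vlan_id: nas_id}, as set by `nas-id bind vlan`
    domain_nas_id: Optional[str],       # as set by `nas-id` in ISP domain view
    device_name: str,                   # the default: the device name
) -> tuple[str, str]:
    """Return (nas_id, source), where source names the rule that supplied it."""
    # 1. NAS-ID bound to the user's VLAN in a NAS-ID profile
    if profile_bindings and vlan_id is not None and vlan_id in profile_bindings:
        return profile_bindings[vlan_id], "nas-id-profile"
    # 2. NAS-ID configured in the ISP domain
    if domain_nas_id:
        return domain_nas_id, "isp-domain"
    # 3. default: the device name
    return device_name, "device-name"


def encode_nas_identifier(nas_id: str) -> bytes:
    """Build the NAS-Identifier attribute: 1-byte type, 1-byte length, UTF-8 value."""
    value = nas_id.encode("utf-8")
    if not 1 <= len(value) <= 253:
        raise ValueError("NAS-Identifier value must be 1 to 253 bytes")
    return bytes([NAS_IDENTIFIER_TYPE, 2 + len(value)]) + value


def decode_nas_identifier(attr: bytes) -> str:
    """Parse the attribute back, checking type and length consistency."""
    if len(attr) < 3 or attr[0] != NAS_IDENTIFIER_TYPE or attr[1] != len(attr):
        raise ValueError("malformed NAS-Identifier attribute")
    return attr[2:].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: VLAN 10 is bound to NAS-ID "site-a" in the profile.
    nas_id, source = resolve_nas_id(10, {10: "site-a"}, "dom-id", "Sysname")
    print(nas_id, source, encode_nas_identifier(nas_id).hex())
```

The `source` value returned alongside the NAS-ID is useful when a RADIUS server reports an unexpected access location: it tells you which of the three rules supplied the value, so you know whether to look at the profile's VLAN bindings, the ISP domain, or the device name.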
Examples
# Create a NAS-ID profile named aaa and enter its view.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]
Related commands
nas-id
nas-id bind vlan
port-security nas-id-profile
portal nas-id-profile
aaa session-id mode
Use aaa session-id mode to specify the format for attribute Acct-Session-Id.
Use undo aaa session-id mode to restore the default.
Syntax
aaa session-id mode { common | simplified }
undo aaa session-id mode
Default
The device uses the common mode for attribute Acct-Session-Id.
Views
System view
Predefined user roles
network-admin
Parameters
common: Specifies the common format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string with a minimum length of 38 characters. This string contains the prefix (indicating the access type), date and time, sequence number, LIP address of the access node, device ID, and job ID of the access process.
simplified: Specifies the simple format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string of 16 characters. This string contains the prefix (indicating the access type), month, sequence number, device ID, and LIP address of the access node.
Usage guidelines
Configure the format for attribute Acct-Session-Id to meet the requirements of the RADIUS servers.
Examples
# Specify the simple format for attribute Acct-Session-Id.
<Sysname> system-view
[Sysname] aaa session-id mode simplified
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
Syntax
In non-FIPS mode:
aaa session-limit { ftp | http | https | ssh | telnet } max-sessions
undo aaa session-limit { ftp | http | https | ssh | telnet }
In FIPS mode:
aaa session-limit { https | ssh } max-sessions
undo aaa session-limit { https | ssh }
Default
The maximum number of concurrent users is 32 for each user type.
Views
System view
Predefined user roles
network-admin
Parameters
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ssh: SSH users.
telnet: Telnet users.
max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32 for SSH and Telnet services, and is 1 to 64 for FTP, HTTP, and HTTPS services.
Usage guidelines
When the number of concurrent login users of a type has reached the configured upper limit, the system denies any subsequent users of that type.
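The following Python model is an added example (not H3C code) of the per-service limit this command configures: it enforces the documented value ranges (1 to 32 for SSH and Telnet, 1 to 64 for FTP, HTTP and HTTPS), the default of 32 per type, the FIPS-mode restriction to https and ssh in the syntax, and denies a login once the type's limit is reached. The class and method names are assumptions for this illustration.

```python
# Added example (not H3C code): a model of `aaa session-limit` behaviour.
# Class, method names and session identifiers are assumptions for this illustration.

SESSION_LIMIT_RANGES = {
    "ssh": (1, 32), "telnet": (1, 32),          # max-sessions 1 to 32
    "ftp": (1, 64), "http": (1, 64), "https": (1, 64),   # max-sessions 1 to 64
}
FIPS_SERVICES = {"https", "ssh"}   # only these appear in the FIPS-mode syntax
DEFAULT_LIMIT = 32                 # default maximum per user type


class SessionLimiter:
    def __init__(self, fips_mode: bool = False):
        self.fips_mode = fips_mode
        self.limits = {svc: DEFAULT_LIMIT for svc in SESSION_LIMIT_RANGES}
        self.active = {svc: set() for svc in SESSION_LIMIT_RANGES}

    def set_limit(self, service: str, max_sessions: int) -> None:
        """Equivalent of `aaa session-limit <service> <max-sessions>`."""
        if service not in SESSION_LIMIT_RANGES:
            raise ValueError(f"unknown service {service!r}")
        if self.fips_mode and service not in FIPS_SERVICES:
            raise ValueError(f"{service} cannot be configured in FIPS mode")
        lo, hi = SESSION_LIMIT_RANGES[service]
        if not lo <= max_sessions <= hi:
            raise ValueError(f"{service}: max-sessions must be {lo} to {hi}")
        self.limits[service] = max_sessions

    def reset_limit(self, service: str) -> None:
        """Equivalent of `undo aaa session-limit <service>`."""
        self.limits[service] = DEFAULT_LIMIT

    def login(self, service: str, session_id: str) -> bool:
        """Admit the session while the type is below its limit; deny it otherwise."""
        if len(self.active[service]) >= self.limits[service]:
            return False
        self.active[service].add(session_id)
        return True

    def logout(self, service: str, session_id: str) -> None:
        self.active[service].discard(session_id)

    def count(self, service: str) -> int:
        return len(self.active[service])


if __name__ == "__main__":
    limiter = SessionLimiter()
    limiter.set_limit("ftp", 4)     # mirrors the example: aaa session-limit ftp 4
    print([limiter.login("ftp", f"s{i}") for i in range(6)])  # fifth and sixth denied
```

Denied logins are the signal to watch for: a burst of them on one service type is either a legitimate capacity problem or a sign that something is holding sessions open, and either way it is worth correlating with the login records of that service.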
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
accounting advpn
Use accounting advpn to specify accounting methods for ADVPN users.
Use undo accounting advpn to restore the default.
Syntax
In non-FIPS mode:
accounting advpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting advpn
In FIPS mode:
accounting advpn { local | radius-scheme radius-scheme-name } *
undo accounting advpn
Default
The default accounting methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the ADVPN service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for ADVPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting advpn local
# In ISP domain test, perform RADIUS accounting for ADVPN users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting advpn radius-scheme rd local
Related commands
accounting default
local-user
radius scheme
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting methods of the ISP domain are used for command line accounting.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.
· When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.
· When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.
Command line accounting can use only a remote HWTACACS server.
Examples
# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
accounting default
command accounting (Fundamentals Command Reference)
hwtacacs scheme
accounting default
Use accounting default to specify default accounting methods for an ISP domain.
Use undo accounting default to restore the default.
Syntax
In non-FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default accounting method is used for all users that support this method and do not have an accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.
You can specify one primary default accounting method and multiple backup default accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the access service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
accounting lan-access
Use accounting lan-access to specify accounting methods for LAN users.
Use undo accounting lan-access to restore the default.
Syntax
In non-FIPS mode:
accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting lan-access
In FIPS mode:
accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] | local [ radius-scheme radius-scheme-name ] | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access
Default
The default accounting methods of the ISP domain are used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
The following guidelines apply to broadcast accounting:
· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.
· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the LAN access service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local
# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local
Related commands
accounting default
local-user
radius scheme
timer realtime-accounting
accounting login
Use accounting login to specify accounting methods for login users.
Use undo accounting login to restore the default.
Syntax
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting login
Default
The default accounting methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
Accounting is not supported for FTP, SFTP, and SCP users.
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
accounting default
hwtacacs scheme
local-user
radius scheme
accounting portal
Use accounting portal to specify accounting methods for portal users.
Use undo accounting portal to restore the default.
Syntax
In non-FIPS mode:
accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting portal
In FIPS mode:
accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] | local [ radius-scheme radius-scheme-name ] | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
Default
The default accounting methods of the ISP domain are used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
The following guidelines apply to broadcast accounting:
· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.
· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the portal service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local
# In ISP domain test, broadcast accounting requests of portal users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal broadcast radius-scheme rd1 radius-scheme rd2 local
Related commands
accounting default
local-user
radius scheme
timer realtime-accounting
accounting ppp
Use accounting ppp to specify accounting methods for PPP users.
Use undo accounting ppp to restore the default.
Syntax
In non-FIPS mode:
accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo accounting ppp
In FIPS mode:
accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo accounting ppp
Default
The default accounting methods of the ISP domain are used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
broadcast: Broadcasts accounting requests to servers in RADIUS schemes.
radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
The following guidelines apply to broadcast accounting:
· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable for a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.
· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
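The broadcast accounting rules stated here, and identically for the accounting lan-access and accounting portal commands, are modelled in the following added Python example (not H3C code): the request goes to both schemes, each scheme is walked from its primary server through its secondary servers in configured order, and only the primary broadcast scheme's answer decides the outcome, with no answer from it counting as failure. Server addresses, reachability flags and the dataclass names are constructed for this illustration.

```python
# Added example (not H3C code): a model of broadcast accounting across two RADIUS
# schemes as described above. Server states and names are constructed test data.

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusServer:
    address: str
    available: bool = True     # constructed reachability state
    accepts: bool = True       # whether it would answer the accounting request positively


@dataclass
class RadiusScheme:
    name: str
    primary: RadiusServer                             # `primary accounting`
    secondaries: list = field(default_factory=list)   # `secondary accounting`, configured order
    realtime_interval_min: int = 12                   # `timer realtime-accounting`, assumed value


def send_accounting(scheme: RadiusScheme) -> tuple[Optional[bool], Optional[str]]:
    """Try the primary server, then the secondaries in configured order.
    Returns (result, server_address); result is None when no server answered."""
    for server in [scheme.primary, *scheme.secondaries]:
        if server.available:
            return server.accepts, server.address
    return None, None


def broadcast_accounting(primary: RadiusScheme, backup: RadiusScheme) -> dict:
    """Broadcast the request to both schemes; the primary scheme decides the result."""
    primary_result, primary_server = send_accounting(primary)
    backup_result, backup_server = send_accounting(backup)
    # No result from the primary scheme is treated as an accounting failure.
    success = primary_result is True
    return {
        "success": success,
        "decided_by": primary.name,
        "primary_server": primary_server,
        "backup_result": backup_result,     # reference only, never decides the outcome
        "backup_server": backup_server,
        # Real-time updates follow the primary broadcast scheme's interval.
        "update_interval_min": primary.realtime_interval_min,
    }


if __name__ == "__main__":
    rd1 = RadiusScheme("rd1", RadiusServer("10.0.0.1", available=False),
                       [RadiusServer("10.0.0.2")])
    rd2 = RadiusScheme("rd2", RadiusServer("10.0.1.1"))
    print(broadcast_accounting(rd1, rd2))
```

The practical consequence the model makes visible: a healthy backup scheme never rescues a failed primary scheme, so monitoring for broadcast accounting must watch the primary scheme's servers specifically rather than "any RADIUS server responded".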
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the PPP service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
Examples
# In ISP domain test, perform local accounting for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp local
# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp radius-scheme rd local
# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local
Related commands
accounting default
hwtacacs scheme
local-user
radius scheme
timer realtime-accounting
accounting quota-out
Use accounting quota-out to configure access control for users that have used up their data or time accounting quotas.
Use undo accounting quota-out to restore the default.
Syntax
accounting quota-out { offline | online }
undo accounting quota-out
Default
The device logs off users that have used up their accounting quotas.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
offline: Logs off users that have used up their accounting quotas.
online: Allows users that have used up their accounting quotas to stay online.
Examples
# In ISP domain test, configure the device to allow users that have used up their accounting quotas to stay online.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting quota-out online
accounting sslvpn
Use accounting sslvpn to specify accounting methods for SSL VPN users.
Use undo accounting sslvpn to restore the default.
Syntax
In non-FIPS mode:
accounting sslvpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting sslvpn
In FIPS mode:
accounting sslvpn { local | radius-scheme radius-scheme-name } *
undo accounting sslvpn
Default
The default accounting methods of the ISP domain are used for SSL VPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local accounting.
none: Does not perform accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary accounting method and multiple backup accounting methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.
When the primary accounting method is local, the following rules apply to the accounting of a user:
· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:
  ◦ An exception occurs in the local accounting process.
  ◦ The user account is not configured on the device or the user is not allowed to use the SSL VPN service.
· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
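The primary/backup method walk and the special rule for a primary local method are the same for the accounting advpn, accounting default, accounting lan-access, accounting login, accounting portal, accounting ppp and accounting sslvpn commands. The following Python model is an added example (not H3C code) of that logic: a method list such as `["radius:rd", "local", "none"]` is tried in order, and when local is the primary method the device falls through to the backups only for an internal exception or a missing/not-permitted account, failing accounting outright for any other local reason. The failure-reason names, the local user table and the RADIUS reachability map are constructed for this illustration.

```python
# Added example (not H3C code): a model of the accounting-method selection described
# above for the accounting advpn/default/lan-access/login/portal/ppp/sslvpn commands.
# Reason names, user records and server states are constructed for this illustration.

from typing import Optional

# Local failures for which the device moves on to the backup methods.
LOCAL_FALLTHROUGH_REASONS = {"exception", "no-such-user", "service-not-allowed"}


def local_accounting(user: str, local_users: dict, service: str) -> tuple[bool, Optional[str]]:
    """Constructed local-accounting check. Returns (ok, failure_reason)."""
    account = local_users.get(user)
    if account is None:
        return False, "no-such-user"           # account not configured on the device
    if service not in account["services"]:
        return False, "service-not-allowed"    # user not allowed to use this service
    if account.get("blocked"):
        return False, "user-blocked"           # any other local reason: no fallthrough
    return True, None


def select_accounting(
    methods: list,        # primary first, e.g. ["radius:rd", "local", "none"]
    user: str,
    service: str,
    local_users: dict,    # constructed local user table
    radius_up: dict,      # scheme name -> reachable?, constructed
) -> tuple[str, Optional[str]]:
    """Return (outcome, method_used); outcome is 'accounted', 'no-accounting' or 'failed'."""
    for position, method in enumerate(methods):
        if method == "none":
            return "no-accounting", "none"
        if method.startswith("radius:"):
            scheme = method.split(":", 1)[1]
            if radius_up.get(scheme):
                return "accounted", method
            continue                           # RADIUS server invalid: next backup
        if method == "local":
            ok, reason = local_accounting(user, local_users, service)
            if ok:
                return "accounted", "local"
            if position == 0 and reason not in LOCAL_FALLTHROUGH_REASONS:
                return "failed", "local"       # primary local failed for another reason
            continue                           # allowed to fall through to the backups
        raise ValueError(f"unknown method {method!r}")
    return "failed", None                      # every method in the list was invalid


if __name__ == "__main__":
    users = {"alice": {"services": {"sslvpn"}}}
    print(select_accounting(["radius:rd", "local", "none"], "alice", "sslvpn",
                            users, {"rd": False}))   # RADIUS down -> local accounting
```

The model only encodes what the text states for a primary local method; a local method in a backup position is treated like any other backup and simply passes control to the next method when it fails.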
Examples
# In ISP domain test, perform local accounting for SSL VPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting sslvpn local
# In ISP domain test, perform RADIUS accounting for SSL VPN users based on scheme rd and use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting sslvpn radius-scheme rd local
Related commands
accounting default
local-user
radius scheme
accounting start-fail
Use accounting start-fail to configure access control for users that encounter accounting-start failures.
Use undo accounting start-fail to restore the default.
Syntax
accounting start-fail { offline | online }
undo accounting start-fail
Default
The device allows users that encounter accounting-start failures to stay online.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
offline: Logs off users that encounter accounting-start failures.
online: Allows users that encounter accounting-start failures to stay online.
Examples
# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting start-fail online
accounting update-fail
Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.
Use undo accounting update-fail to restore the default.
Syntax
accounting update-fail { [ max-times max-times ] offline | online }
undo accounting update-fail
Default
The device allows users that have failed all their accounting-update attempts to stay online.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
max-times max-times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the max-times argument is 1 to 255, and the default value is 1.
offline: Logs off users that have failed all their accounting-update attempts.
online: Allows users that have failed all their accounting-update attempts to stay online.
Examples
# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting update-fail online
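The two accounting failure policies above (accounting start-fail and accounting update-fail with max-times) act on a user session as follows. This is an added example, not Comware code or part of the original reference: the AccountingPolicy and Session names, the run_scenario helper and the constructed event strings are assumptions; the defaults and the 1 to 255 range are the ones the command descriptions give.

```python
# Added example (not Comware code): models how the accounting start-fail and
# accounting update-fail settings of an ISP domain act on one user session.
# The AccountingPolicy and Session names and the event log strings are
# assumptions made for this illustration.

from dataclasses import dataclass, field


@dataclass
class AccountingPolicy:
    """Mirrors the two ISP domain commands with their documented defaults."""
    start_fail_action: str = "online"    # accounting start-fail { offline | online }
    update_fail_action: str = "online"   # accounting update-fail { [ max-times n ] offline | online }
    update_fail_max_times: int = 1       # max-times: 1 to 255, default 1

    def __post_init__(self):
        for action in (self.start_fail_action, self.update_fail_action):
            if action not in ("offline", "online"):
                raise ValueError(f"action must be offline or online, got {action!r}")
        if not 1 <= self.update_fail_max_times <= 255:
            raise ValueError("max-times must be in the range 1 to 255")


@dataclass
class Session:
    """One online user whose accounting messages may fail to reach the server."""
    user: str
    policy: AccountingPolicy
    online: bool = True
    consecutive_update_failures: int = 0
    events: list = field(default_factory=list)

    def accounting_start(self, succeeded: bool) -> bool:
        """Apply the start-fail policy; returns whether the user stays online."""
        if not succeeded and self.policy.start_fail_action == "offline":
            self.online = False
            self.events.append(f"{self.user}: accounting-start failed, logged off")
        elif not succeeded:
            self.events.append(f"{self.user}: accounting-start failed, kept online")
        return self.online

    def accounting_update(self, succeeded: bool) -> bool:
        """Apply the update-fail policy to one accounting-update attempt.
        Only consecutive failures count; a success resets the counter."""
        if not self.online:
            return False
        if succeeded:
            self.consecutive_update_failures = 0
            return True
        self.consecutive_update_failures += 1
        if (self.policy.update_fail_action == "offline"
                and self.consecutive_update_failures >= self.policy.update_fail_max_times):
            self.online = False
            self.events.append(
                f"{self.user}: {self.consecutive_update_failures} consecutive "
                f"accounting-update failures, logged off")
        return self.online


def run_scenario(policy: AccountingPolicy, start_ok: bool, update_results):
    """Drive a constructed sequence of accounting results through one session
    and return (still_online, consecutive_failures_at_end)."""
    session = Session("user1", policy)
    if not session.accounting_start(start_ok):
        return False, 0
    for ok in update_results:
        session.accounting_update(ok)
    return session.online, session.consecutive_update_failures


if __name__ == "__main__":
    # Default policy: accounting failures never log the user off.
    print(run_scenario(AccountingPolicy(), False, [False, False, False]))
    # Strict policy: three consecutive update failures log the user off.
    strict = AccountingPolicy(start_fail_action="offline",
                              update_fail_action="offline", update_fail_max_times=3)
    print(run_scenario(strict, True, [False, False, True, False, False, False]))
```

The second scenario shows why max-times counts consecutive failures: two failures followed by a successful update reset the counter, and only the three failures in a row that follow reach the threshold. With the default online action the same sequence leaves the user online, so a NAS that cannot reach its accounting server keeps sessions up without accounting records.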
authentication advpn
Use authentication advpn to specify authentication methods for ADVPN users.
Use undo authentication advpn to restore the default.
Syntax
In non-FIPS mode:
authentication advpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication advpn
In FIPS mode:
authentication advpn { local | radius-scheme radius-scheme-name } *
undo authentication advpn
Default
The default authentication methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the ADVPN service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for ADVPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication advpn local
# In ISP domain test, perform RADIUS authentication for ADVPN users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication advpn radius-scheme rd local
Related commands
authentication default
local-user
radius scheme
authentication default
Use authentication default to specify default authentication methods for an ISP domain.
Use undo authentication default to restore the default.
Syntax
In non-FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication default
In FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | local [ ldap-scheme ldap-scheme-name ] | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authentication method is used for all users that support this method and do not have an authentication method configured.
You can specify one primary default authentication method and multiple backup default authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the access service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
hwtacacs scheme
ldap scheme
local-user
radius scheme
authentication ike
Use authentication ike to specify extended authentication methods for IKE users.
Use undo authentication ike to restore the default.
Syntax
In non-FIPS mode:
authentication ike { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication ike
In FIPS mode:
authentication ike { local | radius-scheme radius-scheme-name } *
undo authentication ike
Default
The default authentication methods of the ISP domain are used for IKE extended authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the IKE service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, configure the device to perform local authentication through IKE extended authentication.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ike local
# In ISP domain test, perform IKE extended authentication based on RADIUS scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ike radius-scheme rd local
Related commands
authentication default
local-user
radius scheme
authentication lan-access
Use authentication lan-access to specify authentication methods for LAN users.
Use undo authentication lan-access to restore the default.
Syntax
In non-FIPS mode:
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication lan-access
In FIPS mode:
authentication lan-access { ldap-scheme ldap-scheme-name [ local ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] | radius-scheme radius-scheme-name [ local ] }
undo authentication lan-access
Default
The default authentication methods of the ISP domain are used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the LAN access service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
ldap scheme
local-user
radius scheme
authentication login
Use authentication login to specify authentication methods for login users.
Use undo authentication login to restore the default.
Syntax
In non-FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication login
In FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | local [ ldap-scheme ldap-scheme-name ] | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication login
Default
The default authentication methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the service for accessing the device.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
ldap scheme
local-user
radius scheme
authentication portal
Use authentication portal to specify authentication methods for portal users.
Use undo authentication portal to restore the default.
Syntax
In non-FIPS mode:
authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication portal
In FIPS mode:
authentication portal { ldap-scheme ldap-scheme-name [ local ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
Default
The default authentication methods of the ISP domain are used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the portal service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local
Related commands
authentication default
ldap scheme
local-user
radius scheme
authentication ppp
Use authentication ppp to specify authentication methods for PPP users.
Use undo authentication ppp to restore the default.
Syntax
In non-FIPS mode:
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authentication ppp
In FIPS mode:
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authentication ppp
Default
The default authentication methods of the ISP domain are used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the PPP service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp radius-scheme rd local
Related commands
authentication default
hwtacacs scheme
local-user
radius scheme
authentication sslvpn
Use authentication sslvpn to specify authentication methods for SSL VPN users.
Use undo authentication sslvpn to restore the default.
Syntax
In non-FIPS mode:
authentication sslvpn { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authentication sslvpn
In FIPS mode:
authentication sslvpn { ldap-scheme ldap-scheme-name [ local ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] | radius-scheme radius-scheme-name [ local ] }
undo authentication sslvpn
Default
The default authentication methods of the ISP domain are used for SSL VPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authentication method and multiple backup authentication methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
When the primary authentication method is local, the following rules apply to the authentication of a user:
· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:
  - An exception occurs in the local authentication process.
  - The user account is not configured on the device or the user is not allowed to use the SSL VPN service.
· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
Examples
# In ISP domain test, perform local authentication for SSL VPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication sslvpn local
# In ISP domain test, perform LDAP authentication for SSL VPN users based on scheme ldp and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication sslvpn ldap-scheme ldp local
Related commands
authentication default
ldap scheme
local-user
radius scheme
authentication super
Use authentication super to specify a method for user role authentication.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *
undo authentication super
Default
The default authentication methods of the ISP domain are used for user role authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.
You can specify one authentication method and one backup authentication method to use in case the previous authentication method is invalid.
Examples
# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-isp-test] authentication super hwtacacs-scheme tac
Related commands
authentication default
hwtacacs scheme
radius scheme
authorization advpn
Use authorization advpn to specify authorization methods for ADVPN users.
Use undo authorization advpn to restore the default.
Syntax
In non-FIPS mode:
authorization advpn { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization advpn
In FIPS mode:
authorization advpn { local | radius-scheme radius-scheme-name } *
undo authorization advpn
Default
The default authorization methods of the ISP domain are used for ADVPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
  - An exception occurs in the local authorization process.
  - The user account is not configured on the device or the user is not allowed to use the ADVPN service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for ADVPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization advpn local
# In ISP domain test, perform RADIUS authorization for ADVPN users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization advpn radius-scheme rd local
Related commands
authorization default
local-user
radius scheme
authorization command
Use authorization command to specify command authorization methods.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization methods of the ISP domain are used for command authorization.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform command authorization. No authorization server verifies whether an entered command is permitted for the user role; a command is executed successfully as long as the user role has permission to execute it.
Usage guidelines
Command authorization restricts login users to executing only authorized commands: an authorization server verifies whether each entered command is permitted.
When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.
The commands that can be executed are controlled by both the access permission of user roles and the command authorization of the authorization server. Access permission controls only whether the authorized user roles have access to the entered commands; it does not control whether the user roles have obtained authorization for these commands. If a command is permitted by the access permission but denied by command authorization, the command cannot be executed.
You can specify one primary command authorization method and multiple backup command authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies a primary HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
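The two gates described in these usage guidelines, the user role's access permission and the authorization server's per-command decision, combine as in the following added example. It is not Comware code and not part of the original reference: the role-rule format (a list of permit/deny glob patterns where the last matching rule wins), the function names and the sample rules are assumptions, and the block takes the command authorization method the domain ended up using as given.

```python
# Added example (not Comware code): shows how command authorization combines
# the user role's access permission with the authorization server's decision.
# The rule format, function names and sample rules are assumptions.

import fnmatch


def role_permits(role_rules, command):
    """RBAC access permission. role_rules is a constructed list of
    (action, glob-pattern) tuples; the last matching rule decides."""
    decision = False                      # no matching rule: no access
    for action, pattern in role_rules:
        if fnmatch.fnmatchcase(command, pattern):
            decision = (action == "permit")
    return decision


def command_authorized(command, role_rules, method, server_decision=None):
    """Decide whether an entered command is executed.

    method is the command authorization method in use: 'hwtacacs', 'local'
    or 'none'.  server_decision is the HWTACACS server's permit (True) or
    deny (False) answer and is required only for 'hwtacacs'.
    Returns (executed, reason)."""
    # Gate 1: access permission of the user's authorized roles always applies.
    if not role_permits(role_rules, command):
        return False, "denied by user role access permission"
    # Gate 2: command authorization for the method in use.
    if method == "none":
        return True, "permitted by user role; command authorization skipped"
    if method == "local":
        # Local command authorization compares the command with the same
        # user role configuration on the device, so gate 1 already covers it.
        return True, "permitted by user role; local command authorization"
    if method == "hwtacacs":
        if server_decision is None:
            raise ValueError("HWTACACS command authorization needs a server decision")
        if server_decision:
            return True, "permitted by user role and by HWTACACS command authorization"
        return False, "permitted by user role but denied by HWTACACS command authorization"
    raise ValueError(f"unknown command authorization method: {method}")


# Constructed sample role: may run display commands except the running
# configuration, and may ping.
SAMPLE_RULES = [
    ("permit", "display *"),
    ("deny", "display current-configuration"),
    ("permit", "ping *"),
]

if __name__ == "__main__":
    for cmd, method, srv in [("display interface", "hwtacacs", True),
                             ("display interface", "hwtacacs", False),
                             ("display current-configuration", "hwtacacs", True),
                             ("reboot", "none", None)]:
        print(cmd, "->", command_authorized(cmd, SAMPLE_RULES, method, srv))
```

The third sample call is the case the guidelines single out: the server permits the command, but the user role denies it, so it is not executed. The second is the reverse, a role permits it and the server denies it, and it is not executed either; only a command that passes both gates runs.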
Examples
# In ISP domain test, configure the device to perform local command authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
command authorization (Fundamentals Command Reference)
hwtacacs scheme
local-user
authorization default
Use authorization default to specify default authorization methods for an ISP domain.
Use undo authorization default to restore the default.
Syntax
In non-FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization default
In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after users pass authentication:
· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the virtual console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
· Non-login users can access the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The default authorization method is used for all users that support this method and do not have an authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme. RADIUS returns a user's authorization attributes in the same Access-Accept that authenticates the user, so the device cannot obtain authorization from a RADIUS scheme other than the one that performed authentication.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of those methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the access service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
hwtacacs scheme
local-user
radius scheme
authorization ike
Use authorization ike to specify authorization methods for IKE extended authentication.
Use undo authorization ike to restore the default.
Syntax
In non-FIPS mode:
authorization ike { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization ike
In FIPS mode:
authorization ike { local | radius-scheme radius-scheme-name } *
undo authorization ike
Default
The default authorization methods of the ISP domain are used for IKE extended authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
You can specify one primary authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization ike radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of those methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the IKE service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for IKE extended authentication.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ike local
Related commands
authorization default
local-user
authorization lan-access
Use authorization lan-access to specify authorization methods for LAN users.
Use undo authorization lan-access to restore the default.
Syntax
In non-FIPS mode:
authorization lan-access { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization lan-access
In FIPS mode:
authorization lan-access { local | radius-scheme radius-scheme-name } *
undo authorization lan-access
Default
The default authorization methods of the ISP domain are used for LAN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization. An authenticated LAN user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the LAN access service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local
Related commands
authorization default
local-user
radius scheme
authorization login
Use authorization login to specify authorization methods for login users.
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization login
In FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization login
Default
The default authorization methods of the ISP domain are used for login users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. The following default authorization information applies after users pass authentication:
· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the virtual console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of those methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the service for accessing the device.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
authorization default
hwtacacs scheme
local-user
radius scheme
authorization portal
Use authorization portal to specify authorization methods for portal users.
Use undo authorization portal to restore the default.
Syntax
In non-FIPS mode:
authorization portal { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization portal
In FIPS mode:
authorization portal { local | radius-scheme radius-scheme-name } *
undo authorization portal
Default
The default authorization methods of the ISP domain are used for portal users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization. An authenticated portal user directly accesses the network.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies RADIUS as the primary authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization first, performs local authorization when the RADIUS server is invalid, and does not perform authorization when both of those methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the portal service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local
Related commands
authorization default
local-user
radius scheme
authorization ppp
Use authorization ppp to specify authorization methods for PPP users.
Use undo authorization ppp to restore the default.
Syntax
In non-FIPS mode:
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }
undo authorization ppp
In FIPS mode:
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }
undo authorization ppp
Default
The default authorization methods of the ISP domain are used for PPP users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the PPP service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp local
# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local
Related commands
authorization default
hwtacacs scheme
local-user
radius scheme
authorization sslvpn
Use authorization sslvpn to specify authorization methods for SSL VPN users.
Use undo authorization sslvpn to restore the default.
Syntax
In non-FIPS mode:
authorization sslvpn { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization sslvpn
In FIPS mode:
authorization sslvpn { ldap-scheme ldap-scheme-name [ local ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] | radius-scheme radius-scheme-name [ local ] }
undo authorization sslvpn
Default
The default authorization methods of the ISP domain are used for SSL VPN users.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform authorization. Authenticated SSL VPN users can access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.
You can specify one primary authorization method and multiple backup authorization methods.
When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.
When the primary authorization method is local, the following rules apply to the authorization of a user:
· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:
¡ An exception occurs in the local authorization process.
¡ The user account is not configured on the device or the user is not allowed to use the SSL VPN service.
· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
Examples
# In ISP domain test, perform local authorization for SSL VPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization sslvpn local
# In ISP domain test, perform LDAP authorization for SSL VPN users based on scheme ldp and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization sslvpn ldap-scheme ldp local
Related commands
authorization default
ldap scheme
local-user
radius scheme
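The method-chain rules in the usage guidelines of authorization default, authorization ike, authorization lan-access, authorization login, authorization portal, authorization ppp, and authorization sslvpn are the same, so one model of them follows. This is an added Python example written for this page, not H3C code: the Device and LocalUser structures, the scheme names rd and hw, the user names, the service names, and the role labels are all constructed for the demonstration and do not correspond to any internal data structure of the device.

```python
"""Model of the ISP-domain authorization method chain documented above.

Added example, not H3C code. Rules reproduced from the usage guidelines:
  * methods are tried in the configured order (primary, then backups);
  * a remote scheme (RADIUS/HWTACACS/LDAP) is skipped only when it is
    invalid, modelled here as the server being unreachable;
  * local is skipped only when the account does not exist or is not
    allowed to use the service (an internal exception is the other
    documented case); any other local failure ends authorization;
  * none always succeeds and assigns the documented default
    authorization, here the level-0 role for a login user.
All server and account state is constructed inline (assumption).
"""
from dataclasses import dataclass, field

INVALID = "invalid"   # method unusable -> try the next backup
DENIED = "denied"     # method answered and refused -> stop, no fallback
GRANTED = "granted"   # method answered with authorization -> stop


@dataclass
class LocalUser:
    name: str
    services: set                 # services the account may use, e.g. {"ssh"}
    role: str = "network-operator"  # None models "any other local failure"


@dataclass
class Device:
    """Constructed NAS state: reachability of remote schemes plus local accounts."""
    reachable: dict               # scheme name -> bool
    remote_roles: dict            # scheme name -> {user: role}; missing user = denied
    local_users: dict = field(default_factory=dict)


def try_method(dev, method, user, service):
    """Apply one configured method; return (outcome, role)."""
    kind, _, scheme = method.partition(" ")   # "radius-scheme rd" -> kind, scheme
    if kind == "none":
        return GRANTED, "level-0"             # documented default for login users
    if kind == "local":
        acct = dev.local_users.get(user)
        if acct is None or service not in acct.services:
            return INVALID, None              # the documented fallback cases
        if acct.role is None:
            return DENIED, None               # any other local failure: no fallback
        return GRANTED, acct.role
    # radius-scheme / hwtacacs-scheme / ldap-scheme
    if not dev.reachable.get(scheme, False):
        return INVALID, None
    role = dev.remote_roles.get(scheme, {}).get(user)
    return (DENIED, None) if role is None else (GRANTED, role)


def authorize(dev, chain, user, service):
    """Walk the chain; return (method that authorized, role) or (None, None)."""
    for method in chain:
        outcome, role = try_method(dev, method, user, service)
        if outcome == GRANTED:
            return method, role
        if outcome == DENIED:
            return None, None
        # INVALID: fall through to the next backup method
    return None, None


def fails_open(chain):
    """True when the chain ends in none: access is granted without
    authorization as soon as every earlier method is invalid."""
    return chain[-1] == "none"


if __name__ == "__main__":
    dev = Device(reachable={"rd": False, "hw": True},
                 remote_roles={"hw": {"alice": "network-admin"}},
                 local_users={"bob": LocalUser("bob", {"ssh"})})
    # RADIUS server rd is down; alice has no local account
    print(authorize(dev, ["radius-scheme rd", "local"], "alice", "ssh"))          # (None, None)
    print(authorize(dev, ["radius-scheme rd", "local", "none"], "alice", "ssh"))  # ('none', 'level-0')
```

The fails_open check is the one to run against a production domain: a chain that ends in none lets users through with no authorization the moment the remote servers stop answering, which is precisely the condition an attacker who can disrupt the path to the AAA servers wants to create.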
authorization-attribute (ISP domain view)
Use authorization-attribute to configure authorization attributes for users in an ISP domain.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] | igmp max-access-number max-access-number | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number max-access-number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-group-profile session-group-profile-name | session-timeout minutes | url url-string | user-group user-group-name | user-profile profile-name | vpn-instance vpn-instance-name }
undo authorization-attribute { acl | car | idle-cut | igmp | ip-pool | ipv6-pool | ipv6-prefix | mld | primary-dns | secondary-dns | session-group-profile | session-timeout | url | user-group | user-profile | vpn-instance }
Default
The idle cut feature is disabled.
An IPv4 user can concurrently join a maximum of four IGMP multicast groups.
An IPv6 user can concurrently join a maximum of four MLD multicast groups.
No other authorization attributes exist.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 5999. This option is applicable only to portal and LAN users. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.
car: Specifies a CAR action for users. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the CAR action applies before portal authentication. This keyword is applicable only to portal and PPP users.
inbound: Specifies the upload rate of users.
outbound: Specifies the download rate of users.
cir committed-information-rate: Specifies the committed information rate in kbps, in the range of 1 to 4194303.
pir peak-information-rate: Specifies the peak information rate in kbps, in the range of 1 to 4194303. The peak information rate cannot be smaller than the committed information rate. If you do not specify this option, the CAR action does not restrict users by peak information rate.
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 600. This option is applicable only to portal and PPP users.
flow: Specifies the minimum traffic, in bytes, that a user must generate within the idle timeout period to be considered active. The value range is 1 to 10240000, and the default value is 10240.
igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to portal and PPP users.
ip-pool ipv4-pool-name: Specifies an IPv4 address pool for users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP, IKE, and portal users.
ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal and PPP users.
ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the prefix-length argument is 1 to 128. The IPv6 prefix cannot be ::/128, ::1/128, FE80::/10, or an IPv6 multicast prefix. This option is applicable only to PPP users.
mld max-access-number max-access-number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to portal and PPP users.
primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to PPP users.
primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to PPP users.
secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to PPP users.
secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to PPP users.
session-group-profile session-group-profile-name: Specifies an authorization session group profile for users. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters. The session group profile name can contain only letters, digits, and underscores (_). It must begin with a letter or digit but it cannot be all digits. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the session group profile applies before portal authentication. This option is applicable only to portal and PPP users.
session-timeout minutes: Specifies the session timeout timer for users, in minutes. The value range for the minutes argument is 1 to 4294967295. The device logs off a user when the user's session timeout timer expires. This option is applicable only to PPP, portal, and LAN users.
url url-string: Specifies a redirect URL for users. Users are redirected to the URL the first time they access the network after they pass authentication. The url-string argument is a case-sensitive string of 1 to 255 characters. This option is applicable only to PPPoE and LAN users.
user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.
user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. The user profile name can contain only letters, digits, and underscores (_). It must begin with a letter or digit but it cannot be all digits. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to PPP, portal, and LAN users.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. When a user passes authentication, it has permission to access the network resources in the specified VPN. This option is applicable only to PPP and portal users.
Usage guidelines
When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.
If the server or NAS does not authorize a type of attribute to an authenticated user, the device authorizes the attribute in the ISP domain to the user.
You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.
For portal users to come online after passing authentication, make sure ACLs assigned to portal users do not have rules specified with a source IP or MAC address.
Examples
# Specify user group abc as the authorization user group for users in ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization-attribute user-group abc
Related commands
display domain
basic-service-ip-type
Use basic-service-ip-type to specify the types of IP addresses that PPPoE and L2TP users must rely on to use the basic services.
Use undo basic-service-ip-type to restore the default.
Syntax
basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *
undo basic-service-ip-type
Default
PPPoE and L2TP users do not rely on any types of IP addresses to use the basic services.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ipv4: Specifies the IPv4 address type.
ipv6: Specifies the IPv6 address type.
ipv6-pd: Specifies the IPv6-PD address type. Addresses of this type are generated from the prefix delegated by the DHCPv6 server.
Usage guidelines
This command takes effect only when the device acts as a PPPoE server or L2TP LNS and only on PPPoE and L2TP users.
A user might request multiple services of different IP address types. By default, the device logs off a user only if the user obtains no IP address at all. With this command configured, the device allows the user to come online only after the user has obtained an IP address of every specified type; a user that fails to obtain an address of any specified type cannot come online. For example, after you execute the basic-service-ip-type ipv6 command, a user that does not obtain an IPv6 address cannot come online.
If you specify both the ipv6 and ipv6-pd keywords, the device does not allow a user that fails IPv6 address negotiation or PD negotiation to come online.
Examples
# In ISP domain test, specify PPPoE and L2TP users to rely on IPv4 addresses to use the basic services.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] basic-service-ip-type ipv4
dhcpv6-follow-ipv6cp
Use dhcpv6-follow-ipv6cp to set the IPv6 address wait timer for PPPoE and L2TP users.
Use undo dhcpv6-follow-ipv6cp to restore the default.
Syntax
dhcpv6-follow-ipv6cp timeout delay-time
undo dhcpv6-follow-ipv6cp
Default
The IPv6 address wait timer for PPPoE and L2TP users is 60 seconds.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
timeout delay-time: Sets the IPv6 address wait timer, in the range of 30 to 120 seconds.
Usage guidelines
This command takes effect only when the device acts as a PPPoE server or L2TP LNS and only on PPPoE and L2TP users.
The IPv6 address wait timer defines the maximum amount of time that a user can wait before the device determines that the user fails to obtain an IPv6 address or PD prefix.
The device starts an IPv6 address wait timer for a user after it finishes IPv6CP negotiation with the user. If the user's basic service relies on an IPv6 address or PD prefix but it fails to obtain any IPv6 address or PD prefix when the timer expires, the user cannot come online.
As a best practice, increase the IPv6 address wait timer in the following situations:
· The network communication is unstable.
· The device uses DHCPv6 to assign IPv6 addresses to users.
· The ISP domain serves a large number of users.
Examples
# In ISP domain test, set the IPv6 address wait timer to 90 seconds for PPPoE and L2TP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90
Related commands
basic-service-ip-type
display domain
Use display domain to display ISP domain configuration.
Syntax
display domain [ isp-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
Total 2 domains
Domain: system
State: Active
Default authentication scheme: Local
Default authorization scheme: Local
Default accounting scheme: Local
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out action: Offline
Service type: HSI
Session time: Exclude idle time
NAS-ID: N/A
DHCPv6-follow-IPv6CP timeout: 60 seconds
Authorization attributes:
Idle cut: Disabled
Session timeout: Disabled
IGMP access limit: 4
MLD access limit: 4
Domain: dm
State: Active
Login authentication scheme: RADIUS=rad
Login authorization scheme: HWTACACS=hw
Super authentication scheme: RADIUS=rad
Command authorization scheme: HWTACACS=hw
LAN access authentication scheme: RADIUS=r4
PPP accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local
Portal authentication scheme: LDAP=ldp
SSL VPN authentication scheme: LDAP=ldp, Local, None
SSL VPN authorization scheme: LDAP=ldp, Local
SSL VPN accounting scheme: None
Default authentication scheme: RADIUS=rad, Local, None
Default authorization scheme: Local
Default accounting scheme: None
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out action: Offline
Service type: HSI
Session time: Include idle time
User address type: ipv4
NAS-ID: test
User basic service IP type: IPv4
DHCPv6-follow-IPv6CP timeout: 44 seconds
Authorization attributes:
Idle cut : Enabled
Idle timeout: 2 minutes
Flow: 10240 bytes
Session timeout: 34 minutes
IP pool: appy
User profile: test
Session group profile: abc
Inbound CAR: CIR 64000 bps PIR 640000 bps
Outbound CAR: CIR 64000 bps PIR 640000 bps
ACL number: 3000
User group: ugg
IPv6 prefix: 1::1/34
IPv6 pool: ipv6pool
Primary DNS server: 6.6.6.6
Secondary DNS server: 3.6.2.3
URL: http://test
VPN instance: vpn1
IGMP access limit: 4
MLD access limit: 4
Default domain name: system
Table 1 Command output
Field | Description |
---|---|
Domain | ISP domain name. |
State | Status of the ISP domain. |
Default authentication scheme | Default authentication methods. |
Default authorization scheme | Default authorization methods. |
Default accounting scheme | Default accounting methods. |
ADVPN authentication scheme | Authentication methods for ADVPN users. |
ADVPN authorization scheme | Authorization methods for ADVPN users. |
ADVPN accounting scheme | Accounting methods for ADVPN users. |
Login authentication scheme | Authentication methods for login users. |
Login authorization scheme | Authorization methods for login users. |
Login accounting scheme | Accounting methods for login users. |
Super authentication scheme | Authentication methods for obtaining another user role without reconnecting to the device. |
PPP authentication scheme | Authentication methods for PPP users. |
PPP authorization scheme | Authorization methods for PPP users. |
PPP accounting scheme | Accounting methods for PPP users. |
Command authorization scheme | Command line authorization methods. |
Command accounting scheme | Command line accounting methods. |
LAN access authentication scheme | Authentication methods for LAN users. |
LAN access authorization scheme | Authorization methods for LAN users. |
LAN access accounting scheme | Accounting methods for LAN users. |
Portal authentication scheme | Authentication methods for portal users. |
Portal authorization scheme | Authorization methods for portal users. |
Portal accounting scheme | Accounting methods for portal users. |
IKE authentication scheme | IKE extended authentication methods. |
IKE authorization scheme | Authorization methods for IKE extended authentication. |
SSL VPN authentication scheme | Authentication methods for SSL VPN users. |
SSL VPN authorization scheme | Authorization methods for SSL VPN users. |
SSL VPN accounting scheme | Accounting methods for SSL VPN users. |
RADIUS | RADIUS scheme. |
HWTACACS | HWTACACS scheme. |
LDAP | LDAP scheme. |
Local | Local scheme. |
None | No authentication, no authorization, or no accounting. |
Accounting start failure action | Access control for users that encounter accounting-start failures: · Online—Allows the users to stay online. · Offline—Logs off the users. |
Accounting update failure max-times | Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain. |
Accounting update failure action | Access control for users that have failed all their accounting-update attempts: · Online—Allows the users to stay online. · Offline—Logs off the users. |
Accounting quota out action | Access control for users that have used up their accounting quotas: · Online—Allows the users to stay online. · Offline—Logs off the users. |
Service type | Service type of the ISP domain, including HSI, STB, and VoIP. |
Session time | Online duration sent to the server for users that went offline due to connection failure or malfunction: · Include idle time—The online duration includes the idle timeout period. · Exclude idle time—The online duration does not include the idle timeout period. |
User address type | Type of IP addresses for users in the ISP domain. This field is not available if no user address type is specified in the ISP domain. |
NAS-ID | NAS-ID of the device. This field displays N/A if no NAS-ID is set in the ISP domain. |
User basic service IP type | Types of IP addresses that PPPoE and L2TP users rely on to use the basic services: · IPv4. · IPv6. · IPv6-PD. |
DHCPv6-follow-IPv6CP timeout | IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users. |
Authorization attributes | Authorization attributes for users in the ISP domain. |
Idle cut | Idle cut feature status: · Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period. · Disabled—The feature is disabled. It is the default idle cut state. |
Idle timeout | Idle timeout period, in minutes. |
Flow | Minimum traffic that a login user must generate in an idle timeout period, in bytes. |
Session timeout | Session timeout time for users in the ISP domain, in minutes. |
IP pool | Name of the authorization IPv4 address pool. |
User profile | Name of the authorization user profile. |
Session group profile | Name of the authorization session group profile. |
Inbound CAR | Authorization inbound CAR: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. |
Outbound CAR | Authorization outbound CAR: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. |
ACL number | Authorization ACL for users. |
User group | Authorization user group for users. |
IPv6 prefix | Authorization IPv6 address prefix for users. |
IPv6 pool | Name of the authorization IPv6 address pool for users. |
Primary DNS server | IPv4 address of the authorization primary DNS server for users. |
Secondary DNS server | IPv4 address of the authorization secondary DNS server for users. |
Primary DNSV6 server | IPv6 address of the authorization primary DNS server for users. |
Secondary DNSV6 server | IPv6 address of the authorization secondary DNS server for users. |
URL | Authorization redirect URL for users. |
VPN instance | Name of the authorization VPN instance for users. |
IGMP access limit | Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently. |
MLD access limit | Maximum number of MLD groups that an IPv6 user is authorized to join concurrently. |
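The display domain output above is the natural place to audit an ISP domain's AAA settings. The following parser and audit routine is an added example, not code from this reference or the device: it groups the Field: value lines per domain and flags every scheme whose method list contains None, because None means no authentication, authorization, or accounting for that access type. The sample capture is constructed from the example output shown above.

```python
"""Parse display domain output and flag schemes that permit the None method."""
from typing import Dict, List, Optional, Tuple

# Constructed sample input, adapted from the display domain example output above.
SAMPLE_OUTPUT = """\
Total 2 domains
Domain: system
  State: Active
  Default authentication scheme: Local
  Default authorization scheme: Local
  Default accounting scheme: Local
  Service type: HSI
  NAS-ID: N/A
Domain: dm
  State: Active
  Login authentication scheme: RADIUS=rad
  Login authorization scheme: HWTACACS=hw
  PPP accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local
  SSL VPN authentication scheme: LDAP=ldp, Local, None
  SSL VPN accounting scheme: None
  Default authentication scheme: RADIUS=rad, Local, None
  Default authorization scheme: Local
  Default accounting scheme: None
  NAS-ID: test
  Authorization attributes:
    Idle cut : Enabled
    Idle timeout: 2 minutes
    URL: http://test
"""


def parse_display_domain(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain name: {field: value}}; lines without a colon are skipped."""
    domains: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue                      # e.g. "Total 2 domains"
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "Domain":
            current = value
            domains[current] = {}
        elif current is not None:
            domains[current][key] = value
    return domains


def parse_methods(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'RADIUS=rad, Local, None' into [('RADIUS', 'rad'), ('Local', None), ('None', None)].

    Entries wrapped in parentheses, as in the PPP accounting line, are kept
    with the parentheses stripped; their meaning is not covered in this section.
    """
    methods: List[Tuple[str, Optional[str]]] = []
    for item in value.split(","):
        item = item.strip().strip("()")
        if not item:
            continue
        kind, _, scheme = item.partition("=")
        methods.append((kind, scheme or None))
    return methods


def audit_domain(name: str, fields: Dict[str, str]) -> List[str]:
    """Flag each scheme field of one domain whose method list includes None."""
    findings = []
    for key, value in fields.items():
        if not key.endswith("scheme"):
            continue
        if any(kind == "None" for kind, _ in parse_methods(value)):
            findings.append(f"{name}: {key} permits None ({value})")
    return findings


def audit_output(text: str) -> Dict[str, List[str]]:
    """Run audit_domain over every domain in a display domain capture."""
    return {name: audit_domain(name, fields)
            for name, fields in parse_display_domain(text).items()}


if __name__ == "__main__":
    for domain, findings in audit_output(SAMPLE_OUTPUT).items():
        print(domain, "->", findings or "no scheme permits None")
```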
domain
Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.
Use undo domain to delete an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
A system-defined ISP domain exists. The domain name is system.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:
· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
Usage guidelines
All ISP domains are in active state when they are created.
You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.
Examples
# Create an ISP domain named test and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
Related commands
display domain
domain default enable
domain if-unknown
state (ISP domain view)
domain default enable
Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.
Use undo domain default enable to restore the default.
Syntax
domain default enable isp-name
undo domain default enable
Default
The default ISP domain is the system-defined ISP domain system.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.
Usage guidelines
The system has only one default ISP domain.
An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.
Examples
# Create an ISP domain named test, and configure the domain as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
display domain
domain
domain if-unknown
Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains.
Use undo domain if-unknown to restore the default.
Syntax
domain if-unknown isp-name
undo domain if-unknown
Default
No ISP domain is specified to accommodate users that are assigned to nonexistent domains.
Views
System view
Predefined user roles
network-admin
Parameters
isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:
· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
Usage guidelines
The device chooses an authentication domain for each user in the following order:
1. The authentication domain specified for the access module.
2. The ISP domain in the username.
3. The default ISP domain of the device.
If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.
NOTE: Support for the authentication domain configuration depends on the access module.
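The naming rules of the domain command and the selection order described above for domain if-unknown can be modelled together. The code below is an added example, not device code: it validates an isp-name (forbidden characters, reserved prefixes of default and if-unknown), then picks the authentication domain for a login in the order access-module domain, domain in the username, default domain, with the if-unknown domain as the last resort. The user@domain username format is an assumption made for this example; the delimiter is not stated in this section.

```python
"""ISP domain name validation and authentication domain selection."""
from dataclasses import dataclass, field
from typing import Dict, Optional

FORBIDDEN_CHARS = set('/\\|":*?<>@')
# Every prefix of "default" and "if-unknown", exactly as listed for isp-name.
RESERVED_NAMES = ({"default"[:n] for n in range(1, 8)}
                  | {"if-unknown"[:n] for n in range(1, 11)})


def validate_domain_name(name: str) -> bool:
    """True if name is an acceptable isp-name (names are case-insensitive)."""
    if not 1 <= len(name) <= 255:
        return False
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False
    return name.lower() not in RESERVED_NAMES


@dataclass
class AaaConfig:
    # domain name (lower-cased) -> state, "active" or "block"
    domains: Dict[str, str] = field(default_factory=lambda: {"system": "active"})
    default_domain: str = "system"        # domain default enable
    if_unknown: Optional[str] = None      # domain if-unknown

    def add_domain(self, name: str) -> None:
        if not validate_domain_name(name):
            raise ValueError(f"invalid ISP domain name: {name!r}")
        self.domains.setdefault(name.lower(), "active")   # new domains are active

    def set_state(self, name: str, state: str) -> None:
        self.domains[name.lower()] = state

    def delete_domain(self, name: str) -> None:
        key = name.lower()
        if key == "system":
            raise ValueError("the system-defined domain cannot be deleted")
        if key == self.default_domain.lower():
            raise ValueError("use undo domain default enable first")
        del self.domains[key]


@dataclass
class Selection:
    domain: Optional[str]   # None when no usable domain exists
    source: str             # which rule produced the candidate
    allowed: bool           # False for a blocked domain or no usable domain


def select_domain(cfg: AaaConfig, username: str,
                  module_domain: Optional[str] = None) -> Selection:
    """Apply the selection order and the if-unknown fallback for one login."""
    if module_domain:
        candidate, source = module_domain, "access module"
    elif "@" in username:
        candidate, source = username.rsplit("@", 1)[1], "username"
    else:
        candidate, source = cfg.default_domain, "default domain"

    if candidate.lower() not in cfg.domains:
        if cfg.if_unknown and cfg.if_unknown.lower() in cfg.domains:
            candidate, source = cfg.if_unknown, "if-unknown"
        else:
            return Selection(None, source, False)   # authentication fails

    # A blocked domain refuses offline users; online users are unaffected.
    return Selection(candidate, source, cfg.domains[candidate.lower()] == "active")
```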
Examples
# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.
<Sysname> system-view
[Sysname] domain if-unknown test
Related commands
display domain
nas-id
Use nas-id to set the NAS-ID in an ISP domain.
Use undo nas-id to restore the default.
Syntax
nas-id nas-identifier
undo nas-id
Default
No NAS-ID is set in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.
Usage guidelines
During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.
You can configure a NAS-ID in VSRP instance view, in NAS-ID profile view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:
1. NAS-ID in a VSRP instance.
2. NAS-ID bound with VLANs in a NAS-ID profile.
3. NAS-ID in an ISP domain.
If no NAS-ID is selected, the device uses the device name as the NAS-ID.
Examples
# Set the NAS-ID to test for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] nas-id test
Related commands
aaa nas-id profile
nas-id bind vlan
Use nas-id bind vlan to bind a NAS-ID with a VLAN.
Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
Default
No NAS-ID and VLAN bindings exist.
Views
NAS-ID profile view
Predefined user roles
network-admin
Parameters
nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.
vlan-id: Specifies a VLAN ID in the range of 1 to 4094.
Usage guidelines
You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.
A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.
Examples
# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2
Related commands
aaa nas-id profile
service-type (ISP domain view)
Use service-type to specify the service type for users in an ISP domain.
Use undo service-type to restore the default.
Syntax
service-type { hsi | stb | voip }
undo service-type
Default
The service type is hsi for users in an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through PPP.
stb: Specifies the Set Top Box (STB) service. This service is applicable to users that access the network through STB.
voip: Specifies the Voice over IP (VoIP) service. This service is applicable to users that access the network through IP phones.
Usage guidelines
When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.
When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.
When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.
You can configure only one service type for an ISP domain.
Examples
# Specify the STB service for users in ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] service-type stb
session-time include-idle-time
Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.
Use undo session-time include-idle-time to restore the default.
Syntax
session-time include-idle-time
undo session-time include-idle-time
Default
The device does not include the idle timeout period in the user online duration sent to the server.
Views
ISP domain view
Predefined user roles
network-admin
Usage guidelines
Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. The idle timeout period is assigned to users by the authorization server after the users pass authentication. For portal users, the device includes in the user online duration the idle timeout period set for the online portal user detection feature. For more information about online detection for portal users, see portal authentication configuration in Security Configuration Guide.
If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.
· If the session-time include-idle-time command is used, the user's online duration sent to the server includes the idle timeout period. The online duration that is generated on the server is longer than the actual online duration of the user.
· If the undo session-time include-idle-time command is used, the user's online duration sent to the server excludes the idle timeout period. The online duration that is generated on the server is shorter than the actual online duration of the user.
Examples
# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time
Related commands
display domain
state (ISP domain view)
Use state to set the status of an ISP domain.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
An ISP domain is in active state.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
Usage guidelines
By blocking an ISP domain, you prevent offline users of the domain from requesting network services. Online users are not affected.
Examples
# Place ISP domain test in blocked state.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block
Related commands
display domain
user-address-type
Use user-address-type to specify the user address type in the ISP domain.
Use undo user-address-type to restore the default.
Syntax
user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }
undo user-address-type
Default
No user address type is specified for the ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
ds-lite: Specifies the DS-Lite address type.
ipv6: Specifies the IPv6 address type.
nat64: Specifies the NAT64 address type.
private-ds: Specifies the private-DS address type.
private-ipv4: Specifies the private IPv4 address type.
public-ds: Specifies the public-DS address type.
public-ipv4: Specifies the public IPv4 address type.
Usage guidelines
Any change to the user address type does not affect online users.
Examples
# Specify the private IPv4 address type for users in ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] user-address-type private-ipv4
Related commands
display domain
Local user commands
access-limit
Use access-limit to set the maximum number of concurrent logins using the local user name.
Use undo access-limit to restore the default.
Syntax
access-limit max-user-number
undo access-limit
Default
The number of concurrent logins using the local user name is not limited.
Views
Local user view
Predefined user roles
network-admin
Parameters
max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is configured for the local user.
The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.
Examples
# Set the maximum number of concurrent logins to 5 for users using the local user name abc.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-manage-abc] access-limit 5
Related commands
display local-user
access-user email authentication
Use access-user email authentication to specify the username and password used to log in to the SMTP server that sends email notifications to network access users.
Use undo access-user email authentication to restore the default.
Syntax
access-user email authentication username user-name password { cipher | simple } string
undo access-user email authentication
Default
No SMTP server username or password is specified.
Views
System view
Predefined user roles
network-admin
Parameters
username user-name: Specifies the username, a case-sensitive string of 1 to 63 characters.
password: Specifies the password.
cipher: Specifies the password in encrypted form.
simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
If the SMTP server requires a username and password for login, you must use this command to specify the username and password on the device.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the username to abc and the password to 123 for logging in to the SMTP server that sends email notifications to network access users.
<Sysname> system-view
[Sysname] access-user email authentication username abc password simple 123
Related commands
access-user email format
access-user email sender
access-user email smtp-server
access-user email format
Use access-user email format to configure the subject and body for the email notifications to send to network access users.
Use undo access-user email format to restore the default.
Syntax
access-user email format { body body-string | subject sub-string }
undo access-user email format { body | subject }
Default
The email subject is Password reset notification.
The email body is as follows:
A random password has been generated for your account.
Username: xxx
Password: yyy
Validity: YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss
The xxx string represents the username, the yyy string represents the password, and the YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss string represents the validity period.
Views
System view
Predefined user roles
network-admin
Parameters
body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.
subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.
Usage guidelines
You can configure the device to generate a random password for a network access user on the Web interface. The random password is sent to the user by email. Use this command to configure the email subject and body content.
The email body includes the string configured by using the body-string argument and the following information:
Username: xxx
Password: yyy
Validity: YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss
The xxx string represents the username, the yyy string represents the password, and the YYYY/MM/DD hh:mm:ss to YYYY/MM/DD hh:mm:ss string represents the validity period.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the subject and body for the email notifications to send to network access users.
<Sysname> system-view
[Sysname] access-user email format subject new password setting
[Sysname] access-user email format body The username, password, and validity period of the account are given below.
Related commands
access-user email authentication
access-user email sender
access-user email smtp-server
access-user email sender
Use access-user email sender to configure the email sender address in email notifications sent by the device to network access users.
Use undo access-user email sender to restore the default.
Syntax
access-user email sender email-address
undo access-user email sender
Default
No email sender address is configured for the email notifications sent by the device to network access users.
Views
System view
Predefined user roles
network-admin
Parameters
email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters. The string must contain an at sign (@), and it can contain only one at sign (@). In addition, the string cannot contain only the at sign (@).
Usage guidelines
If you do not specify the email sender address, the device cannot send email notifications to any network access users.
The device supports only one email sender address for network access users. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the email sender address as abc@yyy.com for email notifications of network access users.
<Sysname> system-view
[Sysname] access-user email sender abc@yyy.com
Related commands
access-user email authentication
access-user email format
access-user email smtp-server
access-user email smtp-server
Use access-user email smtp-server to specify an SMTP server to send email notifications of network access users.
Use undo access-user email smtp-server to restore the default.
Syntax
access-user email smtp-server url-string
undo access-user email smtp-server
Default
No SMTP server is specified to send email notifications of network access users.
Views
System view
Predefined user roles
network-admin
Parameters
url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://.
Usage guidelines
You can specify only one SMTP server to send email notifications of network access users.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the SMTP server at smtp://www.test.com/smtp to send email notifications of network access users.
<Sysname> system-view
[Sysname] access-user email smtp-server smtp://www.test.com/smtp
Related commands
access-user email authentication
access-user email format
access-user email sender
authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minutes | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | sslvpn-policy-group group-name | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | primary-dns | secondary-dns | session-timeout | sslvpn-policy-group | url | user-profile | user-role role-name | vlan | vpn-instance | work-directory } *
Default
The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.
The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Views
Local user view
User group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.
callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout period.
ip ipv4-address: Assigns a static IPv4 address to the user after it passes authentication.
ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.
ipv6 ipv6-address: Assigns a static IPv6 address to the user after it passes authentication.
ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.
ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for the user. The value range for the prefix-length argument is 1 to 128. The IPv6 prefix cannot be ::/128, ::1/128, FE80::/10, or an IPv6 multicast prefix.
primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for the user.
primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for the user.
secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for the user.
secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for the user.
session-timeout minutes: Specifies the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.
sslvpn-policy-group group-name: Specifies an SSL VPN policy group for the user. The group-name argument is a case-insensitive string of 1 to 31 characters. For information about SSL VPN policy groups, see Security Configuration Guide.
url url-string: Specifies a PADM URL to which the user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters. This option is applicable only to PPPoE users.
user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The user profile name can contain only letters, digits, and underscores (_). It must begin with a letter or digit but it cannot be all digits. The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the user belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. After passing authentication, the user has permission to access the network resources in the specified VPN.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, user-profile, vpn-instance, and url.
For portal users, only the following authorization attributes take effect: idle-cut, acl, ip-pool, ipv6-pool, user-profile, vpn-instance, and session-timeout.
For LAN users, only the following authorization attributes take effect: acl, idle-cut, session-timeout, user-profile, and vlan.
For SSH, Telnet, and terminal users, only the user-role authorization attribute takes effect.
For HTTP and HTTPS users, only the user-role authorization attribute takes effect.
For FTP users, only the user-role and work-directory authorization attributes take effect.
For SSL VPN users, only the sslvpn-policy-group authorization attribute takes effect.
For IKE users, only the ip-pool authorization attribute takes effect.
For other types of local users, no authorization attribute takes effect.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
For portal users to come online after passing authentication, make sure ACLs assigned to them do not have rules specified with a source IP or MAC address.
To make sure FTP, SFTP, and SCP users can access the directory after an IRF master/subordinate switchover, do not specify slot information for the working directory.
To make sure the user has only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.
The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see information center configuration in Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.
You cannot delete a local user if the local user is the only user that has the security-audit user role.
The security-audit user role is mutually exclusive with other user roles.
The users assigned with the system-admin, security-admin, or audit-admin user role have access to specific Web pages and the ping and tracert commands. For more information about the access permissions of these user roles, see RBAC in Fundamentals Configuration Guide.
The system-admin, security-admin, and audit-admin user roles are mutually exclusive in a user account. In addition, these user roles are mutually exclusive with other user roles in a user account.
When you assign user roles to a user, the system prompts you to confirm the deletion of the user roles that are mutually exclusive with the new user roles.
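The following added Python example (not H3C code) models the per-service-type attribute table, the user-over-group precedence rule and the user-role exclusivity rules from the guidelines above, so an auditor can see which configured attributes will actually take effect for an account. Service and attribute names follow the command keywords; the user and group data in the block are constructed.

```python
"""Resolve the effective authorization attributes of a local user.

Added example (not H3C code): models the per-service-type table, the
user-over-group precedence rule and the user-role exclusivity rules from
the usage guidelines above. Attribute and service names follow the
command keywords; the user/group data below is constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Attributes that take effect for each service type (from the guidelines).
EFFECTIVE_BY_SERVICE: Dict[str, set] = {
    "ppp": {"callback-number", "idle-cut", "ip", "ip-pool", "ipv6-pool",
            "ipv6-prefix", "primary-dns", "secondary-dns", "session-timeout",
            "user-profile", "vpn-instance", "url"},
    "portal": {"idle-cut", "acl", "ip-pool", "ipv6-pool", "user-profile",
               "vpn-instance", "session-timeout"},
    "lan-access": {"acl", "idle-cut", "session-timeout", "user-profile", "vlan"},
    "ssh": {"user-role"}, "telnet": {"user-role"}, "terminal": {"user-role"},
    "http": {"user-role"}, "https": {"user-role"},
    "ftp": {"user-role", "work-directory"},
    "sslvpn": {"sslvpn-policy-group"},
    "ike": {"ip-pool"},
}

# Roles that must be the only role in an account.
STANDALONE_ROLES = {"security-audit", "system-admin", "security-admin", "audit-admin"}


def resolve_authorization(user_attrs: Dict[str, object],
                          group_attrs: Dict[str, object],
                          service_types: Iterable[str]) -> Tuple[Dict[str, object], List[str]]:
    """Merge group and user attributes (local user view wins), then keep only
    the attributes that take effect for at least one of the user's services.

    Returns (effective, ignored): ignored lists attributes that are configured
    but never take effect for these services, which an audit should flag.
    """
    merged = dict(group_attrs)
    merged.update(user_attrs)          # local user view takes precedence
    allowed: set = set()
    for svc in service_types:
        allowed |= EFFECTIVE_BY_SERVICE.get(svc, set())   # other types: nothing
    effective = {k: v for k, v in merged.items() if k in allowed}
    ignored = sorted(k for k in merged if k not in allowed)
    return effective, ignored


def role_conflicts(roles: Iterable[str]) -> List[str]:
    """Return the roles that violate the mutual-exclusion rules: security-audit,
    system-admin, security-admin and audit-admin each exclude every other role."""
    roles = list(dict.fromkeys(roles))   # de-duplicate, keep order
    if len(roles) < 2:
        return []
    return [r for r in roles if r in STANDALONE_ROLES]


if __name__ == "__main__":
    # Constructed data loosely modelled on the display local-user example:
    # group jj authorizes idle-cut/acl/work-directory, user jj overrides idle-cut.
    group = {"idle-cut": 2, "work-directory": "flash:", "acl": 2000}
    user = {"idle-cut": 33, "vlan": 2, "user-profile": "pp"}
    print(resolve_authorization(user, group, ["lan-access"]))
    print(role_conflicts(["security-audit", "network-admin"]))
```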
Examples
# Configure the authorized VLAN of network access user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc class network
[Sysname-luser-network-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
# Assign the security-audit user role to device management user xyz as the authorized user role.
<Sysname> system-view
[Sysname] local-user xyz class manage
[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit
This operation will delete all other roles of the user. Are you sure? [Y/N]:y
Related commands
display local-user
display user-group
bind-attribute
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
Default
No binding attributes are configured for a local user.
Views
Local user view
Predefined user roles
network-admin
Parameters
call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.
location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to LAN, PPP, and portal users.
mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to SSL VPN users that log in through iNode clients, LAN users, PPP users, and portal users.
vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN, PPP, and portal users.
Usage guidelines
To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.
Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet.
Examples
# Bind MAC address 11-11-11 with network access user abc.
<Sysname> system-view
[Sysname] local-user abc class network
[Sysname-luser-network-abc] bind-attribute mac 11-11-11
Related commands
display local-user
company
Use company to specify the company of a local guest.
Use undo company to restore the default.
Syntax
company company-name
undo company
Default
No company is specified for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.
Examples
# Specify company yyy for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] company yyy
Related commands
display local-user
description
Use description to configure a description for a network access user.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a network access user.
Views
Network access user view
Predefined user roles
network-admin
Parameters
text: Configures a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for network access user 123.
<Sysname> system-view
[Sysname] local-user 123 class network
[Sysname-luser-network-123] description Manager of MSC company
Related commands
display local-user
display local-guest waiting-approval
Use display local-guest waiting-approval to display pending registration requests for local guests.
Syntax
display local-guest waiting-approval [ user-name user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name must meet the following requirements:
· Cannot contain a domain name.
· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
· Cannot be a, al, or all.
If you do not specify a guest, this command displays pending registration requests for all local guests.
Usage guidelines
On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approve the requests. The device then creates local guest accounts based on the approved requests.
Examples
# Display all pending registration requests for local guests.
<Sysname> display local-guest waiting-approval
Total 1 guest informations matched.
Guest user Smith:
Full name : Smith Li
Company : YYY
Email : Smith@yyy.com
Phone : 139189301033
Description: The employee of YYY company
Table 2 Command output
Field | Description |
---|---|
Total 1 guest informations matched. | Number of local guests that have pending registration requests. |
Full name | Full name of the local guest. |
Company | Company name of the local guest. |
Email | Email address of the local guest. |
Phone | Phone number of the local guest. |
Description | Description of the local guest. |
Related commands
reset local-guest waiting-approval
display local-user
Use display local-user to display the local user configuration and online user statistics.
Syntax
display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ike | lan-access | portal | ppp | ssh | sslvpn | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
class: Specifies the local user type.
manage: Device management user.
network: Network access user.
guest: Guest user account.
idle-cut { disable | enable }: Specifies local users by the status of the idle cut feature.
service-type: Specifies the local users that use a specific type of service.
advpn: ADVPN tunnel users.
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ike: IKE users that access the network through IKE extended authentication.
lan-access: LAN users that typically access the network through Ethernet, such as 802.1X users.
portal: Portal users.
ppp: PPP users.
ssh: SSH users.
sslvpn: SSL VPN users.
telnet: Telnet users.
terminal: Terminal users that log in through virtual console ports.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:
· Cannot contain the domain name.
· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
· Cannot be a, al, or all.
vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.
Usage guidelines
If you do not specify any parameters, this command displays information about all local users.
Examples
# Display information about all local users.
<Sysname> display local-user
Device management user root:
State: Active
Service type: SSH/Telnet/Terminal
Access limit: Enabled Max access number: 3
Current access number: 1
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: network-admin
Password control configurations:
Password aging: 3 days
Network access user jj:
State: Active
Service type: LAN access
User group: system
Bind attributes:
Location bound: GigabitEthernet1/0
MAC address: 0001-0001-0001
VLAN ID: 2
Authorization attributes:
Idle timeout: 33 minutes
Work directory: flash:
ACL number: 2000
User profile: pp
User role list: network-operator, level-0, level-3
SSL VPN policy group: spg
Description: A network access user
Validity period:
Start date and time: 2016/01/01-00:01:01
Expiration date and time:2019/12/01-01:01:01
Network access guest user user1:
State: Active
Service type: LAN access/Portal
User group: guest1
Full name: Jack
Company: cc
Email: Jack@cc.com
Phone: 131129237
Description: A guest from company cc
Sponsor full name: Sam
Sponsor department: security
Sponsor email: Sam@aa.com
Description: A guest from company cc
Validity period:
Start date and time: 2016/04/01-08:00:00
Expiration date and time:2019/12/03-18:00:00
Total 3 local users matched.
Table 3 Command output
Field | Description |
---|---|
State | Status of the local user: active or blocked. |
Service type | Service types that the local user can use. |
Access limit | Whether the concurrent login limit is enabled. |
Max access number | Maximum number of concurrent logins using the local user name. |
Current access number | Current number of concurrent logins using the local user name. |
User group | Group to which the local user belongs. |
Bind attributes | Binding attributes of the local user. |
IP address | IP address of the local user. |
Location bound | Binding port of the local user. |
MAC address | MAC address of the local user. |
VLAN ID | Binding VLAN of the local user. |
Calling number | Calling number of the ISDN user. |
Authorization attributes | Authorization attributes of the local user. |
Idle timeout | Idle timeout period of the user, in minutes. |
Session-timeout | Session timeout timer for the user, in minutes. |
Callback number | Authorized PPP callback number of the local user. |
Work directory | Directory that the FTP, SFTP, or SCP user can access. |
ACL number | Authorization ACL of the local user. |
VLAN ID | Authorized VLAN of the local user. |
User profile | Authorization user profile of the local user. |
User role list | Authorized roles of the local user. |
IP pool | IPv4 address pool authorized to the local user. |
SSL VPN policy group | SSL VPN policy group authorized to the local user. |
IP address | IPv4 address authorized to the local user. |
IPv6 address | IPv6 address authorized to the local user. |
IPv6 prefix | IPv6 address prefix authorized to the local user. |
IPv6 pool | IPv6 address pool authorized to the local user. |
Primary DNS server | IPv4 address of the primary DNS server for the local user. |
Secondary DNS server | IPv4 address of the secondary DNS server for the local user. |
Primary DNSV6 server | IPv6 address of the primary DNS server for the local user. |
Secondary DNSV6 server | IPv6 address of the secondary DNS server for the local user. |
URL | Authorization PADM URL for the local user. |
VPN instance | Authorization VPN instance for the local user. |
Password control configurations | Password control attributes that are configured for the local user. |
Password aging | Password expiration time. |
Password length | Minimum number of characters that a password must contain. |
Password composition | Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password. |
Password complexity | Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times. |
Maximum login attempts | Maximum number of consecutive failed login attempts. |
Action for exceeding login attempts | Action to take on the user that failed to log in after using up all login attempts. |
Password history was last reset | The most recent time that the history password records were cleared. |
Full name | Name of the local guest. |
Company | Company name of the local guest. |
Email | Email address of the local guest. |
Phone | Phone number of the local guest. |
Sponsor full name | Name of the guest sponsor. |
Sponsor department | Department of the guest sponsor. |
Sponsor email | Email address of the guest sponsor. |
Description | Description of the network access user. |
Validity period | Validity period of the network access user. |
Start date and time | Date and time from which the network access user begins to take effect. |
Expiration date and time | Date and time at which the network access user expires. |
display user-group
Use display user-group to display user group configuration.
Syntax
display user-group { all | name group-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Specifies all user groups.
name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.
Examples
# Display the configuration of all user groups.
<Sysname> display user-group all
Total 2 user groups matched.
User group: system
Authorization attributes:
Work directory: flash:
User group: jj
Authorization attributes:
Idle timeout: 2 minutes
Callback number: 2:2
Work directory: flash:/
ACL number: 2000
VLAN ID: 2
User profile: pp
SSL VPN policy group: policygroup1
Password control configurations:
Password aging: 2 days
Table 4 Command output
Field | Description |
---|---|
User group | User group name. |
Authorization attributes | Authorization attributes of the user group. |
Idle timeout | Idle timeout period, in minutes. |
Session-timeout | Session timeout timer, in minutes. |
Callback number | Authorized PPP callback number. |
Work directory | Directory that FTP, SFTP, or SCP users in the group can access. |
ACL number | Authorization ACL. |
VLAN ID | Authorized VLAN. |
User profile | Authorization user profile. |
IP pool | IPv4 address pool authorized to the user group. |
SSL VPN policy group | SSL VPN policy group authorized to the user group. |
IPv6 prefix | IPv6 address prefix authorized to the user group. |
IPv6 pool | IPv6 address pool authorized to the user group. |
Primary DNS server | IPv4 address of the primary DNS server authorized to the user group. |
Secondary DNS server | IPv4 address of the secondary DNS server authorized to the user group. |
Primary DNSV6 server | IPv6 address of the primary DNS server authorized to the user group. |
Secondary DNSV6 server | IPv6 address of the secondary DNS server authorized to the user group. |
URL | Authorization PADM URL for the user group. |
VPN instance | Authorization VPN instance for the user group. |
Password control configurations | Password control attributes that are configured for the user group. |
Password aging | Password expiration time. |
Password length | Minimum number of characters that a password must contain. |
Password composition | Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password. |
Password complexity | Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times. |
Maximum login attempts | Maximum number of consecutive failed login attempts. |
Action for exceeding login attempts | Action to take on the user that failed to log in after using up all login attempts. |
email
Use email to configure an email address for a local guest.
Use undo email to restore the default.
Syntax
email email-string
undo email
Default
No email address is configured for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. The string must contain exactly one at sign (@) and cannot consist of the at sign alone.
Usage guidelines
The local guest uses the email address to receive notifications from the device.
Examples
# Configure the email address as abc@yyy.com for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] email abc@yyy.com
Related commands
display local-user
full-name
Use full-name to configure the name of a local guest.
Use undo full-name to restore the default.
Syntax
full-name name-string
undo full-name
Default
No name is configured for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.
Examples
# Configure the name as abc Snow for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] full-name abc Snow
Related commands
display local-user
group
Use group to assign a local user to a user group.
Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to user group system.
Views
Local user view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign device management user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111 class manage
[Sysname-luser-manage-111] group abc
Related commands
display local-user
local-guest auto-delete enable
Use local-guest auto-delete enable to enable the guest auto-delete feature.
Use undo local-guest auto-delete enable to restore the default.
Syntax
local-guest auto-delete enable
undo local-guest auto-delete enable
Default
The guest auto-delete feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to automatically delete the local guest accounts when they expire.
Examples
# Enable the guest auto-delete feature.
<Sysname> system-view
[Sysname] local-guest auto-delete enable
Related commands
validity-datetime
local-guest email format
Use local-guest email format to configure the subject and body for the email notifications of local guest information.
Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.
Syntax
local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }
undo local-guest email format to { guest | manager | sponsor } { body | subject }
Default
No subject or body is configured for the email notifications of local guest information.
Views
System view
Predefined user roles
network-admin
Parameters
to: Specifies the email recipient.
guest: Specifies the local guest.
manager: Specifies the guest manager.
sponsor: Specifies the guest sponsor.
body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.
subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.
Usage guidelines
Email notifications need to be sent to notify the local guests, guest sponsors, or guest managers of the guest account information or guest registration requests. Use this command to configure the subject and body for the email notifications to be sent by the device.
You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.
You must configure both the subject and body for each recipient.
Examples
# Configure the subject and body for the email notifications to send to the local guest.
<Sysname> system-view
[Sysname] local-guest email format to guest subject Guest account information
[Sysname] local-guest email format to guest body A guest account has been created for you. The username, password, and validity period of the account are given below.
Related commands
local-guest email sender
local-guest email smtp-server
local-guest manager-email
local-guest send-email
local-guest email sender
Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.
Use undo local-guest email sender to restore the default.
Syntax
local-guest email sender email-address
undo local-guest email sender
Default
No email sender address is configured for the email notifications of local guests sent by the device.
Views
System view
Predefined user roles
network-admin
Parameters
email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters. The string must contain exactly one at sign (@) and cannot consist of the at sign alone.
Usage guidelines
If you do not specify the email sender address, the device cannot send email notifications of local guests.
The device supports only one email sender address for local guests. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the email sender address as abc@yyy.com for email notifications of local guests.
<Sysname> system-view
[Sysname] local-guest email sender abc@yyy.com
Related commands
local-guest email format
local-guest email smtp-server
local-guest manager-email
local-guest send-email
local-guest email smtp-server
Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests.
Use undo local-guest email smtp-server to restore the default.
Syntax
local-guest email smtp-server url-string
undo local-guest email smtp-server
Default
No SMTP server is specified to send email notifications of local guests.
Views
System view
Predefined user roles
network-admin
Parameters
url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the SMTP server at smtp://www.test.com/smtp to send local guest email notifications.
<Sysname> system-view
[Sysname] local-guest email smtp-server smtp://www.test.com/smtp
Related commands
local-guest email format
local-guest email sender
local-guest manager-email
local-guest send-email
local-guest generate
Use local-guest generate to create local guests in batch.
Syntax
local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time
Views
System view
Predefined user roles
network-admin
Parameters
username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device randomly generates passwords for the local guests.
suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.
group group-name: Specifies a user group by the name. The group-name argument is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group system.
count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.
validity-datetime: Specifies the validity period of the local guests. The expiration date and time must be later than the start date and time.
start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
to: Specifies the end date and time of the validity period.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
Usage guidelines
Account names of batch created local guests start with the same string specified by the name prefix, and end with a different number as the suffix. The system increases the start suffix number by 1 for each new local guest created in the batch.
The device generates plaintext passwords by using the password prefix and suffix number in the same way it batch creates the local guest names.
Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.
If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.
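The following added Python example (not H3C code) reproduces the batch naming and password rules described above, parses the validity-datetime formats from the syntax, and reports which generated names would silently override existing accounts. The existing-account list, the random password length and all inputs are constructed assumptions.

```python
"""Batch local-guest account generation.

Added example (not H3C code): reproduces the naming and password rules from
the local-guest generate guidelines above and flags names that would override
existing accounts. The existing-account list and all inputs are constructed.
"""
import secrets
import string
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Tuple

FORBIDDEN_NAME_CHARS = set('/\\|:*?<>@')
RANDOM_PASSWORD_LEN = 16   # assumption; the device's own length is not stated above


def parse_datetime(date_str: str, time_str: str) -> datetime:
    """Parse a validity-datetime value: date as MM/DD/YYYY or YYYY/MM/DD,
    time as hh[:mm[:ss]] (so "1" means 01:00:00 and "0" means 00:00:00)."""
    parts = date_str.split("/")
    if len(parts) != 3:
        raise ValueError("date must be MM/DD/YYYY or YYYY/MM/DD")
    if len(parts[0]) == 4:
        year, month, day = (int(p) for p in parts)
    else:
        month, day, year = (int(p) for p in parts)
    if not 2000 <= year <= 2035:
        raise ValueError("year must be 2000 to 2035")
    fields = [int(f) for f in time_str.split(":")]
    if not 1 <= len(fields) <= 3:
        raise ValueError("time must be hh[:mm[:ss]]")
    fields += [0] * (3 - len(fields))
    return datetime(year, month, day, *fields)   # rejects out-of-range values


def generate_guests(name_prefix: str, suffix: str, count: int,
                    start_date: str, start_time: str,
                    expiration_date: str, expiration_time: str,
                    password_prefix: Optional[str] = None,
                    group: str = "system",
                    existing: Sequence[str] = ()) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (guests, collisions). Names are prefix + suffix, with the suffix
    incremented by 1 per guest and its leading zeros kept (abc + 01 -> abc01).
    Passwords use password_prefix + suffix when a prefix is given, otherwise a
    random string. collisions lists generated names that already exist, since
    the device overrides such accounts without warning."""
    if not 1 <= len(name_prefix) <= 45:
        raise ValueError("name prefix must be 1 to 45 characters")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name_prefix))
    if bad:
        raise ValueError(f"name prefix contains forbidden characters: {bad}")
    if password_prefix is not None and not 1 <= len(password_prefix) <= 53:
        raise ValueError("password prefix must be 1 to 53 characters")
    if not (suffix.isdigit() and 1 <= len(suffix) <= 10):
        raise ValueError("suffix must be a numeric string of 1 to 10 digits")
    if not 1 <= count <= 256:
        raise ValueError("count must be 1 to 256")
    start = parse_datetime(start_date, start_time)
    end = parse_datetime(expiration_date, expiration_time)
    if end <= start:
        raise ValueError("expiration must be later than start")

    alphabet = string.ascii_letters + string.digits
    existing_set = set(existing)
    guests: List[Dict[str, object]] = []
    collisions: List[str] = []
    for i in range(count):
        num = str(int(suffix) + i).zfill(len(suffix))   # keep the suffix width
        name = name_prefix + num
        if password_prefix is not None:
            password = password_prefix + num
        else:
            password = "".join(secrets.choice(alphabet)
                               for _ in range(RANDOM_PASSWORD_LEN))
        if name in existing_set:
            collisions.append(name)
        guests.append({"name": name, "password": password, "group": group,
                       "start": start, "expiration": end})
    return guests, collisions


if __name__ == "__main__":
    # Mirrors the example above: abc01 through abc20 in group visit.
    guests, clashes = generate_guests("abc", "01", 20, "2018/10/01", "00:00:00",
                                      "2019/10/02", "12:00:00", group="visit",
                                      existing=["abc05", "bob"])
    print(guests[0]["name"], guests[-1]["name"], "would override:", clashes)
```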
Examples
# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The user accounts are effective from 2018/10/01 00:00:00 to 2019/10/02 12:00:00.
<Sysname> system-view
[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2018/10/01 00:00:00 to 2019/10/02 12:00:00
Related commands
local-user
display local-user
local-guest manager-email
Use local-guest manager-email to configure the email address of the guest manager.
Use undo local-guest manager-email to restore the default.
Syntax
local-guest manager-email email-address
undo local-guest manager-email
Default
No email address is configured for the guest manager.
Views
System view
Predefined user roles
network-admin
Parameters
email-address: Specifies the email address, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.
Usage guidelines
Use this command to specify the email address to which the device sends the local guest registration requests for approval.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the email address of the guest manager as xyz@yyy.com.
<Sysname> system-view
[Sysname] local-guest manager-email xyz@yyy.com
Related commands
local-guest email format
local-guest email sender
local-guest email smtp-server
local-guest send-email
local-guest send-email
Use local-guest send-email to send emails to a local guest or guest sponsor.
Syntax
local-guest send-email user-name user-name to { guest | sponsor }
Views
User view
Predefined user roles
network-admin
Parameters
user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:
· Cannot contain a domain name.
· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
· Cannot be a, al, or all.
to: Specifies the email recipient.
guest: Specifies the local guest.
sponsor: Specifies the guest sponsor.
Usage guidelines
Guest managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.
Examples
# Send an email to notify local guest abc of the guest password and validity period information.
<Sysname> local-guest send-email user-name abc to guest
Related commands
sponsor-email
local-guest timer
Use local-guest timer to set the waiting-approval timeout timer for local guests.
Syntax
local-guest timer waiting-approval time-value
undo local-guest timer waiting-approval
Default
The setting is 24 hours.
Views
System view
Predefined user roles
network-admin
Parameters
time-value: Specifies the waiting-approval timeout timer in hours. The value range is 1 to 720.
Usage guidelines
The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved before the timer expires, the device deletes the registration request.
Examples
# Set the waiting-approval timeout timer to 12 hours.
<Sysname> system-view
[Sysname] local-guest timer waiting-approval 12
local-user
Use local-user to add a local user and enter its view, or enter the view of an existing local user.
Use undo local-user to delete local users.
Syntax
local-user user-name [ class { manage | network [ guest ] } ]
undo local-user { user-name class { manage | network [ guest ] } | all [ service-type { advpn | ftp | http | https | ike | lan-access | portal | ppp | ssh | sslvpn | telnet | terminal } | class { manage | network [ guest ] } ] }
Default
No local users exist.
Views
System view
Predefined user roles
network-admin
Parameters
user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:
· Cannot contain a domain name.
· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
· Cannot be a, al, or all.
class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.
manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.
network: Network access user that accesses network resources through the device. Network access users can use ADVPN, IKE, LAN access, portal, PPP, and SSL VPN services.
guest: Guest that can access network resources through the device during a specific validity period. Guests can use LAN access and portal services.
all: Specifies all users.
service-type: Specifies the local users that use a specific type of service.
advpn: ADVPN tunnel users.
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ike: IKE users that access the network through IKE extended authentication.
lan-access: LAN users that typically access the network through Ethernet, such as 802.1X users.
portal: Portal users.
ppp: PPP users.
ssh: SSH users.
sslvpn: SSL VPN users.
telnet: Telnet users.
terminal: Terminal users that log in through virtual console ports.
Examples
# Add a device management user named user1 and enter local user view.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1]
# Add a network access user named user2 and enter local user view.
<Sysname> system-view
[Sysname] local-user user2 class network
[Sysname-luser-network-user2]
# Add a local guest named user3 and enter local guest view.
<Sysname> system-view
[Sysname] local-user user3 class network guest
[Sysname-luser-network(guest)-user3]
Related commands
display local-user
service-type (local user view)
local-user-export class network guest
Use local-user-export class network guest to export local guest account information to a .csv file in the specified path.
Syntax
local-user-export class network guest url url-string
Views
System view
Predefined user roles
network-admin
Parameters
url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.
Usage guidelines
You can import the user account information back to the device or to other devices that support the local-user-import class network guest command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import class network guest."
The device supports TFTP and FTP file transfer modes. Table 5 describes the valid URL formats of the .csv file.
Protocol | URL format | Description |
---|---|---|
TFTP | tftp://server/path/filename | Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
FTP | With FTP user name and password: ftp://username:password@server/path/filename. Without FTP user name and password: ftp://server/path/filename. | Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv. |
Examples
# Export local guest account information to the guest.csv file in the ftp://1.1.1.1/user/ path.
<Sysname> system-view
[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv
Related commands
display local-user
local-user-import class network guest
local-user-import class network guest
Use local-user-import class network guest to import local guest account information from a .csv file in the specified path to the device to create local guests based on the imported information.
Syntax
local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *
Views
System view
Predefined user roles
network-admin
Parameters
url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.
validity-datetime: Specifies the guest validity period of the local guests. The expiration date and time must be later than the start date and time.
start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
to: Specifies the end date and time of the validity period.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device. If you do not specify this keyword, the device adds all imported local guests to the system-defined user group named system.
override: Enables the device to override the existing account with the same name as an imported guest account. If you do not specify this keyword, the device retains the existing account and does not import the local guest with the same name.
start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.
Usage guidelines
The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:
· Username—User name of the guest account. The user name cannot be empty and cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name cannot be a, al, or all. Any invalid character results in account import failure and interruption.
· Password—Password of the guest account in plaintext form. If the password is empty, the device generates a random password in encrypted form for the guest.
· User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group named system.
· Guest full name—Name of the guest.
· Guest company—Company of the guest.
· Guest email—Email address of the guest.
· Guest phone—Phone number of the guest.
· Guest description—Description of the guest.
· Sponsor full name—Name of the guest sponsor.
· Sponsor department—Department of the guest sponsor.
· Sponsor email—Email address of the guest sponsor.
The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation results in account import failure and interruption. The system displays the number of the line where the account import is interrupted.
Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,
Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com
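The following validator, added here as an example and not part of the command reference or the device software, checks a guest .csv file against the rules above before it is uploaded: the eleven-column order, the quoting of values that contain commas, the local user name restrictions (which are the same ones listed under local-user), the length limits stated by the password, user-group, phone and sponsor-* commands, and the at-sign rule stated for sponsor-email. Like the device, it stops at the first bad entry and reports its line number, and it honours a start-line value. The column names, the function names and the second sample line are constructed for this example; guest full name, company and description are not length-checked because their limits are not stated in this section, and empty optional fields are assumed to be accepted.

```python
import csv
import io

# Column order required by the local-user-import class network guest command.
COLUMNS = (
    "username", "password", "user_group", "guest_full_name", "guest_company",
    "guest_email", "guest_phone", "guest_description",
    "sponsor_full_name", "sponsor_department", "sponsor_email",
)

# Characters that a local user name cannot contain, and the reserved names.
FORBIDDEN_NAME_CHARS = set("/\\|:*?<>@")
RESERVED_NAMES = {"a", "al", "all"}

# Length limits taken from the local-user, password, user-group, phone and
# sponsor-* commands. Guest full name, company and description limits are
# not stated in this section, so those fields are not length-checked.
MAX_LEN = {
    "username": 55, "password": 63, "user_group": 32, "guest_phone": 32,
    "guest_email": 255, "sponsor_full_name": 255, "sponsor_department": 127,
    "sponsor_email": 255,
}


def check_username(name):
    """Return None if name satisfies the local user name rules, else a reason."""
    if not name:
        return "user name is empty"
    if len(name) > MAX_LEN["username"]:
        return "user name longer than %d characters" % MAX_LEN["username"]
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        return "user name contains forbidden character(s) %s" % "".join(bad)
    if name in RESERVED_NAMES:
        return "user name %r is reserved" % name
    return None


def check_email(value):
    """Rule stated for sponsor-email: exactly one @, and not only the @."""
    if value.count("@") != 1:
        return "must contain exactly one @"
    if value == "@":
        return "cannot consist of only @"
    return None


def check_entry(fields):
    """Validate one parsed account entry; return None or the rejection reason."""
    if len(fields) != len(COLUMNS):
        return "expected %d fields, got %d" % (len(COLUMNS), len(fields))
    entry = dict(zip(COLUMNS, fields))
    reason = check_username(entry["username"])
    if reason:
        return reason
    for col, limit in MAX_LEN.items():
        if len(entry[col]) > limit:
            return "%s longer than %d characters" % (col, limit)
    # Assumption: empty optional fields are accepted (the page only requires
    # the user name); non-empty email fields must satisfy the email rule.
    for col in ("guest_email", "sponsor_email"):
        if entry[col]:
            reason = check_email(entry[col])
            if reason:
                return "%s %s" % (col, reason)
    return None


def validate_guest_csv(text, start_line=1):
    """Check a guest .csv file the way the import command reads it.

    Returns (accepted, failed_line, reason). failed_line is None when every
    entry from start_line onward is valid; otherwise it is the physical line
    number at which the device would interrupt the import.
    """
    accepted = 0
    reader = csv.reader(io.StringIO(text))
    for fields in reader:
        if reader.line_num < start_line or not fields:
            continue
        reason = check_entry(fields)
        if reason:
            return accepted, reader.line_num, reason
        accepted += 1
    return accepted, None, None


# Constructed sample: line 1 is the entry shown in the usage guidelines,
# line 2 is a constructed entry whose user name contains a forbidden slash.
SAMPLE_CSV = (
    'Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,'
    '"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com\n'
    'ann/b,,,Ann Lee,ETP,ann@etp.com,1399800,,Sam Wang,Ministry of personnel,Sam@yy.com\n'
)

if __name__ == "__main__":
    print(validate_guest_csv(SAMPLE_CSV))
```

Running the file reports (1, 2, 'user name contains forbidden character(s) /'): the first entry would be imported and the import would stop at line 2, which is the line number the device would display.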
The device supports TFTP and FTP file transfer modes. Table 6 describes the valid URL formats of the .csv file.
Protocol | URL format | Description |
---|---|---|
TFTP | tftp://server/path/filename | Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv. |
FTP | With FTP user name and password: ftp://username:password@server/path/filename. Without FTP user name and password: ftp://server/path/filename. | Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv. |
Examples
# Import guest account information from the ftp://1.1.1.1/user/guest.csv file and specify a validity period for the imported guests.
<Sysname> system-view
[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2018/10/01 00:00:00 to 2019/10/02 12:00:00
Related commands
display local-user
local-user-export class network guest
password (device management user view)
Use password to configure a password for a device management user.
Use undo password to restore the default.
Syntax
In non-FIPS mode:
password [ { hash | simple } string ]
undo password
In FIPS mode:
password
Default
In non-FIPS mode:
A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.
In FIPS mode:
A device management user does not have a password and cannot pass authentication.
Views
Device management user view
Predefined user roles
network-admin
Parameters
hash: Specifies a password encrypted by the hash algorithm.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in hashed form.
string: Specifies the password string. This argument is case sensitive. In non-FIPS mode, the hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters. In FIPS mode, the password is in plaintext form and is a string of 15 to 63 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
If you do not specify any parameters, you enter the interactive mode to set a plaintext password.
In non-FIPS mode, a device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.
In FIPS mode, a password is required for a device management user to pass authentication. You must set the password in interactive mode.
When global password control is enabled, the device handles passwords of device management users as follows:
· All passwords in the history records are saved in hashed form.
· If a user changes its own password in plaintext form, the system requests the user to enter the current plaintext password. The new password must be different from all passwords in the history records and the current password. In addition, the new password must have a minimum of four characters different from the current password.
· If a user changes the password for another user in plaintext form, the new password must be different from all passwords in that user's history records and from that user's current password.
· If a user deletes its own password, the system requests the user to enter the current plaintext password.
· Except the above listed situations, the system does not request a user to enter the current plaintext password or compare the new password with passwords in the history records and the current password.
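The following model, added here as an example and not taken from the command reference or the device software, shows how the rules above can be enforced while only hashed records are kept: a user changing its own password supplies the current plaintext, which is what makes the four-character comparison possible, whereas a user changing another user's password is only subject to the history and current-password comparison. The storage scheme (salted PBKDF2-SHA256), the class and method names, and the way character differences are counted (positions that differ plus the length difference) are assumptions for this example; the page states neither the device's hash algorithm nor how "four characters different" is measured.

```python
import hashlib
import hmac
import os

# Assumed storage scheme: salted PBKDF2-SHA256 records. The page only says
# that passwords and history records are kept in hashed form.
SALT_LEN = 16
ITERATIONS = 100_000


def hash_password(plain):
    """Return salt || PBKDF2-SHA256(plain) with a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(plain, record):
    """Constant-time check of a plaintext against a stored record."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def char_difference(old, new):
    """Assumption: count positions that differ plus the length difference.
    The page requires four characters to differ but does not define the count."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


class ManageUser:
    """Device management user holding only hashed password records."""

    def __init__(self, name, password):
        self.name = name
        self.current = hash_password(password)
        self.history = []  # earlier passwords, hashed form only

    def _seen_before(self, new_plain):
        # Because only hashes are stored, the candidate is verified against
        # each record rather than compared as plaintext.
        return verify_password(new_plain, self.current) or any(
            verify_password(new_plain, old) for old in self.history)

    def _commit(self, new_plain):
        self.history.append(self.current)
        self.current = hash_password(new_plain)

    def change_own_password(self, current_plain, new_plain):
        """Own password change: the current plaintext is requested, and both
        the history comparison and the four-character rule apply."""
        if not verify_password(current_plain, self.current):
            return False, "current password incorrect"
        if self._seen_before(new_plain):
            return False, "new password matches the current password or a history record"
        if char_difference(current_plain, new_plain) < 4:
            return False, "new password must differ from the current one in at least four characters"
        self._commit(new_plain)
        return True, "password changed"

    def change_password_for(self, other, new_plain):
        """Change another user's password: no current-password prompt and no
        four-character rule, only the history and current-password comparison."""
        if other._seen_before(new_plain):
            return False, "new password matches %s's current password or a history record" % other.name
        other._commit(new_plain)
        return True, "password changed"
```

A rejected change leaves both the current record and the history untouched, so a failed attempt cannot be used to push an old password out of the history window.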
Examples
# Set the password to 123456TESTplat&! in plaintext form for device management user user1.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
# Configure the password in interactive mode for device management user test.
<Sysname> system-view
[Sysname] local-user test class manage
[Sysname-luser-manage-test] password
Password:
confirm :
Related commands
display local-user
password (network access user view)
Use password to configure a password for a network access user.
Use undo password to restore the default.
Syntax
password { cipher | simple } string
undo password
Default
A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.
Views
Network access user view
Predefined user roles
network-admin
Parameters
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
As a best practice to enhance security, configure a password for each network access user.
Examples
# Set the password to 123456TESTuser&! in plaintext form for network access user user1.
<Sysname> system-view
[Sysname] local-user user1 class network
[Sysname-luser-network-user1] password simple 123456TESTuser&!
Related commands
display local-user
phone
Use phone to specify the phone number of a local guest.
Use undo phone to restore the default.
Syntax
phone phone-number
undo phone
Default
No phone number is specified for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
phone-number: Specifies the phone number, a string of 1 to 32 characters.
Examples
# Specify the phone number as 13813723920 for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] phone 13813723920
Related commands
display local-user
reset local-guest waiting-approval
Use reset local-guest waiting-approval to clear pending registration requests for local guests.
Syntax
reset local-guest waiting-approval [ user-name user-name ]
Views
User view
Predefined user roles
network-admin
Parameters
user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name must meet the following requirements:
· Cannot contain a domain name.
· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).
· Cannot be a, al, or all.
If you do not specify a guest, this command clears information about all registration requests for local guests.
Examples
# Clear information about all registration requests for local guests.
<Sysname> reset local-guest waiting-approval
Related commands
display local-guest waiting-approval
service-type (local user view)
Use service-type to specify the service types that a local user can use.
Use undo service-type to remove service types configured for a local user.
Syntax
In non-FIPS mode:
service-type { advpn | ftp | ike | { http | https | ssh | telnet | terminal } * | portal | ppp | sslvpn }
undo service-type { advpn | ftp | ike | { http | https | ssh | telnet | terminal } * | portal | ppp | sslvpn }
In FIPS mode:
service-type { advpn | ike | lan-access | { https | pad | ssh | terminal } * | portal | ppp | sslvpn }
undo service-type { advpn | ike | lan-access | { https | pad | ssh | terminal } * | portal | ppp | sslvpn }
Default
A local user is not authorized to use any service.
Views
Local user view
Predefined user roles
network-admin
Parameters
advpn: Authorizes the user to use the ADVPN service.
ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.
http: Authorizes the user to use the HTTP service.
https: Authorizes the user to use the HTTPS service.
ike: Authorizes the user to use the IKE extended authentication service.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service and log in from a virtual console port.
portal: Authorizes the user to use the portal service.
ppp: Authorizes the user to use the PPP service.
sslvpn: Authorizes the user to use the SSL VPN service.
Usage guidelines
You can assign multiple service types to a user.
Examples
# Authorize device management user user1 to use the Telnet and FTP services.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] service-type telnet
[Sysname-luser-manage-user1] service-type ftp
Related commands
display local-user
sponsor-department
Use sponsor-department to specify the department of the guest sponsor for a local guest.
Use undo sponsor-department to restore the default.
Syntax
sponsor-department department-string
undo sponsor-department
Default
No department is specified for the guest sponsor of a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.
Examples
# Specify the department as test for the guest sponsor of local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-department test
Related commands
display local-user
sponsor-email
Use sponsor-email to specify the email address of the guest sponsor for a local guest.
Use undo sponsor-email to restore the default.
Syntax
sponsor-email email-string
undo sponsor-email
Default
No email address is specified for the guest sponsor.
Views
Local guest view
Predefined user roles
network-admin
Parameters
email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The string must contain exactly one at sign (@) and cannot consist of only the at sign.
Examples
# Specify the email address as Sam@a.com for the guest sponsor of local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com
Related commands
display local-user
sponsor-full-name
Use sponsor-full-name to specify the guest sponsor name for a local guest.
Use undo sponsor-full-name to restore the default.
Syntax
sponsor-full-name name-string
undo sponsor-full-name
Default
No guest sponsor name is specified for a local guest.
Views
Local guest view
Predefined user roles
network-admin
Parameters
name-string: Specifies the guest sponsor name, a case-sensitive string of 1 to 255 characters.
Examples
# Specify the guest sponsor name as Sam Li for local guest abc.
<Sysname> system-view
[Sysname] local-user abc class network guest
[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li
Related commands
display local-user
state (local user view)
Use state to set the status of a local user.
Use undo state to restore the default.
Syntax
state { active | block }
undo state
Default
A local user is in active state.
Views
Local user view
Predefined user roles
network-admin
Parameters
active: Places the local user in active state to allow the local user to request network services.
block: Places the local user in blocked state to prevent the local user from requesting network services.
Examples
# Place device management user user1 in blocked state.
<Sysname> system-view
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] state block
Related commands
display local-user
user-group
Use user-group to create a user group and enter its view, or enter the view of an existing user group.
Use undo user-group to delete a user group.
Syntax
user-group group-name
undo user-group group-name
Default
A system-defined user group exists. The group name is system.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.
You cannot use the undo user-group command to delete a user group that has local users.
You can modify settings for the system-defined user group named system, but you cannot delete the user group.
Examples
# Create a user group named abc and enter user group view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
validity-datetime
Use validity-datetime to specify the validity period for a network access user.
Use undo validity-datetime to restore the default.
Syntax
Network access user view:
validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }
undo validity-datetime
Local guest view:
validity-datetime from start-date start-time to expiration-date expiration-time
undo validity-datetime
Default
The validity period for a network access user does not expire.
Views
Network access user view
Local guest view
Predefined user roles
network-admin
Parameters
from: Specifies the validity start date and time for the user. If you do not specify this option, the command defines only the expiration date and time of the user.
start-date: Specifies the date on which the user becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
start-time: Specifies the time on the day when the user becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
to: Specifies the expiration date and time for the user. If you do not specify this option, the command defines only the validity start date and time of the user.
expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.
expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.
Usage guidelines
Expired network access user accounts cannot be used for authentication.
When both from and to options are specified, the expiration date and time must be later than the validity start date and time.
When only the from option is specified, the network access user is valid since the specified date and time.
When only the to option is specified, the network access user is valid until the specified date and time.
When the RADIUS server feature is enabled on the device, the RADIUS user data for authentication is automatically generated from the network access user configuration. The device ignores the validity start date and time of the RADIUS users.
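The following parser and checker, added here as an example and not taken from the command reference or the device software, implements the date and time formats and the from/to rules described above for both validity-datetime and the validity-datetime option of local-user-import class network guest: MM/DD/YYYY or YYYY/MM/DD dates with the year limited to 2000 to 2035, hh[:mm[:ss]] times where omitted minutes and seconds are zero, and the requirement that the expiration instant be later than the start when both are given. The function names are constructed for this example, and it assumes that an account stops being usable at the expiration instant itself.

```python
from datetime import datetime

YEAR_MIN, YEAR_MAX = 2000, 2035


def parse_date(text):
    """Parse MM/DD/YYYY or YYYY/MM/DD; the four-digit part identifies the year."""
    parts = text.split("/")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("date must be MM/DD/YYYY or YYYY/MM/DD: %r" % text)
    if len(parts[0]) == 4:
        year, month, day = (int(p) for p in parts)
    else:
        month, day, year = (int(p) for p in parts)
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError("year %d outside %d-%d" % (year, YEAR_MIN, YEAR_MAX))
    # datetime rejects a day that does not exist in the given month.
    return datetime(year, month, day)


def parse_time(text):
    """Parse hh[:mm[:ss]]; omitted mm and ss are zero, so '1' is 01:00:00."""
    parts = text.split(":")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("time must be hh:mm:ss: %r" % text)
    hh, mm, ss = (int(p) for p in parts + ["0"] * (3 - len(parts)))
    if not (0 <= hh <= 23 and 0 <= mm <= 59 and 0 <= ss <= 59):
        raise ValueError("time out of range: %r" % text)
    return hh, mm, ss


def parse_datetime(date_text, time_text):
    hh, mm, ss = parse_time(time_text)
    return parse_date(date_text).replace(hour=hh, minute=mm, second=ss)


def _take(tokens, i):
    """Parse the date and time that must follow the keyword at tokens[i]."""
    if i + 2 >= len(tokens):
        raise ValueError("date and time required after %r" % tokens[i])
    return parse_datetime(tokens[i + 1], tokens[i + 2])


def parse_validity(tokens):
    """Parse the tokens that follow validity-datetime, for example
    ['from', '2018/10/01', '00:00:00', 'to', '2019/10/02', '12:00:00'].
    Returns (start, end); either is None when only from or only to is given."""
    start = end = None
    i = 0
    if i < len(tokens) and tokens[i] == "from":
        start = _take(tokens, i)
        i += 3
    if i < len(tokens) and tokens[i] == "to":
        end = _take(tokens, i)
        i += 3
    if i != len(tokens) or (start is None and end is None):
        raise ValueError("expected from <date> <time> and/or to <date> <time>")
    if start is not None and end is not None and end <= start:
        raise ValueError("expiration must be later than the validity start")
    return start, end


def validity_error(tokens):
    """Return None when the tokens are accepted, else the rejection reason."""
    try:
        parse_validity(tokens)
    except ValueError as exc:
        return str(exc)
    return None


def account_is_valid(validity, now):
    """Assumption: usable from the start instant, unusable from the
    expiration instant onward; a missing bound is open-ended."""
    start, end = validity
    if start is not None and now < start:
        return False
    if end is not None and now >= end:
        return False
    return True
```

In local guest view both from and to are mandatory, so a caller for that view should additionally reject a result in which either element is None.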
Examples
# Specify the validity period for network access user 123.
<Sysname> system-view
[Sysname] local-user 123 class network
[Sysname-luser-network-123] validity-datetime from 2018/10/01 00:00:00 to 2019/10/02 12:00:00
Related commands
display local-user
RADIUS commands
aaa device-id
Use aaa device-id to configure the device ID.
Use undo aaa device-id to restore the default.
Syntax
aaa device-id device-id
undo aaa device-id
Default
The device ID is 0.
Views
System view
Predefined user roles
network-admin
Parameters
device-id: Specifies a device ID in the range of 1 to 255.
Usage guidelines
RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value that includes the device ID for each online user.
If you modify the device ID, the new device ID does not take effect on users that have been online during the change.
Examples
# Configure the device ID as 1.
<Sysname> system-view
[Sysname] aaa device-id 1
accounting-on enable
Use accounting-on enable to configure the accounting-on feature.
Use undo accounting-on enable to disable the accounting-on feature.
Syntax
accounting-on enable [ interval interval | send send-times ] *
undo accounting-on enable
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3.
send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.
Usage guidelines
The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.
Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.
Parameters set by using the accounting-on enable command take effect immediately.
Examples
# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
display radius scheme
accounting-on extended
Use accounting-on extended to enable the extended accounting-on feature.
Use undo accounting-on extended to disable the extended accounting-on feature.
Syntax
accounting-on extended
undo accounting-on extended
Default
The extended accounting-on feature is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
network-operator
Usage guidelines
The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture. For the extended accounting-on feature to take effect, the RADIUS server must run on IMC and the accounting-on feature must be enabled.
The extended accounting-on feature is applicable to LAN and PPP (L2TP LAC-side) users. The user data is saved to the member devices through which the users access the IRF fabric.
When this feature is enabled, the IRF fabric automatically sends an accounting-on packet to the RADIUS server after a member device reboots while the IRF fabric itself stays up. The packet contains the member device identifier. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the IRF fabric through the member device. If no users have come online through the member device, the IRF fabric does not send an accounting-on packet after the member device reboots.
The IRF fabric uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.
Execute the save command to ensure that the accounting-on extended command takes effect at the next member device reboot. For information about the save command, see Fundamentals Command Reference.
Examples
# Enable the extended accounting-on feature for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on extended
Related commands
accounting-on enable
display radius scheme
attribute 15 check-mode
Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.
Use undo attribute 15 check-mode to restore the default.
Syntax
attribute 15 check-mode { loose | strict }
undo attribute 15 check-mode
Default
The strict check method applies for SSH, FTP, and terminal users.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.
strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.
Usage guidelines
Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.
Examples
# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 15 check-mode loose
Related commands
display radius scheme
attribute 17 old-password
Use attribute 17 old-password to enable online user password change by using RADIUS attribute 17.
Use undo attribute 17 old-password to restore the default.
Syntax
attribute 17 old-password
undo attribute 17 old-password
Default
Online user password change is disabled.
Views
RADIUS scheme view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to cooperate with the RADIUS authentication server to allow users to change their passwords online. With online user password change enabled, the device sends a RADIUS authentication request to the RADIUS server upon receiving a password change request from an online user. In the authentication request, the device carries the new user password in RADIUS attribute 2 and the old user password in RADIUS attribute 17. If the device receives a response from the RADIUS server, the online user's password is changed successfully.
This feature is applicable only to SSL VPN users.
Do not enable this feature if the RADIUS server does not support online user password change.
Examples
# In RADIUS scheme radius1, enable online user password change by using RADIUS attribute 17.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 17 old-password
Related commands
display radius scheme
attribute 25 car
Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.
Use undo attribute 25 car to restore the default.
Syntax
attribute 25 car
undo attribute 25 car
Default
The RADIUS class attribute is not interpreted as CAR parameters.
Views
RADIUS scheme view
Predefined user roles
network-admin
Usage guidelines
Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.
Examples
# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
Related commands
display radius scheme
attribute 31 mac-format
Use attribute 31 mac-format to configure the MAC address format for RADIUS attribute 31.
Use undo attribute 31 mac-format to restore the default.
Syntax
attribute 31 mac-format section { six | three } separator separator-character { lowercase | uppercase }
undo attribute 31 mac-format
Default
A MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
section: Specifies the number of sections that a MAC address contains.
six: Specifies the six-section format HH-HH-HH-HH-HH-HH.
three: Specifies the three-section format HHHH-HHHH-HHHH.
separator separator-character: Specifies a case-sensitive character that separates the sections.
lowercase: Specifies the letters in a MAC address to be in lower case.
uppercase: Specifies the letters in a MAC address to be in upper case.
Usage guidelines
Configure the MAC address format for RADIUS attribute 31 to meet the requirements of the RADIUS servers.
Examples
# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase
Related commands
display radius scheme
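The following Python functions, added here as an illustration and not part of the command reference or the device software, render a MAC address in each layout that attribute 31 mac-format can select, and check whether a value already follows a given layout (useful, for example, when a RADIUS server policy expects Calling-Station-Id in one fixed spelling). The function and parameter names are assumptions for the example.

```python
import re

# Added example: formats a MAC address the way 'attribute 31 mac-format' selects.
# Function and parameter names are assumptions for this illustration, not device code.


def format_mac_attribute31(mac, section="six", separator="-", case="uppercase"):
    """Return 'mac' in the layout chosen by
    attribute 31 mac-format section { six | three } separator <char> { lowercase | uppercase }.
    The defaults reproduce the command's default format HH-HH-HH-HH-HH-HH.
    Input may use any common spelling (aa:bb:cc:dd:ee:ff, AABB.CCDD.EEFF, aabbccddeeff)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)       # keep only the 12 hex digits
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if section == "six":
        width = 2                                    # HH-HH-HH-HH-HH-HH
    elif section == "three":
        width = 4                                    # HHHH-HHHH-HHHH
    else:
        raise ValueError("section must be 'six' or 'three'")
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    if case not in ("lowercase", "uppercase"):
        raise ValueError("case must be 'lowercase' or 'uppercase'")
    parts = [digits[i:i + width] for i in range(0, 12, width)]
    rendered = separator.join(parts)
    return rendered.lower() if case == "lowercase" else rendered.upper()


def matches_attribute31_format(value, section="six", separator="-", case="uppercase"):
    """True if 'value' (for example a Calling-Station-Id received by a RADIUS server)
    is already in the configured layout, including the letter case."""
    try:
        return value == format_mac_attribute31(value, section, separator, case)
    except ValueError:
        return False
```

The check function is strict on purpose: a server that compares Calling-Station-Id strings against an allow list must see exactly the spelling the device is configured to send, so a case or separator mismatch is reported as a mismatch rather than silently normalized.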
attribute convert (RADIUS DAS view)
Use attribute convert to configure a RADIUS attribute conversion rule.
Use undo attribute convert to delete RADIUS attribute conversion rules.
Syntax
attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }
undo attribute convert [ src-attr-name ]
Default
No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
coa-ack: Specifies the CoA acknowledgment packets.
coa-request: Specifies the CoA request packets.
received: Specifies the received DAE packets.
sent: Specifies the sent DAE packets.
Usage guidelines
The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.
The conversion rules take effect only when the RADIUS attribute translation feature is enabled.
When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:
· The source and destination RADIUS attributes in a rule must use the same data type.
· The source and destination RADIUS attributes in a rule cannot use the same name.
· A source RADIUS attribute can be converted by only one kind of criterion: packet type or direction.
· One source RADIUS attribute cannot be converted to multiple destination attributes.
If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.
Examples
# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute in the received DAE packets with the Connect-Info attribute.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] attribute convert Hw-Server-String to Connect-Info received
Related commands
attribute translate
attribute convert (RADIUS scheme view)
Use attribute convert to configure a RADIUS attribute conversion rule.
Use undo attribute convert to delete RADIUS attribute conversion rules.
Syntax
attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }
undo attribute convert [ src-attr-name ]
Default
No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
access-accept: Specifies the RADIUS Access-Accept packets.
access-request: Specifies the RADIUS Access-Request packets.
accounting: Specifies the RADIUS accounting packets.
received: Specifies the received RADIUS packets.
sent: Specifies the sent RADIUS packets.
Usage guidelines
The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.
The conversion rules take effect only when the RADIUS attribute translation feature is enabled.
When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:
· The source and destination RADIUS attributes in a rule must use the same data type.
· The source and destination RADIUS attributes in a rule cannot use the same name.
· A source RADIUS attribute can be converted by only one kind of criterion: packet type or direction.
· One source RADIUS attribute cannot be converted to multiple destination attributes.
If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.
Examples
# In RADIUS scheme radius1, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute of received RADIUS packets with the Connect-Info attribute.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute convert Hw-Server-String to Connect-Info received
Related commands
attribute translate
attribute reject (RADIUS DAS view)
Use attribute reject to configure a RADIUS attribute rejection rule.
Use undo attribute reject to delete RADIUS attribute rejection rules.
Syntax
attribute reject attr-name { { coa-ack | coa-request } * | { received | sent } * }
undo attribute reject [ attr-name ]
Default
No RADIUS attribute rejection rules exist.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
coa-ack: Specifies the CoA acknowledgment packets.
coa-request: Specifies the CoA request packets.
received: Specifies the received DAE packets.
sent: Specifies the sent DAE packets.
Usage guidelines
Configure RADIUS attribute rejection rules for the following purposes:
· Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not recognize the attributes.
· Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.
The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
A RADIUS attribute can be rejected by only one kind of criterion: packet type or direction.
If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
Examples
# In RADIUS DAS view, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the DAE packets to be sent.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] attribute reject Connect-Info sent
Related commands
attribute translate
attribute reject (RADIUS scheme view)
Use attribute reject to configure a RADIUS attribute rejection rule.
Use undo attribute reject to delete RADIUS attribute rejection rules.
Syntax
attribute reject attr-name { { access-accept | access-request | accounting } * | { received | sent } * }
undo attribute reject [ attr-name ]
Default
No RADIUS attribute rejection rules exist.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.
access-accept: Specifies the RADIUS Access-Accept packets.
access-request: Specifies the RADIUS Access-Request packets.
accounting: Specifies the RADIUS accounting packets.
received: Specifies the received RADIUS packets.
sent: Specifies the sent RADIUS packets.
Usage guidelines
Configure RADIUS attribute rejection rules for the following purposes:
· Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not recognize the attributes.
· Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.
The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.
A RADIUS attribute can be rejected by only one kind of criterion: packet type or direction.
If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.
Examples
# In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute reject Connect-Info sent
Related commands
attribute translate
attribute remanent-volume
Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.
Use undo attribute remanent-volume to restore the default.
Syntax
attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }
undo attribute remanent-volume unit
Default
The data measurement unit is kilobyte for the Remanent_Volume attribute.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
byte: Specifies the unit as byte.
giga-byte: Specifies the unit as gigabyte.
kilo-byte: Specifies the unit as kilobyte.
mega-byte: Specifies the unit as megabyte.
Usage guidelines
Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.
Examples
# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte
Related commands
display radius scheme
attribute translate
Use attribute translate to enable the RADIUS attribute translation feature.
Use undo attribute translate to disable the RADIUS attribute translation feature.
Syntax
attribute translate
undo attribute translate
Default
The RADIUS attribute translation feature is disabled.
Views
RADIUS DAS view
RADIUS scheme view
Predefined user roles
network-admin
Usage guidelines
To cooperate with RADIUS servers of different vendors, enable the RADIUS attribute translation feature. Configure RADIUS attribute conversion rules and rejection rules to ensure that RADIUS attributes in the packets exchanged between the device and the server are supported by both sides.
Examples
# Enable the RADIUS attribute translation feature for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute translate
Related commands
attribute convert (RADIUS DAS view)
attribute convert (RADIUS scheme view)
attribute reject (RADIUS DAS view)
attribute reject (RADIUS scheme view)
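The following Python model, added as an illustration and not part of the command reference or the device software, applies conversion and rejection rules of the kind configured with attribute convert and attribute reject (in either the RADIUS scheme view or the RADIUS DAS view), honours the attribute translate switch, and enforces the restrictions listed in the usage guidelines of those commands: same data type, different names, one criterion family per attribute, one destination per source, and undo without a name deleting every rule. The attribute catalogue, the class and function names, and the evaluation order (rejection checked before conversion) are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: models 'attribute translate' plus the convert/reject rules of one
# view. The attribute catalogue is constructed for the illustration; the device's
# real attribute table and the rule-evaluation order are assumptions.

SUPPORTED_ATTRS = {                 # name -> data type (constructed)
    "Connect-Info": "string",
    "Hw-Server-String": "string",
    "Calling-Station-Id": "string",
    "Session-Timeout": "integer",
    "Idle-Timeout": "integer",
}
_CANONICAL = {name.lower(): name for name in SUPPORTED_ATTRS}   # names are case-insensitive

PACKET_TYPES = {
    "scheme": frozenset({"access-accept", "access-request", "accounting"}),
    "das": frozenset({"coa-ack", "coa-request"}),
}
DIRECTIONS = frozenset({"received", "sent"})


def _attr(name):
    """Resolve an attribute name; names the system does not support are rejected."""
    try:
        return _CANONICAL[name.lower()]
    except KeyError:
        raise ValueError(f"attribute {name!r} is not supported by the system") from None


@dataclass
class Rule:
    criteria: frozenset             # packet types or directions, never a mix
    dest: Optional[str] = None      # destination attribute; None for a rejection rule


class AttributeTranslator:
    def __init__(self, view):
        self.packet_types = PACKET_TYPES[view]
        self.enabled = False        # attribute translate / undo attribute translate
        self.convert = {}           # source attribute -> Rule
        self.reject = {}            # attribute -> Rule

    def _criteria(self, keywords):
        crit = frozenset(k.lower() for k in keywords)
        if crit and (crit <= self.packet_types or crit <= DIRECTIONS):
            return crit
        raise ValueError("use packet types valid for this view or directions, not a mix")

    def _install(self, table, key, crit, dest=None):
        """One attribute is matched by one criterion family only, and a source may
        convert to one destination only; otherwise compatible rules are merged."""
        old = table.get(key)
        if old is not None:
            if (old.criteria <= DIRECTIONS) != (crit <= DIRECTIONS):
                raise ValueError(f"{key} is already matched by the other criterion")
            if old.dest != dest:
                raise ValueError(f"{key} already converts to {old.dest}")
            crit = old.criteria | crit
        table[key] = Rule(crit, dest)

    def add_convert(self, src, dest, *keywords):
        src, dest = _attr(src), _attr(dest)
        if src == dest:
            raise ValueError("source and destination cannot use the same name")
        if SUPPORTED_ATTRS[src] != SUPPORTED_ATTRS[dest]:
            raise ValueError("source and destination must use the same data type")
        self._install(self.convert, src, self._criteria(keywords), dest)

    def add_reject(self, attr, *keywords):
        self._install(self.reject, _attr(attr), self._criteria(keywords))

    def undo_convert(self, src=None):
        """undo attribute convert [ src-attr-name ]: without a name, every rule goes."""
        if src is None:
            self.convert.clear()
        else:
            self.convert.pop(_attr(src), None)

    def translate(self, packet_type, direction, attrs):
        """Apply the rules to one packet's attributes ({name: value}). Rejection is
        checked before conversion (assumed order); unknown attributes pass through."""
        if not self.enabled:
            return dict(attrs)
        out = {}
        for name, value in attrs.items():
            name = _CANONICAL.get(name.lower(), name)
            rule = self.reject.get(name)
            if rule and (packet_type in rule.criteria or direction in rule.criteria):
                continue                                # attribute deleted
            rule = self.convert.get(name)
            if rule and (packet_type in rule.criteria or direction in rule.criteria):
                name = rule.dest                        # attribute replaced
            out[name] = value
        return out


def rule_error(add_rule, *args):
    """Return the reason a rule is refused, or None when it is accepted (and installed)."""
    try:
        add_rule(*args)
    except ValueError as exc:
        return str(exc)
    return None
```

With a scheme-view translator, add_convert("Hw-Server-String", "Connect-Info", "received") reproduces the page's conversion example and add_reject("Connect-Info", "sent") its rejection example; until enabled is set, translate() returns the packet unchanged, which mirrors the note that the rules take effect only when the translation feature is enabled.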
attribute vendor-id 2011 version
Use attribute vendor-id 2011 version to specify the version of the RADIUS servers with a vendor ID of 2011.
Use undo attribute vendor-id 2011 version to restore the default.
Syntax
attribute vendor-id 2011 version { 1.0 | 1.1 }
undo attribute vendor-id 2011 version
Default
The version is 1.0.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
1.0: Specifies version 1.0.
1.1: Specifies version 1.1.
Usage guidelines
For the device to correctly interpret RADIUS attributes from the servers with a vendor ID of 2011, specify a server version the same as the actual version of the RADIUS servers.
The following table shows the differences in the way that the device interprets the vendor-specific RADIUS attributes assigned by different versions of RADIUS servers with vendor ID 2011.
RADIUS attribute | RADIUS server with version 1.0 | RADIUS server with version 1.1 |
---|---|---|
HW_ARRT_26_1 | Upstream peak rate | Upstream burst size |
HW_ARRT_26_2 | Upstream average rate | Upstream average rate |
HW_ARRT_26_3 | N/A | Upstream peak rate |
HW_ARRT_26_4 | Downstream peak rate | Downstream burst size |
HW_ARRT_26_5 | Downstream average rate | Downstream average rate |
HW_ARRT_26_6 | N/A | Downstream peak rate |
Examples
# In RADIUS scheme radius1, specify the version of the RADIUS servers with a vendor ID of 2011 as version 1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute vendor-id 2011 version 1.1
Related commands
display radius scheme
client
Use client to specify a RADIUS DAC.
Use undo client to remove a RADIUS DAC.
Syntax
client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vendor-id 2011 version { 1.0 | 1.1 } | vpn-instance vpn-instance-name ] *
undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
No RADIUS DACs are specified.
Views
RADIUS DAS view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies a DAC by its IPv4 address.
ipv6 ipv6-address: Specifies a DAC by its IPv6 address.
key: Specifies the shared key for secure communication between the RADIUS DAC and server. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.
cipher: Specifies the key in encrypted form.
simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive. In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters. In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain characters from digits, uppercase letters, lowercase letters, and special characters.
vendor-id 2011: Specifies the vendor-ID of the DAC as 2011.
version: Specifies the version of the DAC.
1.0: Specifies the DAC version as version 1.0.
1.1: Specifies the DAC version as version 1.1.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
With the RADIUS DAS feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DACs. The device processes the requests and sends DAE responses to the DACs.
The device discards any DAE packets sent from DACs that are not specified for the DAS.
You can execute the client command multiple times to specify multiple DACs for the DAS.
To work with a DAC with vendor-ID 2011 and version 1.0, you do not need to specify the vendor-ID or version attribute. To work with a DAC with vendor-ID 2011 and version 1.1, you must specify the vendor-id 2011 version 1.1 keywords.
Examples
# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.
<Sysname> system-view
[Sysname] radius dynamic-author server
[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456
Related commands
radius dynamic-author server
port
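The following Python function, added as an illustration and not part of the command reference or the device software, checks a shared key string against the length and character-class rules stated for the string argument of the client command (non-FIPS versus FIPS mode, plaintext versus encrypted form). The function name and the use of ASCII punctuation as the definition of "special characters" are assumptions for the example.

```python
import string

# Added example: validates a shared key against the rules stated for
# 'client ... key { cipher | simple } string'. Names are assumptions for this
# illustration; "special characters" is assumed to mean ASCII punctuation.

PLAINTEXT_MAX = 64      # plaintext form: 1 to 64 characters (15 to 64 in FIPS mode)
CIPHER_MAX = 117        # encrypted form: 1 to 117 characters (15 to 117 in FIPS mode)
FIPS_MIN = 15

_CLASSES = {
    "digit": set(string.digits),
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "special character": set(string.punctuation),
}


def shared_key_problems(key, fips=False, cipher=False):
    """Return the list of rule violations for 'key'; an empty list means acceptable."""
    problems = []
    low = FIPS_MIN if fips else 1
    high = CIPHER_MAX if cipher else PLAINTEXT_MAX
    if not low <= len(key) <= high:
        problems.append(f"length {len(key)} is outside {low}..{high}")
    if fips and not cipher:
        # FIPS mode requires every class in a plaintext key
        chars = set(key)
        for label, members in _CLASSES.items():
            if not chars & members:
                problems.append(f"no {label}")
    return problems
```

Run against the key from the page's example, 123456, the function accepts it in non-FIPS mode and lists four violations in FIPS mode (too short, no uppercase letter, no lowercase letter, no special character).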
data-flow-format (RADIUS scheme view)
Use data-flow-format to set the data flow and packet measurement units for traffic statistics.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
Traffic is counted in bytes and packets.
Views
RADIUS scheme view
Predefined user roles
network-admin
Parameters
data: Specifies the unit for data flows.
byte: Specifies the unit as byte.
giga-byte: Specifies the unit as gigabyte.
kilo-byte: Specifies the unit as kilobyte.
mega-byte: Specifies the unit as megabyte.
packet: Specifies the unit for data packets.
giga-packet: Specifies the unit as giga-packet.
kilo-packet: Specifies the unit as kilo-packet.
mega-packet: Specifies the unit as mega-packet.
one-packet: Specifies the unit as one-packet.
Usage guidelines
The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.
Examples
# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display radius scheme
display radius scheme
Use display radius scheme to display RADIUS scheme configuration.
Syntax
display radius scheme [ radius-scheme-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
Total 1 RADIUS schemes
------------------------------------------------------------------
RADIUS scheme name: radius1
Index : 0
Primary authentication server:
IP : 2.2.2.2 Port: 1812
VPN : vpn1
State: Active
Test profile: 132
Probe username: test
Probe interval: 60 minutes
Primary accounting server:
IP : 1.1.1.1 Port: 1813
VPN : Not configured
State: Active
Second authentication server:
IP : 3.3.3.3 Port: 1812
VPN : Not configured
State: Block
Test profile: Not configured
Second accounting server:
Host name: Not configured
IP : 3.3.3.3 Port: 1813
VPN : Not configured
State: Block (Mandatory)
Weight: 0
Accounting-On function : Enabled
extended function : Disabled
retransmission times : 5
retransmission interval(seconds) : 2
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(seconds) : 22
NAS IP Address : 1.1.1.1
VPN : Not configured
User Name Format : with-domain
Data flow unit : Megabyte
Packet unit : One
Attribute 15 check-mode : Strict
Attribute 25 : CAR
Attribute Remanent-Volume unit : Mega
RADIUS server version (vendor ID 2011) : 1.0
Attribute 31 MAC format : hh:hh:hh:hh:hh:hh
Attribute 17 carry old password : Disabled
Stop-accounting-packet send-force : Disabled
------------------------------------------------------------------
Table 7 Command output
Field | Description |
---|---|
Index | Index number of the RADIUS scheme. |
Primary authentication server | Information about the primary authentication server. |
Primary accounting server | Information about the primary accounting server. |
Second authentication server | Information about the secondary authentication server. |
Second accounting server | Information about the secondary accounting server. |
IP | IP address of the server. This field displays Not configured if the server is not configured. |
Port | Service port number of the server. If no port number is specified, this field displays the default port number. |
VPN | MPLS L3VPN instance to which the server or the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured. |
State | Status of the server: · Active—The server is in active state. · Block—The server is changed to blocked state automatically. · Block (Mandatory)—The server is set to blocked state manually. |
Test profile | Test profile used for RADIUS server status detection. |
Probe username | Username used for RADIUS server status detection. |
Probe interval | Server status detection interval, in minutes. |
Accounting-On function | Whether the accounting-on feature is enabled. |
extended function | Whether the extended accounting-on feature is enabled. |
retransmission times | Number of accounting-on packet transmission attempts. |
retransmission interval(seconds) | Interval at which the device retransmits accounting-on packets, in seconds. |
Timeout Interval(seconds) | RADIUS server response timeout period, in seconds. |
Retransmission Times | Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. |
Retransmission Times for Accounting Update | Maximum number of accounting attempts. |
Server Quiet Period(minutes) | Quiet period for the servers, in minutes. |
Realtime Accounting Interval(seconds) | Interval for sending real-time accounting updates, in seconds. |
NAS IP Address | Source IP addresses for outgoing RADIUS packets. This field displays Not configured if no source IP addresses are specified for outgoing RADIUS packets. |
User Name Format | Format for the usernames sent to the RADIUS server: · with-domain—Includes the domain name. · without-domain—Excludes the domain name. · keep-original—Forwards the username as the username is entered. |
Data flow unit | Measurement unit for data flow. |
Packet unit | Measurement unit for packets. |
Attribute 15 check-mode | RADIUS Login-Service attribute check method for SSH, FTP, and terminal users: · Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively. · Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services. |
Attribute 25 | RADIUS attribute 25 interpretation status: · Standard—The attribute is not interpreted as CAR parameters. · CAR—The attribute is interpreted as CAR parameters. |
Attribute Remanent-Volume unit | Data measurement unit for the RADIUS Remanent_Volume attribute. |
RADIUS server version (vendor ID 2011) | Version of the RADIUS servers with a vendor ID of 2011: · 1.0. · 1.1. |
Attribute 31 MAC format | MAC address format for RADIUS attribute 31. |
Attribute 17 carry old password | Status of online user password change by using RADIUS attribute 17: · Enabled—Online user password change by using RADIUS attribute 17 is enabled. The device uses RADIUS attribute 17 to carry a user's old password. · Disabled—Online user password change by using RADIUS attribute 17 is disabled. |
display radius statistics
Use display radius statistics to display RADIUS packet statistics.
Syntax
display radius statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display RADIUS packet statistics.
<Sysname> display radius statistics
Auth. Acct. SessCtrl.
Request Packet: 0 0 0
Retry Packet: 0 0 -
Timeout Packet: 0 0 -
Access Challenge: 0 - -
Account Start: - 0 -
Account Update: - 0 -
Account Stop: - 0 -
Terminate Request: - - 0
Set Policy: - - 0
Packet With Response: 0 0 0
Packet Without Response: 0 0 -
Access Rejects: 0 - -
Dropped Packet: 0 0 0
Check Failures: 0 0 0
Table 8 Command output
Field | Description |
---|---|
Auth. | Authentication packets. |
Acct. | Accounting packets. |
SessCtrl. | Session-control packets. |
Request Packet | Number of request packets. |
Retry Packet | Number of retransmitted request packets. |
Timeout Packet | Number of request packets timed out. |
Access Challenge | Number of access challenge packets. |
Account Start | Number of start-accounting packets. |
Account Update | Number of accounting update packets. |
Account Stop | Number of stop-accounting packets. |
Terminate Request | Number of packets for logging off users forcibly. |
Set Policy | Number of packets for updating user authorization information. |
Packet With Response | Number of packets for which responses were received. |
Packet Without Response | Number of packets for which no responses were received. |
Access Rejects | Number of Access-Reject packets. |
Dropped Packet | Number of discarded packets. |
Check Failures | Number of packets with checksum errors. |
Related commands
reset radius statistics
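The following Python code, added as an illustration and not part of the command reference or the device software, parses the table printed by display radius statistics into a dictionary and derives a few findings from it that an operator polling the counters would want flagged: a high share of authentication requests without a response, and any non-zero Dropped Packet or Check Failures counters. The sample output is constructed (the counter values are invented for the example), and the function names and the 10 % threshold are assumptions.

```python
import re

# Added example: parses 'display radius statistics' output and derives health
# findings. The sample output below is constructed for the illustration;
# function names and the ratio threshold are assumptions, not values from the page.

SAMPLE_STATISTICS = """\
<Sysname> display radius statistics
                                   Auth.      Acct.      SessCtrl.
Request Packet:                    12         8          0
Retry Packet:                      2          0          -
Timeout Packet:                    1          0          -
Access Challenge:                  0          -          -
Account Start:                     -          4          -
Account Update:                    -          3          -
Account Stop:                      -          1          -
Terminate Request:                 -          -          0
Set Policy:                        -          -          0
Packet With Response:              10         8          0
Packet Without Response:           2          0          -
Access Rejects:                    3          -          -
Dropped Packet:                    0          0          0
Check Failures:                    2          0          0
"""

COLUMNS = ("Auth.", "Acct.", "SessCtrl.")
# "<label>:" followed by exactly three whitespace-separated counter columns
ROW_RE = re.compile(r"^\s*(?P<label>[^:]+?):\s+(?P<a>\S+)\s+(?P<b>\S+)\s+(?P<c>\S+)\s*$")


def _counter(token):
    """'-' marks a counter that does not apply to that packet class."""
    return None if token == "-" else int(token)


def parse_radius_statistics(text):
    """Return {row label: {column: count or None}} for every row after the header."""
    stats = {}
    seen_header = False
    for line in text.splitlines():
        if not seen_header:
            seen_header = line.split() == list(COLUMNS)   # skip the prompt line
            continue
        match = ROW_RE.match(line)
        if match:
            values = (_counter(match["a"]), _counter(match["b"]), _counter(match["c"]))
            stats[match["label"].strip()] = dict(zip(COLUMNS, values))
    return stats


def radius_health_findings(stats, max_unanswered_ratio=0.1):
    """Flag conditions worth a closer look: many authentication requests with no
    response (server or path trouble) and any dropped or checksum-failed packets."""
    findings = []
    requests = stats["Request Packet"]["Auth."]
    unanswered = stats["Packet Without Response"]["Auth."]
    if requests and unanswered / requests > max_unanswered_ratio:
        findings.append(f"{unanswered} of {requests} authentication requests got no response")
    for row in ("Dropped Packet", "Check Failures"):
        for column, count in stats[row].items():
            if count:
                findings.append(f"{row} ({column}) = {count}")
    return findings


if __name__ == "__main__":
    for finding in radius_health_findings(parse_radius_statistics(SAMPLE_STATISTICS)):
        print(finding)
```

Because the counters are cumulative, a monitoring job should keep the previous sample and compare deltas; reset radius statistics (listed under Related commands) clears them on the device, which is the manual equivalent.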
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication or accounting communication.
Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.
Syntax
key { accounting | authentication } { cipher | simple } string
undo key { accounting | authentication }
Default
No shared key is configured for secure RADIUS authentication