This feature enables the system to record information about users that go offline abnormally. These records help the administrator analyze the causes and resolve the issues for abnormal user offline events. To display user abnormal offline records, use the display aaa abnormal-offline-record command.

This feature takes effect only when user offline recording is enabled.

The device can record a maximum of 32768 user abnormal offline records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user abnormal offline recording.

<Sysname> system-view

[Sysname] aaa abnormal-offline-record enable

Related commands

aaa offline-record enable

display aaa abnormal-offline-record

aaa default-domain

Use aaa default-domain to configure default ISP domains on an interface.

Use undo aaa default-domain to remove default ISP domain configuration from an interface.

Syntax

aaa default-domain { authentication [ force | replace ] isp-name | pre-authentication isp-name } *

undo aaa default-domain [ authentication | pre-authentication ]

Default

No default ISP domains are configured on an interface.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

authentication: Specifies a default authentication domain. If you do not specify the force or replace keyword, this command specifies a common default authentication domain that applies only to users with usernames that do not include a domain name.

authentication force: Specifies a force default authentication domain. The device forcibly uses this domain to authenticate users but remains the ISP domain names in the users' usernames unchanged.

authentication replace: Specifies a replacement default authentication domain. The device forcibly uses this domain to authenticate users and changes the ISP domain names in the users' usernames to the name of this domain.

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). You must specify an existing ISP domain.

pre-authentication: Specifies a default preauthentication domain. The device assigns unauthenticated users to this domain so that the users can obtain an IP address.

Usage guidelines

If the access module does not specify an authentication domain for a user, the device uses one of the default authentication domains to accommodate the user.

This command is applicable only to PPP users.

On an interface, you can configure only one default authentication domain (common default authentication domain, force default authentication domain, or replacement default authentication domain). If you configure the default authentication domain multiple times, the most recent configuration takes effect.

Examples

# Specify ISP domain my-domain as the force default authentication domain on GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa default-domain authentication force my-domain

Related commands

domain

aaa deny-domain

Use aaa deny-domain to specify a denied domain on an interface.

Use undo aaa deny-domain to remove denied domains from an interface.

Syntax

aaa deny-domain isp-name

undo aaa deny-domain [ isp-name ]

Default

No denied domains are specified on an interface.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

Usage guidelines

Use this command to deny users in the specified ISP domain from accessing an interface.

This command is applicable only to PPP users.

You can specify a maximum of 16 denied domains on an interface.

If you do not specify an ISP domain, the undo form of this command removes all denied domains from an interface.

On an interface, this command is mutually exclusive with the aaa permit-domain command.

Examples

# Specify ISP domain my-domain2 as a denied domain on GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa deny-domain my-domain2

Related commands

aaa permit-domain

domain

aaa nas-id

Use aaa nas-id to set the NAS-ID on an interface.

Use undo aaa nas-id to restore the default.

Syntax

aaa nas-id nas-identifier

undo aaa nas-id

Default

No NAS-ID is set on an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

mdc-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-insensitive string of 1 to 253 characters.

Usage guidelines

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1. NAS-ID bound with VLANs in a NAS-ID profile.

2. NAS-ID on an interface.

3. NAS-ID in an ISP domain.

If no NAS-ID is selected, the device uses the device name as the NAS-ID.

The NAS-ID on an interface is applicable only to PPP users.

Examples

# Set the NAS-ID to test on GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa nas-id test

Related commands

aaa nas-id profile

nas-id

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.

Use undo aaa nas-id profile to delete a NAS-ID profile.

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

Default

No NAS-ID profiles exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name : Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.

By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests.

A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.

For example, map the NAS-ID companyA to all VLANs of company A. The device will send companyA in the NAS-Identifier attribute for the RADIUS server to identify requests from any Company A users.

You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

4. NAS-ID bound with VLANs in a NAS-ID profile.

5. NAS-ID on an interface.

6. NAS-ID in an ISP domain.

Examples

# Create a NAS-ID profile named aaa and enter its view.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

aaa nas-id

aaa nas-id-profile

nas-id bind

aaa nas-id-profile

Use aaa nas-id-profile to specify a NAS-ID profile for an interface.

Use undo aaa nas-id-profile to restore the default.

Syntax

aaa nas-id-profile profile-name

undo aaa nas-id-profile

Default

No NAS-ID profile is specified for an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command takes effect only on PPP users.

Examples

# Specify NAS-ID profile bbb for GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname–GigabitEthernet1/2/0/1] aaa nas-id-profile bbb

Related commands

aaa nas-id profile

nas-id bind

aaa nas-ip

Use aaa nas-ip to set the NAS IP address on an interface.

Use undo aaa nas-ip to remove the NAS IP address from the interface.

Syntax

aaa nas-ip { ipv4-address | ipv6 ipv6-address }

undo aaa nas-ip [ ipv6 ]

Default

No NAS IP address is set on an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.

The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.

You can specify the NAS IP address in interface view, RADIUS scheme view, and system view.

· The NAS IP address specified by using this command in interface view applies only to users that access the network through the interface.

· The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

· The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.

The priority order is as follows:

7. The NAS IP address specified in interface view.

8. The NAS IP address specified in RADIUS scheme view.

9. The NAS IP address specified in system view.

An interface can have only one NAS IPv4 address and one NAS IPv6 address for RADIUS packets.

If you do not specify the ipv6 keyword for the undo aaa nas-ip command, the command removes the configured NAS IPv4 address for RADIUS packets.

Examples

# Specify IP address 1.1.1.1 as the NAS IPv4 address of RADIUS packets on GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa nas-ip 1.1.1.1

Related commands

nas-ip (RADIUS scheme view)

radius nas-ip

aaa normal-offline-record enable

Use aaa normal-offline-record enable to enable user normal offline recording.

Use undo aaa normal-offline-record enable to disable user normal offline recording.

Syntax

aaa normal-offline-record enable

undo aaa normal-offline-record enable

Default

User normal offline recording is enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This feature enables the system to record information about users that go offline normally. These records help the administrator analyze causes of user offline events. To display user normal offline records, use the display aaa normal-offline-record command.

This feature takes effect only when user offline recording is enabled.

The device can record a maximum of 32768 user normal offline records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user normal offline recording.

<Sysname> system-view

[Sysname] aaa normal-offline-record enable

Related commands

aaa offline-record enable

display aaa normal-offline-record

aaa offline-record enable

Use aaa offline-record enable to enable user offline recording.

Use undo aaa offline-record enable to disable user offline recording.

Syntax

aaa offline-record enable

undo aaa offline-record enable

Default

User offline recording is enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

You must enable this feature so that user abnormal offline recording and user normal offline recording can take effect. Then, the system can record information about users that go offline normally and abnormally. To display user offline records, use the display aaa offline-record command.

The device can record a maximum of 65536 user offline records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user offline recording.

<Sysname> system-view

[Sysname] aaa offline-record enable

Related commands

aaa abnormal-offline-record enable

aaa normal-offline-record enable

display aaa offline-record

aaa online-fail-record enable

Use aaa online-fail-record enable to enable user online failure recording.

Use undo aaa online-fail-record enable to disable user online failure recording.

Syntax

aaa online-fail-record enable

undo aaa online-fail-record enable

Default

User online failure recording is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This feature enables the system to record information about users that fail to come online. These records help the administrator identify causes of user online failures and check for malicious users. To display user online failure records, use the display aaa online-fail-record command.

The device can record a maximum of 32768 user online failure records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user online failure recording.

<Sysname> system-view

[Sysname] aaa online-fail-record enable

Related commands

display aaa online-fail-record

aaa permit-domain

Use aaa permit-domain to specify a permitted domain on an interface.

Use undo aaa permit-domain to remove permitted domains from an interface.

Syntax

aaa permit-domain isp-name

undo aaa permit-domain [ isp-name ]

Default

No permitted domains are specified on an interface. All ISP domains are permitted.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

Usage guidelines

Use this command to allow only users in the specified ISP domain to access an interface.

This command is applicable only to PPP users.

You can specify a maximum of 16 permitted domains on an interface.

If you do not specify an ISP domain, the undo form of this command removes all permitted domains from an interface. The interface allows users in any ISP domains to access.

On an interface, this command is mutually exclusive with the aaa deny-domain command.

Examples

# Specify ISP domain my-domain as a permitted domain on GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa permit-domain my-domain

Related commands

aaa deny-domain

domain

aaa roam-domain

Use aaa roam-domain to specify a roaming domain on an interface.

Use undo aaa roam-domain to remove the roaming domain from an interface.

Syntax

aaa roam-domain isp-name

undo aaa roam-domain

Default

No roaming domain is specified on an interface.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

Usage guidelines

The device uses the roaming domain to authenticate a user if the user is assigned to the ISP domain carried in the username but the assigned domain does not exist.

This command is applicable only to PPP users.

Examples

# Specify ISP domain domain1 as the roaming domain on GigabitEthernet 1/2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa roam-domain domain1

Related commands

domain

aaa server-online-user reset enable

Use aaa server-online-user reset enable to enable the device to notify an AAA server to remove the online users it maintains for a NAS after that NAS reboots.

Use undo aaa server-online-user reset enable to disable the device from notifying an AAA server to remove the online users it maintains for a NAS after that NAS reboots.

Syntax

aaa server-online-user reset enable server-ip ipv4-address [ port port-number ] [ vpn-instance vpn-instance-name ] nas-ip ipv4-address [ key { cipher | simple } string ]

undo aaa server-online-user reset enable server-ip ipv4-address [ port port-number ] [ vpn-instance vpn-instance-name ] nas-ip ipv4-address

Default

The device does not notify an AAA server to remove the online users it maintains for a NAS after that NAS reboots.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

server-ip ipv4-address: Specifies a server by its IPv4 address.

port port-number: Specifies the service port that the server uses to receive offline request messages. The value range for the TCP port number is 1 to 65535. The default setting is 10022.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

nas-ip ipv4-address: Specifies a NAS managed by the server.

key: Specifies the shared key for securing offline request messages. If you do not specify a shared key, the device does not use a shared key to secure the offline request messages. The specified shared key must be the same as that configured on the server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. Its plaintext form is a string of 1 to 24 characters in hexadecimal notation. Its encrypted form is a string of 1 to 65 characters.

Usage guidelines

Use this command to notify a server to stop accounting for the online users it maintains for a NAS after that NAS reboots. In addition, the online user entries are removed on the server.

You can use this command for servers from specific vendors. The servers do not support the RADIUS accounting-on feature.

If the authentication server and accounting server are separated for online users, you must specify the IP address of the accounting server.

Examples

# Configure the device to notify server 2.2.2.2 with a port number of 8888 to remove the online users it maintains for the NAS at 2.2.2.1 after that NAS reboots. Set the shared key to a7b8c2d1a3b7c5d3a8b8c8d8 in plain text for securing the offline request messages.

<Sysname> system-view

[Sysname] aaa server-online-user reset enable server-ip 2.2.2.2 port 8888 nas-ip 2.2.2.1 key simple a7b8c2d1a3b7c5d3a8b8c8d8

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range for FTP, SSH, and Telnet services is 1 to 32, and the value range for HTTP and HTTPS services is 1 to 64.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

aaa ssid

Use aaa ssid to set the SSID on an interface

Use undo aaa ssid to restore the default.

Syntax

aaa ssid ssid-name

undo aaa ssid

Default

No SSID is set on an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ssid-name: Specifies an SSID name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In a wireless network, the SSID on a user access interface identifies the SSID of the wireless network to which users on the interface access. The SSID is used as follows:

· Carried in the Web server URL to which the device redirects users.

To carry an SSID in the Web server URL, you must specify the ssid keyword when you execute the web-server url-parameter command.

· Populated in the standard attribute 30 (Called-Station-Id attribute) of outgoing RADIUS authentication requests. The format of the SSID information is 00-00-00-00-00-00:ssid-name.

Do not execute the aaa ssid command if no wireless users exist on the interface.

Examples

# Set the SSID on GigabitEthernet 1/2/0/1 to test11.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/2/0/1

[Sysname-GigabitEthernet1/2/0/1] aaa ssid test11

Related commands

web-server url-parameter

access-limit

Use access-limit to set the maximum number of users allowed to access an ISP domain.

Use undo access-limit to restore the default.

Syntax

access-limit limit-number

undo access-limit

Default

No limit is placed on the number of users allowed to access an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

limit-number: Specifies the maximum number of users allowed to access the ISP domain. The value range is 1 to 2147483647.

Usage guidelines

This command does not distinguish the service types of users. When the number of concurrent users in an ISP domain reaches the maximum number, the system denies access of subsequent users to the domain.

The maximum number of concurrent login users is also restricted by the aaa session-limit command in system view.

This limit does not affect reauthenticated users, ITA users, or EDSG users.

Examples

# Allow a maximum of 100 users to access ISP domain my-domain.

<Sysname> system-view

[Sysname] domain name my-domain

[Sysname-isp-my-domain] access-limit 100

Related commands

display domain

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.

· When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.

· When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

When the primary accounting method is local, the following rules apply to the accounting of a user:

· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡ An exception occurs in the local accounting process.

¡ The user account is not configured on the device or the user is not allowed to use the access service.

· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting dual-stack

Use accounting dual-stack to specify the accounting method for dual-stack users.

Use undo accounting dual-stack to restore the default.

Syntax

accounting dual-stack { merge | separate }

undo accounting dual-stack

Default

The merge method applies.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

merge: Merges IPv4 data with IPv6 data for accounting.

separate: Separates IPv4 data from IPv6 data for accounting.

Usage guidelines

If the charging rates are different for IPv4 and IPv6 data, use the separate method for the accounting of dual-stack users.

Examples

# In ISP domain test, configure the device to merge IPv4 data with IPv6 data for the accounting of dual-stack users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting dual-stack merge

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

When the primary accounting method is local, the following rules apply to the accounting of a user:

· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡ An exception occurs in the local accounting process.

¡ The user account is not configured on the device.

· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

accounting ppp

Use accounting ppp to specify accounting methods for PPP users.

Use undo accounting ppp to restore the default.

Syntax

accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting ppp

Default

The default accounting methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

When the primary accounting method is local, the following rules apply to the accounting of a user:

· The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡ An exception occurs in the local accounting process.

¡ The user account is not configured on the device or the user is not allowed to use the PPP service.

· The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

The following guidelines apply to broadcast accounting:

· The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable for a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for PPP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ppp local

# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ppp radius-scheme rd local

# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

timer realtime-accounting (RADIUS scheme view)

accounting quota-out

Use accounting quota-out to configure access control for users that have used up their data or time accounting quotas.

Use undo accounting quota-out to restore the default.

Syntax

accounting quota-out { offline | online } [ no-accounting-update ]

undo accounting quota-out

Default

The device sends accounting-update packets to the server to request new quotas for the users that have used up their accounting quotas. A user is logged off if the device does not receive any new quota for the user.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

offline: Logs off users that have used up their accounting quotas.

online: Allows users that have used up their accounting quotas to stay online.

Usage guidelines

The server might divide the accounting quota of a user into multiple portions and assign a portion to the user each time. If the server does not support dividing user accounting quota, specify the no-accounting-update keyword to decrease the burden of the server as a best practice.

Examples

# In ISP domain test, configure the device to allow users that have used up their accounting quotas to stay online.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting quota-out online

accounting start-delay

Use accounting start-delay to set the start-accounting delay (the period of time that the device waits before sending a start-accounting request).

Use undo accounting start-delay to restore the default.

Syntax

accounting start-delay delay-time

undo accounting start-delay

Default

The start-accounting delay is 0 seconds.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

delay-time: Specifies the start-accounting delay, in the range of 1 to 300 seconds.

Usage guidelines

This command applies only to PPPoE dual-stack users.

By default, the device sends a start-accounting request for a dual-stack user immediately after the user obtains the first IP address. Then, the device sends a real-time accounting request each time the dual-stack user obtains another IP address. If the server requires the device not to send an accounting request each time the user obtains an IP address, you can set the start-accounting delay to meet the requirement.

After you set the start-accounting delay, the device sends accounting requests for a dual-stack user as follows:

· If a dual-stack user obtains all IP addresses within the start-accounting delay, the device sends a start-accounting request immediately after the user obtains all IP addresses.

· If the dual-stack user does not obtain all IP addresses within the start-accounting delay, the device sends a start-accounting request when the delay ends. Then, the device sends an update-accounting request each time the user obtains an IP address.

Whether the user obtains all IP addresses is determined by the access module.

A long delay affects the accounting accuracy and a short delay causes frequent sending of accounting requests. Set an appropriate start-accounting delay based on the time required by IP address allocation for dual-stack users.

Examples

# In ISP domain test, set the start-accounting delay to 10 seconds.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting start-delay 10

Related commands

display domain

accounting start-fail

Use accounting start-fail to configure access control for users that encounter accounting-start failures.

Use undo accounting start-fail to restore the default.

Syntax

accounting start-fail { offline | online }

undo accounting start-fail

Default

The device allows users that encounter accounting-start failures to stay online.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

offline: Logs off users that encounter accounting-start failures.

online: Allows users that encounter accounting-start failures to stay online.

Examples

# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.

Use undo accounting update-fail to restore the default.

Syntax

accounting update-fail { [ max-times max-times ] offline | online }

undo accounting update-fail

Default

The device allows users that have failed all their accounting-update attempts to stay online.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

max-times max-times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the times argument is 1 to 255, and the default value is 1.

offline: Logs off users that have failed all their accounting-update attempts.

online: Allows users that have failed all their accounting-update attempts to stay online.

Examples

# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting update-fail online

authen-fail

Use authen-fail to configure the authentication failure policy for users in an ISP domain.

Use undo authen-fail to restore the default.

Syntax

authen-fail { offline | online domain new-isp-name }

undo authen-fail

Default

The device logs out users in an ISP domain if the users fail authentication.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

offline: Logs out users that fail authentication.

online: Allows users that fail authentication to stay online.

domain new-isp-name: Specifies a reauthentication domain to accommodate users that fail authentication. The new-isp-name argument represents the name of the reauthentication domain, a case-insensitive string of 1 to 255 characters. The specified domain must already exist. The domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

Use this command to flexibly process users that fail authentication in an ISP domain according to the network requirements. You can configure the device to take one of the following actions on the users:

· Log out the users.

· Allow the users to stay online, and then assign the users to the reauthentication domain of the ISP domain for reauthentication.

You cannot delete an ISP domain if that ISP domain has been specified as a reauthentication domain. To delete such an ISP domain, first use the undo authen-fail command to cancel the reauthentication domain configuration.

The reauthentication domain of an ISP domain does not take effect on any of the following users:

· Device management users that fail authentication in the ISP domain.

· Users that fail authentication in the ISP domain because of authentication timeout, for example, no response from the authentication server or no local user account.

· Users that fail authentication in the ISP domain because the ISP domain is in blocked state or is a denied domain.

· Users that fail authentication in the ISP domain because the maximum number of access users in the ISP domain has been reached.

· Users that have been assigned to the reauthentication domain fails authentication again.

· Users that fail reauthentication in the ISP domain.

Examples

# In ISP domain test, specify ISP domain dm1 as a reauthentication domain to accommodate users that fail authentication.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authen-fail online domain dm1

Related commands

display domain

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

When the primary authentication method is local, the following rules apply to the authentication of a user:

· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡ An exception occurs in the local authentication process.

¡ The user account is not configured on the device or the user is not allowed to use the access service.

· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

When the primary authentication method is local, the following rules apply to the authentication of a user:

· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡ An exception occurs in the local authentication process.

¡ The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication ppp

Use authentication ppp to specify authentication methods for PPP users.

Use undo authentication ppp to restore the default.

Syntax

authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication ppp

Default

The default authentication methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

When the primary authentication method is local, the following rules apply to the authentication of a user:

· The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡ An exception occurs in the local authentication process.

¡ The user account is not configured on the device or the user is not allowed to use the PPP service.

· The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, perform local authentication for PPP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication ppp local

# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

local-user

radius scheme

authentication super

Use authentication super to specify methods for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.

You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain name test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

hwtacacs scheme

radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.

The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

command authorization (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Non-login users can access the network.

· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

When the primary authorization method is local, the following rules apply to the authorization of a user:

· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡ An exception occurs in the local authorization process.

¡ The user account is not configured on the device or the user is not allowed to use the access service.

· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console, AUX, or asyn port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

When the primary authorization method is local, the following rules apply to the authorization of a user:

· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡ An exception occurs in the local authorization process.

¡ The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization ppp

Use authorization ppp to specify authorization methods for PPP users.

Use undo authorization ppp to restore the default.

Syntax

authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization ppp

Default

The default authorization methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

When the primary authorization method is local, the following rules apply to the authorization of a user:

· The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡ An exception occurs in the local authorization process.

¡ The user account is not configured on the device or the user is not allowed to use the PPP service.

· The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, perform local authorization for PPP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization ppp local

# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization ppp radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] [ traffic { both | inbound | outbound } ] | igmp max-access-number max-access-number | ip-pool ipv4-pool-name | ip-pool-group ipv4-pool-group-name | ipv6-nd-prefix-pool ipv6-prefix-pool-name | ipv6-pool ipv6-pool-name | ipv6-pool-group ipv6-pool-group-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number max-access-number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | redirect-times times | session-group-profile session-group-profile-name | session-timeout timeout | user-group user-group-name | user-priority { inbound | outbound } priority | user-profile profile-name | vpn-instance vpn-instance-name }

undo authorization-attribute { car | idle-cut | igmp | ip-pool | ip-pool-group | ipv6-nd-prefix-pool | ipv6-pool | ipv6-pool-group | ipv6-prefix | mld | primary-dns | redirect-times | secondary-dns | session-group-profile | session-timeout | user-group | user-priority { inbound | outbound } | user-profile | vpn-instance }

Default

The idle cut feature is disabled.

An IPv4 user can concurrently join a maximum of four IGMP multicast groups.

An IPv6 user can concurrently join a maximum of four MLD multicast groups.

The device redirects a maximum of two times a user's Web visit requests to the redirect URL.

No other authorization attributes exist.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

car: Specifies a CAR action for users. This keyword is applicable only to PPP users.

inbound: Specifies the upload rate of users.

outbound: Specifies the download rate of users.

cir committed-information-rate: Specifies the committed information rate in kbps, in the range of 1 to 4194303.

pir peak-information-rate: Specifies the peak information rate in kbps, in the range of 1 to 4194303. The peak information rate must be equal to or greater than the committed information rate. If you do not specify this option, the CAR action does not restrict users by peak information rate.

idle-cut minutes: Sets an idle timeout period in minutes. The value range for the minutes argument is 1 to 600. This option is applicable only to PPP users.

flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.

traffic: Specifies the traffic direction for the idle cut feature. If you do not specify this keyword, the idle cut feature applies to both traffic directions.

both: Specifies both traffic directions.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to PPP users.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP users.

ip-pool-group ipv4-pool-group-name: Specifies an IPv4 address pool group for users. The ipv4-pool-group-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP users.

ipv6-nd-prefix-pool ipv6-prefix-pool-name: Specifies an ND prefix pool for users. The ipv6-prefix-pool-name argument represents an IPv6 address pool to assign ND prefixes to users, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP users.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument represents an IPv6 address pool to assign IPv6 addresses to users, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP users.

ipv6-pool-group ipv6-pool-group-name: Specifies an IPv6 address pool group for users. The ipv6-pool-group-name argument represents an IPv6 address pool group, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP users.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the prefix-length argument is 1 to 128. This option is applicable only to PPP users.

mld max-access-number max-access-number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to PPP users.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to PPP users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to PPP users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to PPP users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to PPP users.

redirect-times times: Sets the maximum number of times allowed by the device to redirect a user to the redirect URL. If the maximum number is reached and the device does not receive any Web request destined for the redirect URL from the user, the device stops redirecting that user to the redirect URL. The value range for the times argument is 1 to 10. This option is applicable only to PPP users.

session-group-profile session-group-profile-name: Specifies an authorization session group profile for users. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters and can contain only letters, digits, underscores (_), and dots (.). The string can begin with a letter or a digit, but it cannot be all digits. The session-group-profile session-group-profile-name option is applicable only to PPP users.

session-timeout timeout: Specifies the session timeout time for users, in seconds. The value range for the timeout argument is 1 to 4294967294. The device logs out a user when the session timeout timer for the user expires. If the RADIUS server assigns a user the Session-Timeout attribute, the value in the assigned attribute takes precedence. This attribute is applicable only to PPP users.

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

user-priority: Specifies a user priority for users. The device uses the specified user priority to perform QoS priority mapping on user packets, and then assigns the user packets to a queue based on the target priority. Packets in a high-priority queue are preferentially scheduled when congestion occurs. In addition, the device replaces the value of the IP Precedence field in upstream packets of users with the specified user priority. You can set the upstream user priority in conjunction with the downstream user priority. By default, no user priority is assigned to users. This keyword is applicable to PPP users.

inbound: Applies the user priority to upstream packets of users.

outbound: Applies the user priority to downstream packets of users.

priority: Specifies a user priority in the range of 0 to 7. The greater the value, the higher the priority.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits. The user profile restricts the behavior of authenticated users. The user-profile profile-name option is applicable only to PPP users.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. When a user passes authentication, it has permission to access the network resources in the specified VPN. This option is applicable only to PPP users.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user. However, if the server authorizes the CAR action attribute only for one direction, the device does not authorize the CAR action attribute of the ISP domain for the other direction.

You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.

If both the address pool group and address pool attributes are assigned to a user, the address pool attribute has higher priority.

The authorization-attribute redirect-times command has lower priority than the active period for the redirect URL configured by using the redirect active-time command.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

redirect active-time

display aaa abnormal-offline-record

Use display aaa abnormal-offline-record to display user abnormal offline records.

Syntax

display aaa abnormal-offline-record { access-type { login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa abnormal-offline-record offline-reason { idle-cut | quota-out | realtime-acct-fail | session-timeout | user-detect-fail } [ brief ]

display aaa abnormal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa abnormal-offline-record

display aaa abnormal-offline-record { access-type { login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa abnormal-offline-record offline-reason { idle-cut | quota-out | realtime-acct-fail | session-timeout | user-detect-fail } [ brief ]

display aaa abnormal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa abnormal-offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

access-type: Specifies users by the access type.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number.

chassis chassis-number slot slot-number: Specifies a card on a cluster member device. The chassis-number argument represents the member ID of the cluster member device. The slot-number argument represents the slot number of the card.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

offline-reason: Specifies a user offline reason.

idle-cut: Specifies the reason as session idle timeout.

quota-out: Specifies the reason as data quota out.

realtime-acct-fail: Specifies the reason as realtime accounting failure.

session-timeout: Specifies the reason as session timeout.

user-detect-fail: Specifies the reason as user online detection failure.

time: Specifies user abnormal offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user abnormal offline records on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user abnormal offline records. If you do not specify this keyword, the command displays detailed information about user abnormal offline records.

count count: Specifies the number of user abnormal offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user abnormal offline records. This command displays the most recent user abnormal offline records that match the specified criteria in reverse chronological order.

If user abnormal offline records exist in the system, you can use this command to display the records regardless of whether user abnormal offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user abnormal offline records for all users.

The usernames that the server sends to the device might include invisible characters. For the device to display the records for users with such usernames, you must specify the fuzzy-match keyword in this command.

Examples

# Display detailed information about abnormal offline records for all users.

<Sysname> display aaa abnormal-offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: SSH

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019-01-02 15:20:33

Offline time: 2019-2-28 15:20:56

Offline reason: User disconnected from the server.

# Display brief information about abnormal offline records for login users.

<Sysname> display aaa abnormal-offline-record access-type login brief

Username: jay

MAC address: -

IP address: 11.2.2.41

IPv6 address: -

Offline reason: User disconnected from the server.

Table 1 Command output

Field	Description
Total count	Total number of matching user abnormal offline records.
Username	Name of the user. This field does not display anything if the system failed to obtain the username.
Domain	Name of the ISP domain to which the user belongs. This field does not display anything if the system failed to obtain the ISP domain.
MAC address	MAC address of the user. This filed displays a hyphen (-) if the system failed to obtain the MAC address.
Access type	Access type of the user: · Telnet. · FTP. · SSH. · Web. · Terminal—Terminal login such as console login.
Access interface	Interface through which the user accesses the network. This field displays a hyphen (-) if the system failed to obtain the access interface.
SVLAN/CVLAN	SVLAN and CVLAN to which the user belongs. This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations: · The user does not belong to an SVLAN. · The system failed to obtain the SVLAN or CVLAN of the user.
IP address	IPv4 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv4 address.
IPv6 address	IPv6 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv6 address.
Online request time	Time when the user requested to come online.
Offline time	Time when the user went offline.
Offline reason	Reason that the user went offline. For more information about the reasons, see Table 2.

Table 2 shows user online failure reasons and user offline reasons. Support for the reasons depends on the device model.

Table 2 User online failure reasons and user offline reasons

Reason	Description
Lost carrier.	The physical link went down.
Lost service.	The service that the user requested is not supported.
NAS error.	An error occurred on the device.
NAS reboot.	The device rebooted.
Admin reboot.	The administrator rebooted the device.
Process exit.	The access process exited.
NAS request.	The device requested to log out the user.
Cut command.	The administrator manually logged out the user at the CLI.
Logged off by the RADIUS server.	The RADIUS server logged out the user.
User request.	The user requested to go offline.
Authentication failed	Authentication failed.
Authorization failed.	Authorization failed.
Start accounting failed.	The device failed to start accounting for the user.
No AAA response during authentication.	The device did not receive a response from the remote authentication server within the authentication timeout time.
RADIUS authentication rejected.	The user failed RADIUS authentication because the username or password was inconsistent with that on the RADIUS server.
AAA authorization information invalid.	The authorization information was invalid or the device did not have configuration of the authorized items.
No AAA response for accounting start.	The device did not receive a response for the start-accounting request sent to the remote server within the start-accounting timeout time.
Authentication request to AAA failed.	The device failed to send the authentication request to the RADIUS server because the route between the device and the RADIUS server is unreachable.
Accounting request to AAA failed.	The device failed to send the accounting request to the RADIUS server because the route between the device and the RADIUS server is unreachable.
TACACS authentication rejected.	The user failed HWTACACS authentication because the username or password was inconsistent with that on the HWTACACS server.
Authentication method error.	The authentication method of the user was inconsistent with the authentication method configured on the access interface.
No AAA response for accounting stop.	The device did not receive a response for the stop-accounting request sent to the server.
The local user doesn't exist.	The local user does not exist on the device.
Local authentication request was rejected.	The user failed local authentication because of incorrect password.
IP assignment failed.	IP address assignment for the user failed.
Concurrent user login limit reached.	Maximum number of concurrent local users that use the username already reached.
NAS interface access limit reached.	Maximum number of online users on the interface already reached.
Maximum number of concurrent users that use this account already reached.	Maximum number of concurrent users that use the username already reached.
PPP negotiation terminated.	PPP negotiation for the user failed.
Insufficient hardware resources.	Hardware resources were insufficient.
Failed to obtain IPv6 prefix.	No IPv6 prefix was available to be assigned to the user.
No response from DHCP server.	The device did not receive a response for the request sent to the DHCP server to apply an IP address for the user.
DHCP IP address allocation failure.	DHCPv6 address assignment for the user failed. Possible reasons include: · No authorization IPv6 pool is configured in the ISP domain. · The IPv6 pool is being locked.
DHCP session conflict.	The DHCP session to be created conflicted with an existing DHCP session.
DHCP user request.	The DHCP user requested to go offline.
DHCP lease timeout.	The allocated IP address lease of the DHCP user expired.
DHCP declined.	The device received a DHCP-decline packet from the DHCP user because the allocated IP address was being used by another DHCP user.
DHCP configuration changed.	The DHCP configuration changed.
NAK from the DHCP server or tenant duration is 0.	The IP address that the DHCP user requested was not on the network segment specified for IP assignment on the device or the lease duration of the address was not extended.
IP conflict on DHCP server.	The device detected an IP address conflict.
DHCP server notified.	The DHCP server instructed the device to log out the user.
DHCP server notified, and the device deleted the user.	The DHCP server instructed the device to log out the user and the device deleted the user.
The ND RS session is updated.	The device received a new ND RS session request for the user when the user was online.
L2TP tunnel terminated by the peer.	The peer device terminated the L2TP tunnel. It might because the peer device determined that the user had gone offline.
The peer did not respond to control packets.	The peer device did not respond to the PPP control packet from the device.
Failed to set up an L2TP session.	An L2TP session was failed to be created.
Repeated LCP negotiation packets.	The device received a duplicated LCP negotiation packet. It might because the user terminated the connection and then initiated a connection again.
Failed to assign a user rule.	The device failed to issue a portal user rule to the user.
COA failure.	The device failed to process a CoA message for the user.
Failed to update authorization information.	The device failed to update the authorization information for the user.
Realtime accounting request to AAA failed.	The real-time accounting request for the user failed.
Session timeout.	The session of the user timed out.
Data quota limit reached.	The data quotas of the user were used up.
Session idle cut.	The device logged out of the user because the user's traffic in the idle timeout period at the specified direction is less than the specified minimum traffic.
User online detection failure.	The user failed online detection.
Port was removed from VLAN.	The access interface of the user was removed from the VLAN.
Port error.	A port error occurred.
Interface down or deactive.	The protocol of the interface went down, the link on the interface went down, or the interface was deactivated.
VSRP status changed.	VSRP status changed.
Backup device deleted user data that is inconsistent with data on the master device.	The backup device in the VSRP group deleted user data inconsistent with data on the master device.
MAC address change.	The MAC address of the user changed.
Failed to recover AAA resources.	The device failed to recover AAA resources for the user.
Deleted users because of inter-card session conflict.	The device deleted the user because sessions on different cards conflict.
User aged out before coming online.	The online wait timer for the user expired.
MPU-LPU data synchronization failure.	Inter-card data smoothing failed.
Failed to synchronize data with DHCP server.	The device failed to synchronize data with the DHCP server.
Failed to synchronize data with portal server.	The device failed to synchronize data with the portal server.
Failed to synchronize user information with the server.	The device failed to synchronize user data with the DHCP server.
User recovery failure.	User data recovery failed.
Failed to obtain physical information.	The device failed to obtain physical information of the user.
Authorization ACL for the online user changed.	The authorization ACL for the user changed.
Authorization user profile for the online user changed.	The authorization user profile for the user changed.
Magic number check failed.	Magic number check failed.
Reauthentication failed.	Reauthentication for the user failed.
No AAA response during realtime accounting.	The device did not receive a response for the real-time accounting request sent to the server.
Portal notified.	Portal instructed the device to log out the user.
Invalid username or password.	Invalid username or password.
No VTY line available.	No available VTY line because the maximum number of users that use VTY lines already reached.
SSH server received a packet with an incorrect message authentication code.	The message authentication code in the packet from the SSH client was incorrect.
User disconnected from the server.	The SSH or FTP user disconnected from the server.
No working directory available.	No working directory is available.
PTY allocation failed.	PTY allocation failed.
FTP server error.	The user failed to log in to the FTP server because an error existed on the FTP server.
Server is disabled.	The service was disabled.
Service type not supported.	The type of the service that the user requested was not supported.
RBAC denied file management operations in the login command.	RBAC denied file management operations in the login command.
Failed to issue RBAC access permissions to the login user.	The device failed to issue RBAC access permissions to the login user.
NETCONF inner error.	An internal NETCONF error occurred.
NETCONF session was terminated by another NETCONF session.	The NETCONF session of the user was terminated by another NETCONF session.
Failed to allocate public network ports in a CGN network.	Public network port allocation failed on the CGN network.
Failed to obtain an IP address of the type specified for basic services of users.	The user failed to obtain an IP address of the type specified for the basic services of the user.
UserGroup configuration changed.	The configuration of the user group changed.
MAC conflict.	MAC address conflict occurred.
RedisDBM clear.	A RedisDBM session clear operation was executed on the migration source device.
RedisDBM conflict.	Data conflict occurred on the migration destination device during RedisDBM data recovery.
RedisDBM block.	A RedisDBM session block operation was executed on the migration source device.

Related commands

reset aaa abnormal-offline-record

display aaa normal-offline-record

Use display aaa normal-offline-record to display user normal offline records.

Syntax

display aaa normal-offline-record { access-type { login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa normal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa normal-offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

access-type: Specifies users by the access type.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

time: Specifies user normal offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user abnormal offline records on the current day.

brief: Displays brief information about user normal offline records. If you do not specify this keyword, the command displays detailed information about user normal offline records.

count count: Specifies the number of user normal offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user normal offline records. This command displays the most recent user normal offline records that match the specified criteria in reverse chronological order.

If user normal offline records exist in the system, you can use this command to display the records regardless of whether user normal offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user normal offline records for all users.

Examples

# Display detailed information about normal offline records for all users.

<Sysname> display aaa normal-offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: Telnet

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019-01-02 15:20:33

Offline time: 2019-2-28 15:20:56

Offline reason: User request.

# Display brief information about normal offline records for login users.

<Sysname> display aaa normal-offline-record access-type login brief

Username: jay

MAC address: -

IP address: 11.2.2.41

IPv6 address: -

Offline reason: User request.

Table 3 Command output

Field	Description
Total count	Total number of matching user normal offline records.
Username	Name of the user. This field does not display anything if the system failed to obtain the username.
Domain	Name of the ISP domain to which the user belongs. This field does not display anything if the system failed to obtain the ISP domain.
MAC address	MAC address of the user. This filed displays a hyphen (-) if the system failed to obtain the MAC address.
Access type	Access type of the user: · Telnet. · FTP. · SSH. · Web. · Terminal—Terminal login such as console login.
Access interface	Interface through which the user accesses the network. This field displays a hyphen (-) if the system failed to obtain the access interface.
SVLAN/CVLAN	SVLAN and CVLAN to which the user belongs. This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations: · The user does not belong to an SVLAN. · The system failed to obtain the SVLAN or CVLAN of the user.
IP address	IPv4 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv4 address.
IPv6 address	IPv6 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv6 address.
Online request time	Time when the user requested to come online.
Offline time	Time when the user went offline.
Offline reason	Reason that the user went offline. For more information about the reasons, see Table 2.

Related commands

reset aaa normal-offline-record

display aaa offline-record

Use display aaa offline-record to display user offline records.

Syntax

display aaa offline-record { access-type { login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa offline-record

display aaa offline-record { access-type { login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

access-type: Specifies users by the access type.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

time: Specifies user offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user abnormal offline records on the current day.

brief: Displays brief information about user offline records. If you do not specify this keyword, the command displays detailed information about user offline records.

count count: Specifies the number of user offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user offline records. This command displays the most recent user offline records that match the specified criteria in reverse chronological order.

If user offline records exist in the system, you can use this command to display the records regardless of whether user offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user offline records for all users.

Examples

# Display detailed information about offline records for all users.

<Sysname> display aaa offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: Telnet

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019-01-02 15:20:33

Offline time: 2019-2-28 15:20:56

Offline reason: User request

# Display brief information about offline records for login users

<Sysname> display aaa offline-record access-type login brief

Username: jay

MAC address: -

IP address: 20.20.20.1

IPv6 address: -

Offline reason: User request.

Username: test

MAC address: -

IP address: 20.20.20.3

IPv6 address: -

Offline reason: User request.

Table 4 Command output

Field	Description
Total count	Total number of matching user offline records.
Username	Name of the user. This field does not display anything if the system failed to obtain the username.
Domain	Name of the ISP domain to which the user belongs. This field does not display anything if the system failed to obtain the ISP domain.
MAC address	MAC address of the user. This filed displays a hyphen (-) if the system failed to obtain the MAC address.
Access type	Access type of the user: · Telnet. · FTP. · SSH. · Web. · Terminal—Terminal login such as console login.
Access interface	Interface through which the user accesses the network. This field displays a hyphen (-) if the system failed to obtain the access interface.
SVLAN/CVLAN	SVLAN and CVLAN to which the user belongs. This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations: · The user does not belong to an SVLAN. · The system failed to obtain the SVLAN or CVLAN of the user.
IP address	IPv4 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv4 address.
IPv6 address	IPv6 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv6 address.
Online request time	Time when the user requested to come online.
Offline time	Time when the user went offline.
Offline reason	Reason that the user went offline. For more information about the reasons, see Table 2.

Related commands

reset aaa offline-record

display aaa online-fail-record

Use display aaa online-fail-record to display user online failure records.

Syntax

display aaa online-fail-record { access-type { login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa online-fail-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa online-fail-record

display aaa online-fail-record { access-type { login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa online-fail-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa online-fail-record

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

access-type: Specifies users by the access type.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number.

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

time: Specifies user online failure records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user abnormal offline records on the current day.

brief: Displays brief information about user online failure records. If you do not specify this keyword, the command displays detailed information about user online failure records.

count count: Specifies the number of user online failure records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user online failure records. This command displays the most recent user online failure records that match the specified criteria in reverse chronological order.

If user online failure records exist in the system, you can use this command to display the records regardless of whether user online failure recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user online failure records for all users.

Examples

# Display detailed information about the most recent two online failure records for login users that use the username aaa.

<Sysname> display aaa online-fail-record username aaa access-type login count 2

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: 100/-

IP address: 19.19.0.1

IPv6 address: -

Online request time: 2019-01-02 15:20:37

Online failure reason: Authentication failed.

Server reply message: no user exists.

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019-01-02 15:20:33

Online failure reason: Authentication failed.

Server reply message: no user exists.

# Display brief information about user online failure records generated from 2019-03-01 13:20:50 to 2019-03-02 17:20:30.

<Sysname> display aaa online-fail-record time 13:20:50 10:20:30 date 2019/3/1 2019/3/2 brief

Username: aaa

MAC address: -

IP address: 19.19.0.2

IPv6 address: -

Online failure reason: Authentication failed.

Server reply message: no user exists.

# Display detailed information about user online failure records generated from 2019-03-01 13:20:50 to 2019-03-02 17:20:30.

<Sysname> display aaa online-fail-record time 13:20:50 17:20:30 date 2019/3/1 2019/3/2

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.1

IPv6 address: -

Online request time: 2019-03-02 16:20:33

Online failure reason: Authentication failed

Server reply message: no user exists.

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: GigabitEthernet1/2/0/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019-03-01 15:20:51

Online failure reason: Authentication failed.

Server reply message: no user exists.

Table 5 Command output

Field	Description
Total count	Total number of matching user online failure records.
Username	Name of the user. This field does not display anything if the system failed to obtain the username.
Domain	Name of the ISP domain to which the user belongs. This field does not display anything if the system failed to obtain the ISP domain.
MAC address	MAC address of the user. This filed displays a hyphen (-) if the system failed to obtain the user's MAC address.
Access type	Access type of the user: · Telnet. · FTP. · SSH. · Web. · Terminal—Terminal login such as console login.
Access interface	Interface through which the user accesses the network. This field displays a hyphen (-) if the system failed to obtain the access interface.
SVLAN/CVLAN	SVLAN and CVLAN to which the user belongs. This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations: · The user does not belong to an SVLAN. · The system failed to obtain the SVLAN or CVLAN of the user.
IP address	IPv4 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv4 address.
IPv6 address	IPv6 address of the user. This field displays a hyphen (-) if the system failed to obtain the IPv6 address.
Online request time	Time when the user requested to come online.
Online failure reason	Reason that the user failed to come online. For more information about the reasons, see Table 2.
Server reply message	Message sent from the server. This field is not displayed if the server does not send a message.

Related commands

reset aaa online-fail-record

display aaa online-offline-reason

Use display aaa online-offline-reason to display descriptions of online-offline reason codes.

Syntax

display aaa online-offline-reason [ code code-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

code code-id: Specifies an online-offline reason code by its ID. The minimum value is 1. To view the value range of the code-id argument, press a question mark (?) in the place of this argument when you enter this command in the CLI. If you do not specify an online-offline reason code, this command displays descriptions for all online-offline reason codes (excpet reserved reason codes).

Usage guidelines

The device uses online-offline reason codes to identify the reasons that users fail to come online and that users go offline normally or abnormally. When a user goes offline, the device carries an online-offline reason code in the stop-accounting request sent to the server. Use this command to identify the meaning of these codes.

There are a large number of online-offline reason codes. For easy identification, specify a reason code when you execute this command.

Examples

# Display the description of online-offline reason code 1.

<Sysname> display aaa online-offline-reason code 1

Code Description

1 user logoff

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ name isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

name isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Usage guidelines

To display load-sharing user groups in an ISP domain and the number of users in each group, you must specify the ISP domain when executing this command.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

Domain: system

Current state: Active

State configuration: Active

Default authentication scheme: Local

Default authorization scheme: Local

Default accounting scheme: Local

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out policy: Offline

Send accounting update:Yes

Service type: HSI

Session time: Exclude idle time

DHCPv6-follow-IPv6CP timeout: 60 seconds

IPv6CP interface ID assignment: Enable

Dual-stack accounting method: Merge

NAS-ID: N/A

Service rate-limit mode: Separate

Web server URL : Not configured

Web server URL parameters : Not configured

Web server IPv4 address : Not configured

Web server IPv6 address : Not configured

Redirect active time : Not configured

Redirect server IPv4 address: Not configured

Temporary redirect : Disabled

Redirect server IPv6 address: Not configured

DHCP access user auto-save : Disabled

Authorization attributes:

Idle cut: Disabled

IGMP access limit: 4

MLD access limit: 4

Access limit: Not configured

IP resource usage warning thresholds:

High threshold: Not configured

Low threshold: Not configured

IPv6 resource usage warning thresholds:

High threshold: Not configured

Low threshold: Not configured

Authen-fail action: Offline

Domain: dm

Current state: Active

State configuration: Blocked during specific time ranges

Time ranges:

Online-user logoff: Enabled

Super authentication scheme: RADIUS=rad

Command authorization scheme: HWTACACS=hw

LAN access authentication scheme: RADIUS=r4

Default authentication scheme: RADIUS=rad, Local, None

Default authorization scheme: Local

Default accounting scheme: None

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out policy: Redirect

Redirect URL : http://3.3.3.3/web

Stop accounting: Yes

User profile : abc

Send accounting update:Yes

ITA service policy: ita1

Service type: HSI

Session time: Include idle time

User basic service IP type: IPv4 IPv6 IPv6-PD

DHCPv6-follow-IPv6CP timeout: 33 seconds

IPv6CP interface ID assignment: Enable

Accounting start delay: 60 seconds

Dual-stack accounting method: Merge

NAS-ID: test

Service rate-limit mode: Separate

Web server URL : http://1.2.3.4

Web server URL parameters : userurl=http://www.test.com/welcome

userip=source-address

usermac=source-mac (format: XXXX-XXXX-XXXX)

userlct=user-location (format: port:vlan1.vlan2)

Web server IPv4 address : 1.2.3.4

Web server secondary IPv4 address: Not configured

Temporary redirect : Enabled

Web server IPv6 address : Not configured

Web server secondary IPv6 address: Not configured

Redirect active time : 60 seconds

Redirect server IPv4 address : 1.1.1.2

Redirect server IPv6 address : 1:2::3:2

DHCP access user auto-save : Enabled

Authorization attributes:

IP pool: appy

User profile: test

Session group profile: abc

Inbound CAR: CIR 64000 bps PIR 640000 bps

Outbound CAR: CIR 64000 bps PIR 640000 bps

ACL number: 3000

User group: ugg

IPv6 prefix: 1::1/34

IPv6 pool: ipv6pool

IPv6 ND prefix pool: rnd

Primary DNS server: 6.6.6.6

Secondary DNS server: 3.6.2.3

URL: http://abc

Redirect limit: 5

VPN instance: vpn1

IGMP access limit: 12

MLD access limit: 35

User session timeout: 28 seconds

Access limit: 400

IP resource usage warning thresholds:

High threshold: 70%

Low threshold: 10%

IPv6 resource usage warning thresholds:

High threshold: 70%

Low threshold: 10%

Authen-fail action: Online on domain dm1

Default domain name: system

# Display the configuration of ISP domain bbb and load-sharing user group information in the domain.

<Sysname> display domain name bbb

Domain: bbb

Current state: Active

State configuration: Active

Default authentication scheme: Local

Default authorization scheme: Local

Default accounting scheme: Local

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out policy: Offline

Send accounting update:Yes

Service type: HSI

Session time: Exclude idle time

DHCPv6-follow-IPv6CP timeout: 60 seconds

IPv6CP interface ID assignment: Enable

Dual-stack accounting method: Merge

NAS-ID: N/A

Service rate-limit mode: Separate

Web server URL : Not configured

Web server URL parameters : Not configured

Web server IPv4 address : Not configured

Web server secondary IPv4 address: 1.2.3.5

Web server IPv6 address : Not configured

Web server secondary IPv6 address: Not configured

Redirect active time : Not configured

Redirect server IPv4 address : Not configured

Temporary redirect : Disabled

Redirect server IPv6 address : Not configured

DHCP access user auto-save : Enabled

Authorization attributes:

Idle cut: Disabled

IGMP access limit: 4

MLD access limit: 4

Access limit: Not configured

IP resource usage warning thresholds:

High threshold: Not configured

Low threshold: Not configured

IPv6 resource usage warning thresholds:

High threshold: Not configured

Low threshold: Not configured

Load-sharing user groups:

g1: 323 user(s)

g2: 324 user(s)

Authen-fail action: Offline

Table 6 Command output

Field	Description
Domain	ISP domain name.
Current state	Current state of the ISP domain: · Blocked. · Active.
State configuration	State settings of the ISP domain: · Active—The ISP domain is set to the active state. · Blocked during specific time ranges—The ISP domain is set to the blocked state during the listed time ranges. · Blocked—The ISP domain is set to the blocked state.
Time ranges	Time ranges during which the ISP domain is in blocked state.
Online-user logoff	Status for the feature of logging off online users when the state of the ISP domain changes to blocked: · Enabled. · Disabled.
Default authentication scheme	Default authentication methods.
Default authorization scheme	Default authorization methods.
Default accounting scheme	Default accounting methods.
Login authentication scheme	Authentication methods for login users.
Login authorization scheme	Authorization methods for login users.
Login accounting scheme	Accounting methods for login users.
Super authentication scheme	Authentication methods for obtaining another user role without reconnecting to the device.
PPP authentication scheme	Authentication methods for PPP users.
PPP authorization scheme	Authorization methods for PPP users.
PPP accounting scheme	Accounting methods for PPP users.
Command authorization scheme	Command line authorization methods.
Command accounting scheme	Command line accounting method.
RADIUS	RADIUS scheme.
HWTACACS	HWTACACS scheme.
LDAP	LDAP scheme.
Local	Local scheme.
None	No authentication, no authorization, or no accounting.
Accounting start failure action	Access control for users that encounter accounting-start failures: · Online—Allows the users to stay online. · Offline—Logs off the users.
Accounting update failure max-times	Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.
Accounting update failure action	Access control for users that have failed all their accounting-update attempts: · Online—Allows the users to stay online. · Offline—Logs off the users.
Accounting quota out policy	Access control for users that have used up their accounting quotas: · Online—Allows the users to stay online. · Offline—Logs off the users. · Redirect—Redirects the users to the specified URL.
Redirect URL	URL to which users are redirected when the users have used up their data quotas.
Stop accounting	Whether to send stop-accounting packets for users that have used up their data quotas.
User profile	Name of the user profile assigned to users that have used up their data quotas.
Send accounting update	Whether to send accounting-update packets to refresh users' data quotas: · Yes. · No.
ITA service policy	ITA policy applied to the ISP domain.
Service type	Service type of the ISP domain, including HSI, STB, and VoIP.
Session time	Online duration sent to the server for users that went offline due to connection failure or malfunction: · Include idle time—The online duration includes the idle timeout period. · Exclude idle time—The online duration does not include the idle timeout period.
User address type	Type of IP addresses for users in the ISP domain. This field is not displayed if no user address type is specified for the ISP domain.
User basic service IP type	Types of IP addresses that PPPoE and L2TP users rely on to use the basic services: · IPv4. · IPv6. · IPv6-PD.
DHCPv6-follow-IPv6CP timeout	This field is not supported in the current software version. IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for users.
IPv6CP interface ID assignment	Whether the device is configured to forcibly assign interface IDs to PPP users during IPv6CP negotiation: · Enable—The device is configured to forcibly assign interface IDs to PPP users during IPv6CP negotiation. It ignores the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users. · Disable—The device is configured not to forcibly assign interface IDs to PPP users during IPv6CP negotiation. It accepts the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users.
Dual-stack accounting method	Accounting method for dual-stack users: · Merge—Merges IPv4 data with IPv6 data for accounting. · Separate—Separates IPv4 data from IPv6 data for accounting.
Accounting start delay	Start-accounting delay. This field is not available if no start-accounting delay has been set.
NAS-ID	NAS-ID of the device. This field displays N/A if no NAS-ID is set in the ISP domain.
Web server URL	URL of the Web server.
Web server URL parameters	Parameters added to the URL of the Web server.
format	Format of the MAC address added to the URL of the Web server: · XXXXXXXXXXXX (or xxxxxxxxxxxx)—The MAC address is in the one-section format. · XXXX-XXXX-XXXX (or xxxx-xxxx-xxxx)—The MAC address is in the three-section format. · XX-XX-XX-XX-XX-XX (or xx-xx-xx-xx-xx-xx)—The MAC address is in the six-section format. The delimiter in the three-section format and the six-section format is configurable.
Web server IPv4 address	IPv4 address of the Web server.
Web server secondary IPv4 address	IPv4 address of the Web server. If the Web server has two IPv4 addresses and you use the web-server command with the secondary keyword to specify one of the IPv4 addresses, the specified IPv4 address is displayed in this field.
Web server IPv6 address	IPv6 address of the Web server.
Web server secondary IPv6 address	IPv6 address of the Web server. If the Web server has two IPv6 addresses and you use the web-server command with the secondary keyword to specify one of the IPv6 addresses, the specified IPv6 address is displayed in this field.
Redirect active time	Active period (in seconds) during which all Web visit requests of a user are redirected to the redirect URL.
Redirect server IPv4 address	IPv4 address of the redirect server.
Temporary redirect	Status of the temporary redirect feature.
Redirect server IPv6 address	IPv6 address of the redirect server.
DHCP access user auto-save	Status of the automatic DHCP user backup feature.
Authorization attributes	Authorization attributes for users in the ISP domain.
Idle cut	Idle cut feature status: · Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period. · Disabled—The feature is disabled. It is the default idle cut state.
Idle timeout	Idle timeout period, in minutes.
Flow	Minimum traffic that a login user must generate in an idle timeout period, in bytes.
Traffic direction	Traffic direction for the idle cut feature: · Both. · Inbound. · Outbound.
IP pool	Name of the authorization IPv4 address pool.
IP pool group	Name of the authorization IPv4 address pool group.
User profile	Name of the authorization user profile.
Session group profile	Name of the authorization session group profile.
Inbound CAR	Authorization inbound CAR: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. If no inbound CAR is authorized, this field displays N/A.
Outbound CAR	Authorization outbound CAR: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. If no outbound CAR is authorized, this field displays N/A.
ACL number	Authorization ACL for users.
User group	Authorization user group for users.
IPv6 prefix	Authorization IPv6 address prefix for users.
IPv6 pool	Name of the authorization IPv6 address pool for users.
IPv6 pool group	Name of the authorization IPv6 address pool group for users.
IPv6 ND prefix pool	Name of the authorization prefix pool for users.
Primary DNS server	IPv4 address of the authorization primary DNS server for users.
Secondary DNS server	IPv4 address of the authorization secondary DNS server for users.
Primary DNSV6 server	IPv6 address of the authorization primary DNS server for users.
Secondary DNSV6 server	IPv6 address of the authorization secondary DNS server for users.
URL	Authorization redirect URL for users.
Redirect limit	Maximum number of times the device redirects a user to the redirect URL. If no limit is set, this field displays Unlimited.
VPN instance	Name of the authorization VPN instance for users.
IGMP access limit	Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.
MLD access limit	Maximum number of MLD groups that an IPv6 user is authorized to join concurrently.
Inbound user priority	Authorization user priority for users' upstream packets.
Outbound user priority	Authorization user priority for users' downstream packets.
User session timeout	Authorization session timeout time for users, in seconds.
Access limit	Maximum number of users allowed to access the domain.
IP resource usage warning thresholds	Alarm thresholds for authorization IPv4 address usage.
IPv6 resource usage warning thresholds	Alarm thresholds for authorization IPv6 address or prefix usage.
High threshold	High alarm threshold for authorization IPv4 address usage or authorization IPv6 address or prefix usage. This field displays Not configured if the high alarm threshold is not set.
Low threshold	Low alarm threshold for authorization IPv4 address usage or authorization IPv6 address or prefix usage. This field displays Not configured if the low alarm threshold is not set.
Load-sharing user groups	Load-sharing user groups and the number of users in each group.
Authen-fail action	Authentication failure policy for users that fail authentication in the ISP domain: · Offline—Logs out the users. · Online on domain isp-name—Allows the users to stay online and assigns the users to the reauthentication domain represented by the isp-domain argument for reauthentication.

display domain access-user statistics

Use display domain access-user statistics to display statistics for online access users in ISP domains.

Syntax

display domain [ name isp-name ] access-user statistics

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

name isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays online access user statistics for all ISP domains.

Usage guidelines

This command displays detailed statistics only for online PPP users in the current software version.

For this command to display statistics for PPP users, you must enable PPP accounting by using the ppp account-statistics enable command.

Examples

# Display online access user statistics for all ISP domains.

<Sysname> display domain access-user statistics

Total online access users: 12

PPP users: 8

Others: 4

Total domains: 3

Domain State Online user count

system Active 12

isp1 Active 0

isp2 Active 0

Domain: system

PPP users: 8 (PPPoE 4, PPPoA 2, PPPoFR 0, LAC 0, LNS 2)

Others: 4

Table 7 Command output

Field	Description
Total online access users	Total number of online access users and total number of users for each access user type.
Domain	Name of the ISP domain.
State	Current state of the ISP domain: · Blocked. · Active.
Online user count	Total number of online access users.
PPP users	Total number of PPP users..
Others	Total number of online access users other than PPP users.

‌

Related commands

ppp account-statistics enable (Layer 2—WAN Access Command Reference)

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain name isp-name

undo domain name isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

name isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default system ISP domain. Before you use the undo domain command, change the domain to a non-default system ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.

To delete an ISP domain that has been specified by using the aaa default-domain, aaa permit-domain, aaa deny-domain, or aaa roam-domain command in interface view, you must first remove the command configuration.

If an ISP domain has online users in it, you cannot delete the domain by using the undo domain name command.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test]

Related commands

aaa default-domain

aaa deny-domain

aaa permit-domain

aaa roam-domain

display domain

domain default enable

domain if-unknown

state (ISP domain view)

domain default enable

Use domain default enable to specify the default system ISP domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default system ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default system ISP domain.

Examples

# Create an ISP domain named test, and configure the domain as the default system ISP domain.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

display domain

domain

domain if-unknown

Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

The device chooses an authentication domain for each user in the following order:

1. The authentication domain specified for the access module.

2. The ISP domain in the username.

3. The default system ISP domain.

If the chosen domain does not exist on the device, the device searches for the ISP domain to accommodate users that are assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

NOTE:

Support for the authentication domain configuration depends on the access module.

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

ip-usage-warning

Use ip-usage-warning to set the alarm thresholds for authorization IPv4 address usage.

Use undo ip-usage-warning to cancel an alarm threshold setting for authorization IPv4 address usage.

Syntax

ip-usage-warning { high-threshold high-value | low-threshold low-value }

undo ip-usage-warning { high-threshold | low-threshold }

Default

No alarm thresholds are set for authorization IPv4 address usage. The system does not generate alarm notifications about authorization IPv4 address usage.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

high-threshold high-value: Specifies the high alarm threshold for authorization IPv4 address usage, in percentage. The value range for the high-value argument is 1 to 100. The default is 100. The high alarm threshold must be greater than the low alarm threshold.

low-threshold low-value: Specifies the low alarm threshold for authorization IPv4 address usage, in percentage. The value range for the low-value argument is 0 to 99. The default is 0.

Usage guidelines

Authorization IPv4 address usage refers to the usage of IPv4 addresses in the authorization IPv4 address pool or pool group. The IPv4 addresses are allocated by DHCP.

You can monitor authorization IPv4 address usage on an ISP domain basis if you have configured one of the following IPv4 address-related authorization attributes for ISP domains:

· Authorization IPv4 address pool configured by using the authorization-attribute ip-pool command.

· Authorization IPv4 address pool group configured by using the authorization-attribute ip-pool-group command.

To implement ISP domain-based authorization IPv4 address usage monitoring, you must perform the following tasks:

· Enable SNMP notifications for authorization IPv4 address usage in ISP domains by using the snmp-agent trap enable domain ip-pool-warning command.

· Set the alarm thresholds for authorization IPv4 address usage in the ISP domains by using the ip-usage-warning command.

Based on the IPv4 address usage periodically provided by the DHCP module, the device generates notifications as shown in Table 8. In addition, the device generates logs about authorization IPv4 address usage. For more information about the logs, see the system log message reference.

Table 8 Authorization IPv4 address usage alarm notifications and alarm-removed notifications

Notification	Triggering condition	Remarks
Low alarm notification	Authorization IPv4 address usage reaches or drops below the low alarm threshold for the first time.	After generating and sending a low alarm notification, the system typically does not generate or send any additional low alarm notifications until the first low alarm is removed.
Low alarm-removed notification	Authorization IPv4 address usage reaches or exceeds the value calculated by using the following formula: Low alarm threshold + (high alarm threshold – low alarm threshold)*10%.	If you cancel the low alarm threshold setting when the system is still in low alarm state, the system will automatically generate and send a notification to remove the low alarm.
High alarm notification	Authorization IPv4 address usage reaches or exceeds the high alarm threshold for the first time.	After generating and sending a high alarm notification, the system typically does not generate or send any additional high alarm notifications until the first high alarm is removed.
High alarm-removed notification	Authorization IPv4 address usage drops below or reaches the value calculated by using the following formula: High alarm threshold – (high alarm threshold – low alarm threshold)*10%.	If you cancel the high alarm threshold setting when the system is still in high alarm state, the system will automatically generate and send a notification to remove the high alarm.

If you change one of the following settings, the system determines whether to generate one notification only based on the new settings regardless of whether another notification of the same type has been generated:

· An alarm threshold setting for authorization IPv4 address usage in the ISP domain.

· The authorization IPv4 address pool or pool group specified for the ISP domain.

· The configuration in the authorization IPv4 address pool or IPv4 address pool group of the ISP domain.

Examples

# In ISP domain test, set the high alarm threshold and low alarm threshold for authorization IPv4 address usage to 70% and 20%, respectively.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ip-usage-warning high-threshold 70

[Sysname-isp-test] ip-usage-warning low-threshold 20

Related commands

authorization-attribute (ISP domain view)

display domain

snmp-agent trap enable domain

ipv6-usage-warning

Use ipv6-usage-warning to set the alarm thresholds for authorization IPv6 address or prefix usage.

Use undo ipv6-usage-warning to cancel an alarm threshold setting for authorization IPv6 address or prefix usage.

Syntax

ipv6-usage-warning { high-threshold high-value | low-threshold low-value }

undo ipv6-usage-warning { high-threshold | low-threshold }

Default

No alarm thresholds are set for authorization IPv6 address or prefix usage. The system does not generate alarm notifications about authorization IPv6 address or prefix usage.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

high-threshold high-value: Specifies the high alarm threshold for authorization IPv6 address or prefix usage, in percentage. The value range for the high-value argument is 1 to 100. The default value is 100. The high alarm threshold must be greater than the low alarm threshold.

low-threshold low-value: Specifies the low alarm threshold for authorization IPv6 address or prefix usage, in percentage. The value range for the low-value argument is 0 to 99. The default value is 0.

Usage guidelines

Authorization IPv6 address or prefix usage refers to the usage of IPv6 addresses or prefixes in the authorization IPv6 address pool or pool group or in the authorization ND prefix pool or pool group.

You can monitor authorization IPv6 address or prefix usage on an ISP domain basis if you have configured one of the following IPv6 address or prefix-related authorization attributes for ISP domains:

· Authorization IPv6 address pool configured by using the authorization-attribute ipv6-pool command.

· Authorization ND prefix pool configured by using the authorization-attribute ipv6-nd-prefix-pool command.

· Authorization IPv6 address pool group configured by using the authorization-attribute ipv6-pool-group command.

· Authorization ND prefix pool group configured by using the authorization-attribute ipv6-nd-prefix-pool-group command.

To implement ISP domain-based authorization IPv6 address or prefix usage monitoring, you must perform the following tasks:

· Enable SNMP notifications for authorization IPv6 address or prefix usage in ISP domains by using the snmp-agent trap enable domain ipv6-pool-warning command.

· Set the alarm thresholds for authorization IPv6 address or prefix usage in the ISP domains by using the ipv6-usage-warning command.

Based on the IPv6 address or prefix usage periodically provided by the DHCPv6 module, the device generates notifications as shown in Table 9. In addition, the device generates logs about authorization IPv6 address or prefix usage. For more information about the logs, see the system log message reference.

Table 9 Authorization IPv6 address or prefix usage alarm notifications and alarm-removed notifications

Notification	Triggering condition	Remarks
Low alarm notification	Authorization IPv6 address or prefix usage reaches or drops below the low alarm threshold for the first time.	After generating and sending a low alarm notification, the system typically does not generate or send any additional low alarm notifications until the first low alarm is removed.
Low alarm-removed notification	Authorization IPv6 address or prefix usage reaches or exceeds the value calculated by using the following formula: Low alarm threshold + (high alarm threshold – low alarm threshold)*10%.	If you cancel the low alarm threshold setting when the system is still in low alarm state, the system will automatically generate and send a notification to remove the low alarm.
High alarm notification	Authorization IPv6 address or prefix usage reaches or exceeds the high alarm threshold for the first time.	After generating and sending a high alarm notification, the system typically does not generate or send any additional high alarm notifications until the first high alarm is removed.
High alarm-removed notification	Authorization IPv6 address or prefix usage drops below or reaches the value calculated by using the following formula: High alarm threshold – (high alarm threshold – low alarm threshold)*10%.	If you cancel the high alarm threshold setting when the system is still in high alarm state, the system will automatically generate and send a notification to remove the high alarm.

· An alarm threshold setting for authorization IPv6 address or prefix usage in the ISP domain.

· The authorization IPv6 address pool, IPv6 address pool group, ND prefix pool, or ND prefix pool group specified for the ISP domain.

· The configuration in the authorization IPv6 address pool, authorization IPv6 address pool group, authorization ND prefix pool, or authorization ND prefix pool group of the ISP domain.

Examples

# In ISP domain test, set the high alarm threshold and low alarm threshold for authorization IPv6 address or prefix usage to 70% and 20%, respectively.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ipv6-usage-warning high-threshold 70

[Sysname-isp-test] ipv6-usage-warning low-threshold 20

Related commands

authorization-attribute (ISP domain view)

display domain

snmp-agent trap enable domain

ipv6cp assign-interface-id

Use ipv6cp assign-interface-id to configure the device to forcibly assign interface IDs to PPP users in an ISP domain during IPv6CP negotiation.

Use undo ipv6cp assign-interface-id to restore the default.

Syntax

ipv6cp assign-interface-id

undo ipv6cp assign-interface-id

Default

The device accepts the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users in IPv6CP negotiation.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Use this command for centralized management of PPP users' interface IDs. This command enables the device to ignore the interface IDs carried in Configure-Request packets from PPP users and forcibly assign interface IDs to PPP users during IPv6CP negotiation. The device preferentially uses the interface IDs that the RADIUS server assigns to PPP users through the Framed-Interface-Id attribute. If the server does not assign interface IDs to PPP users, the device generates interface IDs and then assigns the IDs to the users.

Examples

# In ISP domain test, configure the device to forcibly assign interface IDs to PPP users during IPv6CP negotiation.

<Sysname> system-view

[System] domain name test

[System-isp-test] ipv6cp assign-interface-id

Related commands

display domain

ita-policy

Use ita-policy to apply an ITA policy to users in an ISP domain.

Use undo ita-policy to restore the default.

Syntax

ita-policy policy-name

undo ita-policy

Default

No ITA policy is applied in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

policy-name: Specifies an ITA policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The ITA policy assigned from a RADIUS server takes precedence over the ITA policy in an ISP domain. If an ISP domain user has been assigned an ITA policy from the RADIUS server, the ITA policy of the ISP domain does not take effect. The server-assigned ITA policy might not even exist on the device.

Examples

# Apply ITA policy ita1 to users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ita-policy ita1

Related commands

ita policy

load-sharing user-group

Use load-sharing user-group to configure a load-sharing user group.

Use undo load-sharing user-group to delete a load-sharing user group.

Syntax

load-sharing user-group group-name

undo load-sharing user-group [ group-name ]

Default

No load-sharing user groups are configured and the load sharing feature for users is disabled in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. You must specify an existing user group. If you do not specify a user group in the undo form of this command, all load-sharing user groups are deleted.

Usage guidelines

Use load-sharing user groups with service features to implement load sharing for user service traffic. For example, define traffic classes to classify user traffic by user groups and associate the traffic classes with traffic behaviors that redirect matching traffic to NAT service modules. In this way, user traffic can be shared among multiple NAT service modules.

If load-sharing user groups are used in conjunction with NAT, they are applicable only to interface-based NAT.

If you configure a load-sharing user group in an ISP domain, the load sharing feature for users is enabled for the ISP domain. You can configure a maximum of 32 load-sharing user groups in an ISP domain. After a user in the ISP domain comes online, the device assigns the user to the load-sharing user group that has the smallest number of users. If multiple load-sharing user groups have the same smallest number of users, the user is assigned to the earliest configured group.

The user group to which the device finally assigns a user depends on the configuration. The device selects the user group to accommodate a user in an ISP domain in the following order:

4. The user group authorized by the server.

5. The load-sharing user group configured in the ISP domain.

6. The authorization user group specified in the ISP domain.

The load-sharing user-group and user-group bind nat-instance commands are mutually exclusive in an ISP domain. Before you use the load-sharing user-group command, remove the configuration of the user-group bind nat-instance command. In addition, make sure the ISP domain does not have users that came online before the user-group bind nat-instance command configuration is removed.

Examples

# In ISP domain test, configure load-sharing user groups g1 and g2.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] load-sharing user-group g1

[Sysname-isp-test] load-sharing user-group g2

Related commands

display domain

user-group

user-group bind nat-instance

local-server log change-password-prompt

Use local-server log change-password-prompt to enable password change prompt logging.

Use undo local-server log change-password-prompt to disable password change prompt logging.

Syntax

local-server log change-password-prompt

undo local-server log change-password-prompt

Default

Password change prompt logging is enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Use this feature to enhance the protection of passwords for Telnet, SSH, HTTP, HTTPS, NETCONF over SSH, and NETCONF over SOAP users and improve the system security.

This feature enables the device to generate logs to prompt users to change their weak passwords at an interval of 24 hours and at the users' login.

A password is a weak password if it does not meet the following requirements:

· Password composition restriction configured by using the password-control composition command.

· Minimum password length restriction set by using the password-control length command.

· It cannot contain the username or the reverse letters of the username.

For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:

· The current password of the user is the default password or has expired.

· The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.

The device will no longer generate password change prompt logs for a user when one of the following conditions exists:

· The password change prompt logging feature is disabled.

· The user has changed the password and the new password meets the password control requirements.

· The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.

· The password composition policy or the minimum password length has changed.

You can use the display password-control command to display password control configuration. For more information about password control commands, see "Password control commands."

Examples

# Enable password change prompt logging.

<Sysname> system-view

[Sysname] local-server log change-password-prompt

Related commands

display password-control

password-control composition

password-control length

nas-id

Use nas-id to set the NAS-ID in an ISP domain.

Use undo nas-id to delete the NAS-ID from an ISP domain.

Syntax

nas-id nas-identifier

undo nas-id

Default

No NAS-ID is set in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.

Usage guidelines

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

You can configure a NAS-ID in NAS-ID profile view or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1. NAS-ID bound with VLANs in a NAS-ID profile.

2. NAS-ID in an ISP domain.

If no NAS-ID is selected, the device uses the device name as the NAS-ID.

Examples

# Set the NAS-ID to test for ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] nas-id test

Related commands

aaa nas-id

aaa nas-id profile

nas-id bind

Use nas-id bind to configure a NAS-ID and VLAN binding.

Use undo nas-id bind to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind { { c-vid vlan-id | s-vid vlan-id } * | vlan vlan-id }

undo nas-id nas-identifier bind { { c-vid vlan-id | s-vid vlan-id } * | vlan vlan-id }

Default

No NAS-ID and VLAN bindings exist.

Views

NAS-ID profile view

Predefined user roles

network-admin

mdc-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

c-vid vlan-id : Specifies an inner VLAN ID in the range of 1 to 4094.

s-vid vlan-id: Specifies an outer VLAN ID in the range of 1 to 4094.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

In a QinQ network, specify an inner VLAN ID, outer VLAN ID, or both in a binding as a best practice. In a non-QinQ network, you can specify only a VLAN ID in a binding by specifying the vlan vlan-id option.

If you specify an inner VLAN ID or outer VLAN ID in a binding of a NAS-ID profile, you can specify this profile only for an interface by using the aaa nas-id-profile command.

A NAS-ID can be bound with more than one VLAN or one combination of inner VLAN and outer VLAN. A VLAN or a combination of inner VLAN and outer VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

The device selects a NAS-ID and VLAN binding for double-tagged packets in the following order:

3. NAS-ID with both matching outer VLAN ID and inner VLAN ID.

4. NAS-ID with a matching outer VLAN ID.

5. NAS-ID with a matching inner VLAN ID.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

aaa nas-id profile

redirect active-time

Use redirect active-time to set the redirect URL active period during which all Web visit requests of a user are redirected to the redirect URL.

Use undo redirect active-time to restore the default.

Syntax

redirect active-time time

undo redirect active-time

Default

The redirect URL active period is not set.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

time: Sets the active period, in the range of 1 to 900 seconds.

Usage guidelines

If the server assigns a redirect URL to a user after it passes authentication, the device redirects the user to the redirect URL when the user accesses the network for the first time. The redirect URL might provide important information for the user (for example, advertisements, notices, and charge overdue notifications).

Some applications (for example, input software) initiate background Web visit requests to visit the network before the user actively accesses the network. As a result, the device might not redirect the active Web visit requests of the user to the redirect URL because the number of times that the device redirects the background requests has reached the maximum number of redirect times. In this case, the user does not obtain the information provided by the redirect URL.

To resolve this issue, use this command to set the redirect URL active period. In this period, all Web visit requests of a user are redirected to the redirect URL. The period starts for a user when the server or the device assigns a redirect URL to the user because the user comes online or the server performs a COA authorization.

This command takes effect only on PPP users.

This command takes effect on a user in either of the following conditions:

· The server assigns the user a redirect URL and the attribute that sets the number of redirect times.

· The server does not assign the user a redirect URL. However, an authorization redirect URL has been configured for the ISP domain and the number of times that the device redirects the user to the redirect URL is not limited.

This command has higher priority than the maximum number of redirect times configured by using the authorization-attribute redirect-times command in ISP domain view. If limiting the maximum number of redirect times is required, do not use this command to set the active period.

Examples

# In ISP domain test, set the active period of the redirect URL to 60 seconds.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] redirect active-time 60

Related commands

authorization-attribute (ISP domain view)

display domain

redirect server

redirect move-temporarily enable

Use redirect move-temporarily enable to enable the temporary redirect feature.

Use undo redirect move-temporarily enable to disable the temporary redirect feature.

Syntax

redirect move-temporarily enable

undo redirect move-temporarily enable

Default

The temporary redirect feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Typically, the device carries the redirect URL coded in JavaScript in HTTP or HTTPS responses sent to users. The users obtain the redirect URL by parsing the JavaScript codes. If the endpoint of a user (application, for example) does not support JavaScript, the user will fail to be redirected.

To resolve this issue, enable the temporary redirect feature. This feature enables the device to send HTTP or HTTPS responses with status code 302 to users so that the users can obtain the redirect URL.

This feature is applicable only to PPP users.

On a forwarding-control separated network, this feature does not take effect.

Examples

# In ISP domain test, enable the temporary redirect feature.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] redirect move-temporarily enable

Related commands

display domain

redirect server

Use redirect server to specify an IP address of the Web server that owns the redirect URL.

Use undo redirect server to remove an IP address of the Web server that owns the redirect URL.

Syntax

redirect server { ip ipv4-address | ipv6 ipv6-address }

undo redirect server { ip | ipv6 }

Default

No redirect server IP address is specified.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ip ipv4-address: Specifies the IPv4 address of the redirect server.

ipv6 ipv6-address: Specifies the IPv6 address of the redirect server.

Usage guidelines

To improve the efficiency and accuracy of Web redirections, use this command to specify an IP address of the Web server that owns the redirect URL. When the device redirects a Web visit request of a user, it first identifies whether the destination IP address of the request is the specified IP address of the Web server. If the IP addresses are the same one, the device allows the request to pass through. If the IP addresses are different, the device pushes the redirect URL assigned by the server to the user.

· If the redirect URL does not contain a redirect server IP address, the device uses the IP address specified by using this command as the redirect destination IP address. Make sure the specified IP address is the same as the IP address resolved from the URL.

· If the redirect URL contains a redirect server IP address but the IP address is different from the IP address specified by using this command, the device uses the IP address specified by using this command as the redirect destination IP address.

· If the redirect URL does not contain a redirect server IP address and no redirect server IP address is specified, redirection might fail due to lack of redirect server IP address.

This command takes effect only on PPP users.

In an ISP domain, you can specify only one IPv4 address and one IPv6 address of the Web redirect server.

Examples

# In ISP domain test, specify the server at 5.1.1.1 as the redirect server.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] redirect server ip 5.1.1.1

Related commands

display domain

redirect aging-time

reset aaa abnormal-offline-record

Use reset aaa abnormal-offline-record to clear all user abnormal offline records.

Syntax

reset aaa abnormal-offline-record

Views

User view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The device saves user abnormal offline records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user abnormal offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user abnormal offline records.

<Sysname> reset aaa abnormal-offline-record

Related commands

display aaa abnormal-offline-record

reset aaa normal-offline-record

Use reset aaa normal-offline-record to clear all user normal offline records.

Syntax

reset aaa normal-offline-record

Views

User view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The device saves user normal offline records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user normal offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user normal offline records.

<Sysname> reset aaa normal-offline-record

Related commands

display aaa normal-offline-record

reset aaa offline-record

Use reset aaa offline-record to clear all user offline records.

Syntax

reset aaa offline-record

Views

User view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The device saves user offline records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user offline records.

<Sysname> reset aaa offline-record

Related commands

display aaa offline-record

reset aaa online-fail-record

Use reset aaa online-fail-record to clear all user online failure records.

Syntax

reset aaa online-fail-record

Views

User view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The device saves user online failure records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user online failure records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user online failure records.

<Sysname> reset aaa online-fail-record

Related commands

display aaa online-fail-record

service-type (ISP domain view)

Use service-type to specify the service type for users in an ISP domain.

Use undo service-type to restore the default.

Syntax

service-type { hsi | stb | voip }

undo service-type

Default

The service type is hsi for users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through PPP.

stb: Specifies the Set Top Box (STB) service. This service is applicable to users that access the network through STB.

voip: Specifies the Voice over IP (VoIP) service. This service is applicable to users that access the network through IP phones.

Usage guidelines

When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.

When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.

When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.

For PPP users, the system uses the HSI service forcibly even if the STB or VoIP service is specified.

You can configure only one service type for an ISP domain.

Examples

# Specify the STB service for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] service-type stb

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device excludes the idle timeout period from the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Whether to configure the device to include the idle timeout period in the user online duration sent to the server, depending on the accounting policy in your network. The idle timeout period is assigned by the authorization server after users pass authentication.

If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.

· If the session-time include-idle-time command is used, the device adds the idle timeout period. The online duration sent to the server is longer than the actual online duration of the user.

· If the undo session-time include-idle-time command is used, the device excludes the idle timeout period from the actual online duration. The online duration sent to the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

snmp-agent trap enable domain

Use snmp-agent trap enable domain to enable SNMP notifications for ISP domains.

Use undo snmp-agent trap enable domain to disable SNMP notifications for ISP domains.

Syntax

snmp-agent trap enable domain { ip-usage-warning | ipv6-usage-warning }

undo snmp-agent trap enable domain { ip-usage-warning | ipv6-usage-warning }

Default

SNMP notifications are disabled for ISP domains.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-usage-warning: Enables SNMP notifications for authorization IPv4 address usage. The device generates a notification when the IPv4 address usage reaches or exceeds the high alarm threshold, drops below or reaches the low alarm threshold, or restores to the normal range.

ipv6-usage-warning: Enables SNMP notifications for authorization IPv6 address or prefix usage. The device generates a notification when the IPv6 address or prefix usage reaches or exceeds the high alarm threshold, drops below or reaches the low alarm threshold, or restores to the normal range.

Usage guidelines

After you enable SNMP notifications for ISP domains, the device generates a notification if a specific event occurs in an ISP domain. For ISP domain event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

For the device to correctly generate notifications about authorization IPv4 address usage in ISP domains, set the alarm thresholds for authorization IPv4 address usage in the ISP domains.

For the device to correctly generate notifications about authorization IPv6 address or prefix usage in ISP domains, set the alarm thresholds for authorization IPv6 address or prefix usage in the ISP domains.

For this feature to take effect when the device acts as a DHCP or DHCPv6 relay agent, you must execute the network command in the relay address pool on the DHCP relay agent. Make sure the subnet specified in the network command is the same as the subnet specified for the DHCP address pool of the DHCP server.

Examples

# Enable SNMP notifications for authorization IPv4 address usage in ISP domains.

<Sysname> system-view

[Sysname] snmp-agent trap enable domain ip-usage-warning

Related commands

ip-usage-warning

ipv6-usage-warning

network (Layer 3—IP Services Command Reference)

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block [ time-range ][ offline ]}

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. This keyword takes effect on all types of users except the SSH users that perform publickey authentication.

time-range: Places the ISP domain in blocked state based on time ranges. If you specify the block keyword but do not specify the time-range keyword, the ISP domain is always placed in blocked state.

offline: Logs off online users (including PPP users) in the ISP domain when the state of the ISP domain changes to blocked. If you specify the block keyword but do not specify the offline keyword, the users in the ISP domain stay online when the state of the ISP domain changes to blocked.

Usage guidelines

To block an ISP domain based on time ranges, specify the time-range keyword in this command, and specify time ranges by using the state block time-range name command.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] state block

Related commands

display domain

state block time-range name

Use state block time-range name to specify time ranges during which an ISP domain is placed in blocked state.

Use undo state block time-range name to delete time ranges for placing an ISP domain in blocked state.

Syntax

state block time-range name time-range-name

undo state block time-range { all | name time-range-name }

Default

No time ranges are specified for placing an ISP domain in blocked state.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. The string must begin with a letter and cannot be all.

all: Specifies all time ranges.

Usage guidelines

The specified time ranges take effect only when the device is configured to block an ISP domain based on time ranges. To configure the device to block the ISP domain based on time ranges, use the state block time-range command.

You can repeat this command to specify multiple time ranges.

Examples

# Specify time ranges t1 and t2 for placing ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] state block time-range name t1

[Sysname-isp-test] state block time-range name t2

Related commands

state

time-range (ACL and QoS Command Reference)

user-address-type

Use user-address-type to specify the user address type in the ISP domain.

Use undo user-address-type to restore the default.

Syntax

user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }

undo user-address-type

Default

No user address type is specified for the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ds-lite: Specifies the DS-Lite address type.

ipv6: Specifies the IPv6 address type.

nat64: Specifies the NAT64 address type.

private-ds: Specifies the private-DS address type.

private-ipv4: Specifies the private IPv4 address type.

public-ds: Specifies the public-DS address type.

public-ipv4: Specifies the public IPv4 address type.

Usage guidelines

Specify the address type for users in an ISP domain according to the actual customer network environment and address assignment policies for the users.

On a CGN network, make sure the correct address type is specified on the device and users obtain private IP addresses of the specified type. Then, the device can cooperate with NAT444 to implement public IP address assignment, port block assignment, and user tracking after the users pass authentication. For more information about NAT444, see NAT in Layer 3—IP Services Configuration Guide.

Any change to the user address type does not affect online users.

Examples

# Specify the private IPv4 address type for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] user-address-type private-ipv4

Related commands

display domain

web-server { ip | ipv6 }

Use web-server { ip | ipv6 } to specify an IP address of the Web server.

Use undo web-server { ip | ipv6 } to remove an IP address of the Web server.

Syntax

web-server { ip ipv4-address | ipv6 ipv6-address } [ secondary ]

undo web-server { ip | ipv6 } [ secondary ]

Default

No IP addresses are specified for the Web server.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv4-address: Specifies an IPv4 address of the Web server.

ipv6-address: Specifies an IPv6 address of the Web server.

secondary: Specifies the IP address as a backup IP address of the Web server. If the Web server has two IP addresses, you can specify one IP address without this keyword and specify the other IP address with this keyword.

Usage guidelines

If the URL of a Web request carries one of the specified IP addresses, the Web request is directly forwarded to the Web server without redirection. This configuration avoids unnecessary redirection if the destination of user Web requests is one IP address of the Web server.

You can specify two IPv4 addresses and two IPv6 addresses for the Web server.

Examples

# Specify 192.168.1.1 as an IP address of the Web server in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server ip 192.168.1.1

Related commands

display domain

web-server url-parameter

Use web-server url-parameter to add a parameter to the Web server URL.

Use undo web-server url-parameter to remove a parameter from the Web server URL.

Syntax

web-server url-parameter param-name { nas-id | nas-port-id | original-url | remote-id | source-address | source-mac [ encryption { aes | des } key { cipher | simple } string ] [ section { 1 | { 3 | 6 } [ separator separator-character ] } { lowercase | uppercase } ] | ssid | user-location | value expression }

undo web-server url-parameter param-name

Default

No parameters are added to the URL of the Web server.

Views

ISP domain view

Predefined user roles

network-admin

mdc-admin

Parameters

param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Contents of the parameter are determined by the keywords or options following the param-name argument.

nas-id: Specifies the NAS-ID.

nas-port-id: Specifies the NAS-Port-Id attribute value.

original-url: Specifies the URL of the webpage that a user requests.

remote-id: Specifies the Remote ID obtained from user DHCP packets.

source-address: Specifies the user IP address.

source-mac: Specifies the user MAC address.

encryption: Specifies an encryption algorithm to encrypt the user MAC address. If you do not specify this keyword, the device adds the user MAC address in plaintext form to the Web server URL.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies a case-sensitive key string. The string length varies by the selected encryption algorithm:

· If des cipher is specified, the string length is 41 characters.

· If des simple is specified, the string length is 8 characters.

· If aes cipher is specified, the string length is 1 to 73 characters.

· If aes simple is specified, the string length is 1 to 31 characters.

section: Specifies the number of sections that a MAC address contains. If you do not specify this keyword, the MAC address is in the three-section format with uppercase letters, for example, XXXX-XXXX-XXXX.

· 1: Specifies the one-section format XXXXXXXXXXXX.

· 3: Specifies the three-section format XXXX-XXXX-XXXX.

· 6: Specifies the six-section format XX-XX-XX-XX-XX-XX.

· separator separator-character: Specifies the delimiter to separate the MAC address into multiple sections, a case-sensitive character. If you do not specify a delimiter, the system uses hyphen (-) as the delimiter.

· lowercase: Specifies the letters in a MAC address to be in lower case.

· uppercase: Specifies the letters in a MAC address to be in upper case.

ssid: Specifies the SSID.

user-location: Specifies the user access location, in the format of port:vlan1.vlan2.

· The port argument represents the interface type and number (for example, eth/6/0/4). If the access interface is an aggregate interface, the interface type is ethtrunk. For example, ethtrunk/44 represents an aggregate interface.

· The vlan1 and vlan2 arguments represent the outer VLAN ID and inner VLAN ID, respectively. If only information of a single VLAN is available, 0 is used as the value for the vlan2 argument (for example, eth/6/0/4:10.0). If no VLAN information is available, 0 is used as the value for both the arguments (for example, eth/6/0/4:0.0).

value expression: Specifies a custom case-sensitive string of 1 to 256 characters.

Usage guidelines

You can repeat this command to add multiple parameters to the Web server URL. For example, to attach the user IP address and a custom string of http://www.abc.com/welcome to the Web server URL http://1.2.3.4/, perform the following tasks:

· Execute this command with the userip source-address parameter.

· Execute this command with the userurl value http://www.abc.com/welcome parameter.

The device will redirect Web requests from IP address 1.1.1.1 to the URL at http://1.2.3.4/?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

For the Web server URL that carries parameters to take effect, make sure the URL ends with a forward slash (/).

Make sure names of the specified parameters are the same as those supported by the Web server. Names of supported parameters vary by Web server type. For example, the IMC server supports parameters original-url, source-address, and source-mac, and names of the parameters are userurl, userip, and usermac, respectively. To add the user IP address to the Web server URL, you must configure the param-name argument as userip and specify the source-address keyword.

To carry a user SSID in the Web server URL, you must set the SSID on the user access interface by using the aaa ssid command.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.

Examples

# In ISP domain test, add the user IP address and a custom string of http://www.abc.com/welcome to the Web server URL.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server url-parameter userip source-address

[Sysname-isp-test] web-server url-parameter userurl value http://www.abc.com/welcome

# In ISP domain test, add the user MAC address encrypted by using the DES algorithm to the Web server URL.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server url-parameter usermac source-mac encryption des key simple 12345678

Related commands

aaa ssid

display domain

web-server url

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users. The users do not support accounting.

For this command to take effect on a network access user, you also need to configure the accounting start-fail offline command in the ISP domain view.

Examples

# Set the maximum number of concurrent logins to 5 for the local user account named abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

accounting start-fail offline

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minutes | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | inbound | outbound ] | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-group-profile session-group-profile-name | session-timeout minutes | subscriber-id subscriber-id | url url-string | user-profile user-profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | { primary-dns | secondary-dns } { ip | ipv6 } | session-group-profile | session-timeout | url | subscriber-id | user-profile | user-role role-name | vlan | vpn-instance | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user on the default MDC are assigned the network-operator user role. The local users created by an mdc-admin or level-15 user on a non-default MDC are assigned the mdc-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

mdc-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.

idle-cut minutes: Sets an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if the user's idle period exceeds the specified idle timeout period.

ip ipv4-address: Assigns a static IPv4 address to the user after it passes authentication.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6 ipv6-address: Assigns a static IPv6 address to the user after it passes authentication.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for the user. The value range for the prefix-length argument is 1 to 128.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for the user.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for the user.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for the user.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for the user.

session-group-profile session-group-profile-name: Specifies a session group profile for the user. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters. For more information about session group profiles, see Security Configuration Guide.

session-timeout minutes: Sets the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.

url url-string: Specifies the PADM URL to which the user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters and must begin with http:// or https://. This option is applicable only to PPPoE users. You must specify a URL that uses port number 80 or 8080.

user-profile user-profile-name: Specifies an authorization user profile by its name. The user-profile-name argument is a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits. The user profile restricts the behavior of authenticated users. For more information, see Security Configuration Guide.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the user belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. After passing authentication, the user has permission to access the network resources in the specified VPN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

For SSH, Telnet, and terminal users, only the following authorization attributes take effect: idle-cut and user-role.

For HTTP and HTTPS users, only the user-role authorization attribute takes effect.

For FTP users, only the following authorization attributes take effect: user-role and work-directory.

For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after an active/standby switchover, do not specify slot information for the working directory.

To make sure the user have only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

· When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

· When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

Default

No binding attributes are configured for a local user.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to PPP users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to PPP users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to PPP users.

Usage guidelines

To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.

Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet.

Examples

# Bind MAC address 0001-0002-0003 with network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute mac 0001-0002-0003

Related commands

display local-user

description

Use description to configure a description for a local guest.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

mdc-admin

Parameters

text: Configures a description, case-sensitive string of 1 to 255 characters.

Examples

# Configure a description for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] description Manager of MSC company

Related commands

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

network: Network access user.

guest: Guest user account.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

· The pure username is a case-sensitive string and must meet the following requirements:

¡ Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

¡ Cannot be a, al, or all.

· The domain name is a case-insensitive string and cannot contain an at sign (@).

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 3 local users matched.

Device management user root:

State: Active

Service type: SSH/Telnet/Terminal

Access limit: Enabled Max access number: 3

Current access number: 1

User group: system

Bind attributes:

Authorization attributes:

Work directory: flash:

User role list: network-admin

Password control configurations:

Password aging: 3 days

Password remaining lifetime: 2 days 12 hours 30 minutes 30 seconds

Password history was last reset: 0 days ago

Network access user jj:

State: Active

Service type: PPP

User group: system

Bind attributes:

Location bound: GigabitEthernet1/2/0/1

MAC address: 0001-0001-0001

VLAN ID: 2

Authorization attributes:

Idle timeout: 33 minutes

Work directory: flash:

ACL number: 2000

User profile: pp

User role list: network-operator, level-0, level-3

Table 10 Command output

Field	Description
State	Status of the local user: active or blocked.
Service type	Service types that the local user can use.
Access limit	Whether the concurrent login limit is enabled.
Max access number	Maximum number of concurrent logins using the local user name.
Current access number	Current number of concurrent logins using the local user name.
User group	Group to which the local user belongs.
Bind attributes	Binding attributes of the local user.
IP address	IP address of the local user.
Location bound	Binding port of the local user.
MAC address	MAC address of the local user.
VLAN ID	Binding VLAN of the local user.
Calling number	Calling number of the ISDN user.
Authorization attributes	Authorization attributes of the local user.
Idle timeout	Idle timeout period of the user, in minutes.
Session-timeout	Session timeout timer of the user, in minutes.
Callback number	Authorized PPP callback number of the local user.
Work directory	Directory that the FTP, SFTP, or SCP user can access.
ACL number	Authorization ACL of the local user.
VLAN ID	Authorized VLAN of the local user.
User profile	Authorization user profile of the local user.
User role list	Authorized roles of the local user.
IP pool	IPv4 address pool authorized to the local user.
IP address	IPv4 address authorized to the local user.
IPv6 address	IPv6 address authorized to the local user.
IPv6 prefix	IPv6 address prefix authorized to the local user.
IPv6 pool	IPv6 address pool authorized to the local user.
Primary DNS server	IPv4 address of the primary DNS server for the local user.
Secondary DNS server	IPv4 address of the secondary DNS server for the local user.
Primary DNSV6 server	IPv6 address of the primary DNS server for the local user.
Secondary DNSV6 server	IPv6 address of the secondary DNS server for the local user.
URL	PADM URL of the local user.
VPN instance	Authorization VPN instance of the local user.
Subscriber ID	Subscriber ID of the local user.
Session group profile	Session group profile of the local user.
Password control configurations	Password control attributes that are configured for the local user.
Password aging	Password expiration time.
Password length	Minimum number of characters that a password must contain.
Password composition	Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password.
Password complexity	Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user that failed to log in after using up all login attempts.
Password remaining lifetime	Remaining lifetime of the user's password.
Password history was last reset	The most recent time that the password records were cleared.
Full name	Name of the local guest.
Company	Company name of the local guest.
Email	Email address of the local guest.
Phone	Phone number of the local guest.
Description	Description of the local guest.
Sponsor full name	Name of the guest sponsor.
Sponsor department	Department of the guest sponsor.
Sponsor email	Email address of the guest sponsor.
Period of validity	Validity period of the local guest.
Start date and time	Date and time from which the local guest begins to take effect.
Expiration date and time	Date and time at which the local guest expires.

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | identity-member | name group-name }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

all: Specifies all user groups.

identity-member: Specifies identity members in all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

User group: system

Authorization attributes:

Work directory: flash:

User group: jj

Authorization attributes:

Idle timeout: 2 minutes

Callback number: 2:2

Work directory: flash:/

ACL number: 2000

VLAN ID: 2

User profile: pp

Password control configurations:

Password aging: 2 days

# Display information about identity members for all user groups.

<Sysname> display user-group identity-member

Total 2 user groups matched.

User group: system

Identity groups: 0

User group: jj

Identity groups: 2

Group ID Group name

0xffffffff group1

0x567 group2

Identity users: 2

User ID Username

0x234 user1

0xffffffff user2

Table 11 Command output

Field	Description
Authorization attributes	Authorization attributes of the user group.
Idle timeout	Idle timeout period, in minutes.
Session-timeout	Session timeout timer, in minutes.
Callback number	Authorized PPP callback number.
Work directory	Directory that FTP, SFTP, or SCP users in the group can access.
ACL number	Authorization ACL.
VLAN ID	Authorized VLAN.
User profile	Authorization user profile.
IP pool	IPv4 address pool authorized to the user group.
IPv6 prefix	IPv6 address prefix authorized to the user group.
IPv6 pool	IPv6 address pool authorized to the user group.
Primary DNS server	IPv4 address of the primary DNS server authorized to the user group.
Secondary DNS server	IPv4 address of the secondary DNS server authorized to the user group.
Primary DNSV6 server	IPv6 address of the primary DNS server authorized to the user group.
Secondary DNSV6 server	IPv6 address of the secondary DNS server authorized to the user group.
URL	PADM URL for the user group.
Subscriber ID	Subscriber ID for the user group.
Session group profile	Session group profile for the user group.
VPN instance	Authorization VPN instance for the user group.
Password control configurations	Password control attributes that are configured for the user group.
Password aging	Password expiration time.
Password length	Minimum number of characters that a password must contain.
Password composition	Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password.
Password complexity	Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user that failed to log in after using up all login attempts.
Identity users	Number of identity users.
Identity groups	Number of identity groups.
User ID	Identity user ID.
Group ID	Identity group ID.
Username	Identity user name.
Group name	Identity group name.

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class { manage | network } ]

undo local-user { user-name class { manage | network } | all [ service-type { ftp | http | https | ppp | ssh | telnet | terminal } | class { manage | network [ guest ] } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

user-name: Specifies the username of a local user, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

· The pure username is a case-sensitive string and must meet the following requirements:

¡ Cannot be a, al, or all.

· The domain name is a case-insensitive string and cannot contain an at sign (@).

class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, terminal, and PAD services.

network: Network access user that accesses network resources through the device. Network access users can use the PPP service.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2 and enter local user view.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

# Add a local guest named user3 and enter local guest view.

<Sysname> system-view

[Sysname] local-user user3 class network guest

[Sysname-luser-network(guest)-user3]

Related commands

display local-user

service-type

local-user-import

Use local-user-import to import local guest account information from a .csv file in the specified path to the device to create local guests based on the imported information.

Syntax

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

class: Specifies the local user type.

network: Specifies the network access user.

guest: Specifies the local guest.

url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.

validity-datetime: Specifies the guest validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device. If you do not specify this keyword, the device adds all imported local guests to the system-defined user group system.

override: Enables the device to override the existing account with the same name as an imported guest account. If you do not specify this keyword, the device retains the existing account and does not import the local guest with the same name.

start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.

Usage guidelines

The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:

· Username—User name of the guest account. The user name cannot be empty.

· Password—Password of the guest account in plaintext form. If the password is empty, the device generates a random password in encrypted form for the guest.

· User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group system.

· Guest full name—Name of the guest.

· Guest company—Company of the guest.

· Guest email—Email address of the guest.

· Guest phone—Phone number of the guest.

· Guest description—Description of the guest.

· Sponsor full name—Name of the guest sponsor.

· Sponsor department—Department of the guest sponsor.

· Sponsor email—Email address of the guest sponsor.

The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation results in account import failure and interruption. The system displays the number of the line where the account import is interrupted.

Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,

Jack,abc,visit,Jack Chen,ETP,[email protected],1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,[email protected]

The device supports TFTP and FTP file transfer modes. Table 12 describes the valid URL formats of the .csv file.

Table 12 URL formats

Protocol	URL format	Description
TFTP	tftp://server/path/filename	Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
FTP	· With FTP user name and password: ftp://username:password@server/path/filename · Without FTP user name and password: ftp://server/path/filename	Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv.

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

· With FTP user name and password:
ftp://username:password@server/path/filename

· Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Import guest account information from the ftp://1.1.1.1/user/guest.csv file and specify a validity period for the imported guests.

<Sysname> system-view

[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2019/05/01 00:00:00 to 2019/05/02 12:00:00

Related commands

display local-user

local-user-export

password (device management user view)

Use password to configure a password for a device management user.

Use undo password to restore the default.

Syntax

password [ { hash | simple } string ]

undo password

Default

A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Device management user view

Predefined user roles

network-admin

mdc-admin

Parameters

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. This argument is case sensitive. The hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password.

A device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.

Examples

# Set the password to 123456TESTplat&! in plaintext form for device management user user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Configure the password in interactive mode for device management user test.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

Related commands

display local-user

password (network access user view)

Use password to configure a password for a network access user.

Use undo password to restore the default.

Syntax

password [ { cipher | simple } string ]

undo password

Default

A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Network access user view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies a password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

As a best practice to enhance security, configure a password for each network access user.

Examples

# Set the password to 123456TESTuser&! in plaintext form for network access user user1.

<Sysname> system-view

[Sysname] local-user user1 class network

[Sysname-luser-network-user1] password simple 123456TESTuser&!

Related commands

display local-user

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | { http | https | ssh | telnet | terminal } * ppp }

undo service-type { ftp | { http | https | ssh | telnet | terminal } * ppp }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

ppp: Authorizes the user to use the PPP service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local guest view

Local user view

Predefined user roles

network-admin

mdc-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

RADIUS commands

aaa device-id

Use aaa device-id to configure the device ID.

Use undo aaa device-id to restore the default.

Syntax

aaa device-id device-id

undo aaa device-id

Default

The device ID is 0.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

device-id: Specifies a device ID in the range of 1 to 255.

Usage guidelines

RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID. On a VSRP network where multiple devices use the same accounting server, accounting ID conflicts might occur. To avoid duplicate accounting IDs, use this command to assign a unique device ID to each device.

If you modify the device ID, the new device ID does not take effect on users that have been online during the change.

Examples

# Configure the device ID as 1.

<Sysname> system-view

[Sysname] aaa device-id 1

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to disable the accounting-on feature.

Syntax

accounting-on enable [ interval interval | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to restore the default.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

The device can interpret the RADIUS class attribute only in the format of string1string2string3string4 as CAR parameters. Each string contains eight characters and each character must be a digit from 0 to 9.

After the device interprets the RADIUS class attribute sent by a RADIUS server as CAR parameters, it carries the interpreted CAR parameters in the subsequent accounting packets sent to that server besides carrying the original class attribute.

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the MAC address format of RADIUS attribute 31.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { six | three } separator separator-character { lowercase | uppercase }

undo attribute 31 mac-format

Default

A MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the MAC address format of RADIUS attribute 31 to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute 87 format

Use attribute 87 format to configure the format of RADIUS attribute 87.

Use undo attribute 87 format to restore the default.

Syntax

attribute 87 format { custom { c-vid [ delimiter ] | interface-type [ delimiter ] | port [ delimiter ] | s-vid [ delimiter ] | slot [ delimiter ] | string string [ delimiter ] | subslot [ delimiter ] | vxlan-id [ delimiter ] } * | vendor vendor-id }

undo attribute 87 format

Default

No format is configured for RADIUS attribute 87, and the attribute uses the format defined by each access module.

· For PPP authentication, the format is slot=xx;subslot=xx;port=xx;vlanid=xx;vlanid2=xx.

· For login authentication, this attribute is empty.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

custom: Specifies a custom format.

c-vid: Includes the inner VLAN ID of user packets.

interface-type: Includes the interface type of the access node.

port: Includes the port number of the access node.

s-vid: Includes the outer VLAN ID of user packets.

slot: Includes the slot number of the access node.

string string: Includes a custom string, a case-sensitive string of 1 to 63 characters.

subslot: Includes the subslot number of the access node.

vxlan-id: Includes the ID of the VXLAN to which a user belongs.

delimiter: Specifies a delimiter to separate attribute fields. The delimiter can be any character except a question mark (?). If you do not specify a delimiter, attribute fields are not separated.

vendor vendor-id: Specifies the format of RADIUS attribute 87 defined by a vendor. The vendor-id argument represents the ID of a vendor. The value can be 9 (Cisco) or 2636 (Juniper).

Usage guidelines

RADIUS attribute 87 is the NAS-Port-Id attribute. RADIUS servers of different types might have different requirements for the NAS-Port-Id attribute format. Configure the format of RADIUS attribute 87 to meet the requirements of the RADIUS servers.

If you specify the format of a vendor, the device constructs the NAS-Port-Id attribute as required by the vendor.

Table 13 Formats of the NAS-Port-Id attribute defined by different vendors

Vendor	Interface type	Format	Field description
2636 (Juniper)	Ethernet Aggregate	For double-VLAN tagging: interface-type slot/port.vpivci:vpi-vci (for example, gigabitEthernet 1/5.40940001:4094-1)	· interface-type—Interface type, which can be fastEthernet, gigabitEthernet, ethernet, or trunk (aggregate). · slot—Slot number. · port—Interface number. · vpi—Outer VLAN ID. · vci—Inner VLAN ID. The vci field preceding the colon (:) must be padded with 0s to be a string of four bits.
		For single-VLAN tagging: interface-type slot/port.subinterface:vlan (for example, gigabitEthernet 1/5.4:4)	· interface-type—Interface type, which can be fastEthernet, gigabitEthernet, ethernet, or trunk (aggregate). · slot—Slot number. · port—Interface number. · subinterface—Subinterface number. This field is invalid in RADIUS packets on an L2TP network. · vlan—VLAN ID.
		For no-VLAN tagging: interface-type slot/port.0 (for example, gigabitEthernet 1/5.0)	· interface-type—Interface type, which can be fastEthernet, gigabitEthernet, ethernet, or trunk (aggregate). · slot—Slot number. · port—Interface number.
9 (Cisco)	Ethernet Aggregate	interface-type slot/subslot/port (for example, ethernet 1/0/5)	· interface-type—Interface type, ethernet or trunk (aggregate). · slot—Slot number. · subslot—Subslot number. · port—Interface number.

‌

If you specify a custom format, the device includes the specified attribute fields in the NAS-Port-Id attribute in the sequence that the fields are specified. If you specify a delimiter in the custom format, the device uses the delimiter to separate the attribute fields.

When you configure a custom format, consider the network environment and the type of the device to avoid specifying an invalid attribute field. For example, do not specify the outer VLAN ID field in a non-QinQ network.

The format of the NAS-Port-Id attribute configured by using this command takes precedence over the format defined by the access module.

Examples

# In RADIUS scheme rad, configure the RADIUS attribute 87 format as the format defined by Cisco.

<Sysname> system-view

[Sysname] radius scheme rad

[Sysname-radius-rad] attribute 87 format vendor 9

# In RADIUS scheme rad2, configure a custom format for RADIUS attribute 87. The attribute contains the inner VLAN ID and interface type fields in sequence and uses a semicolon (;) as the delimiter.

<Sysname> system-view

[Sysname] radius scheme rad2

[Sysname-radius-rad2] attribute 87 format custom c-vid ; interface-type ;

Related commands

display radius scheme

attribute convert (RADIUS DAS view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS DAS view

Predefined user roles

network-admin

mdc-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

coa-ack: Specifies the CoA acknowledgment packets.

coa-request: Specifies the CoA request packets.

received: Specifies the received DAE packets.

sent: Specifies the sent DAE packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

· The source and destination RADIUS attributes in a rule must use the same data type.

· The source and destination RADIUS attributes in a rule cannot use the same name.

· A source RADIUS attribute can be converted only by one criterion, packet type or direction.

· One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute in the received DAE packets with the Connect-Info attribute.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] attribute convert Hw-Server-String to Connect-Info received

Related commands

attribute translate

attribute convert (RADIUS scheme view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS scheme view

Predefined user roles

network-admin

mdc-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.