13-User Access and Authentication Command Reference

Source: H3C Access Controllers Command References (R5426P02-6W104), chapter 09-User identification commands

User identification commands

The following compatibility matrixes show the support of hardware platforms for user identification:

Hardware series (models): User identification compatibility

WX2500H series (WX2508H-PWR-LTE, WX2510H, WX2540H, WX2560H): Yes

WX3000H series (WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L):

·     WX3010H, WX3010H-X, WX3024H: Yes

·     WX3010H-L, WX3024H-L: No

WX3500H series (WX3508H, WX3510H, WX3520H, WX3540H): Yes

WX5500E series (WX5510E, WX5540E): Yes

WX5500H series (WX5540H, WX5560H, WX5580H): Yes

Access controller modules (LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT): Yes

Hardware series (models): User identification compatibility

WX1800H series (WX1804H, WX1810H, WX1820H, WX1840H): No

WX3800H series (WX3820H, WX3840H): No

WX5800H series (WX5860H): No

account-update-interval

Use account-update-interval to set the interval for automatic identity user account import.

Use undo account-update-interval to restore the default.

Syntax

account-update-interval interval

undo account-update-interval

Default

The interval is 24 hours for automatic identity user account import.

Views

Identity user import policy view

Predefined user roles

network-admin

Parameters

interval: Specifies an interval in the range of 1 to 65536 hours.

Usage guidelines

After you enable automatic import for an identity user import policy, the device automatically imports identity user accounts from the servers specified in the policy at the specified interval. Periodic auto-import ensures account consistency between the device and the servers.

Examples

# Set the interval for automatic identity user account import to 12 hours for identity user import policy policy1.

<Sysname> system-view

[Sysname] user-identity user-import-policy policy1

[Sysname-identity-user-impt-policy-policy1] account-update-interval 12

Related commands

user-identity user-account auto-import policy

connection-detect

Use connection-detect to configure parameters for RESTful server reachability detection.

Use undo connection-detect to restore the default.

Syntax

connection-detect { interval interval | maximum max-times }

undo connection-detect { interval | maximum }

Default

The reachability detection interval is 5 minutes and the maximum number of probes per detection is 3.

Views

RESTful server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the reachability detection interval, in minutes. The value range for the interval argument is 1 to 10.

maximum max-times: Specifies the maximum number of probes per detection, in the range of 1 to 5.

Usage guidelines

A smaller reachability detection interval and a larger number of probes provide more accurate detection results but increase the load on the RESTful server. Set the parameters according to the network connectivity requirements and the performance of the RESTful server.

Examples

# Configure reachability detection parameters for RESTful server rest1. Set the reachability detection interval to 2 minutes and the maximum number of probes per detection to 3.

<Sysname> system-view

[Sysname] user-identity restful-server rest1

[Sysname-restfulserver-rest1] connection-detect interval 2

[Sysname-restfulserver-rest1] connection-detect maximum 3

Related commands

connection-detect enable

display user-identity restful-server

login-name

uri

user-identity restful-server

connection-detect enable

Use connection-detect enable to enable RESTful server reachability detection.

Use undo connection-detect enable to disable RESTful server reachability detection.

Syntax

connection-detect enable

undo connection-detect enable

Default

RESTful server reachability detection is disabled.

Views

RESTful server view

Predefined user roles

network-admin

Usage guidelines

Use this command to detect the reachability of a RESTful server. The detection results can be used as references to define user access control policies for other security modules.

Before you use this command, you must complete the following tasks:

·     Specify the username and password used for logging in to the RESTful server by using the login-name command.

·     Specify a URI for the RESTful server by using the uri command.

When RESTful server reachability detection is enabled, the device periodically starts a reachability detection and initiates probes within the detection interval.

·     If the device receives a response from the RESTful server, it determines that the server is reachable and stops probing.

·     If the device does not receive a response from the RESTful server after the maximum number of probes is reached, it determines that the server is unreachable.

The interval at which the device starts a detection and the maximum number of probes that the device can initiate per detection are set by using the connection-detect { interval interval | maximum max-times } command.

When RESTful server reachability detection is disabled, the device immediately stops detecting the reachability of the RESTful server.
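To make the detection behaviour and the load trade-off from the connection-detect usage guidelines concrete, here is an added Python model (not H3C code) of one detection round and of the detection schedule; the ConnectionDetect class, the run_detection, worst_case_probes_per_hour and simulate functions and the constructed answer patterns are all assumptions of this example.

```python
"""Model of RESTful server reachability detection as described for the
connection-detect and connection-detect enable commands (constructed
example, not H3C code). A detection round sends at most `maximum` probes,
ends Reachable on the first answered probe and Unreachable when every probe
goes unanswered; rounds start every `interval` minutes while enabled."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ConnectionDetect:
    enabled: bool = False   # connection-detect enable (disabled by default)
    interval: int = 5       # detection interval in minutes, range 1 to 10
    maximum: int = 3        # probes per detection, range 1 to 5

    def validate(self) -> None:
        if not 1 <= self.interval <= 10:
            raise ValueError("interval must be 1 to 10 minutes")
        if not 1 <= self.maximum <= 5:
            raise ValueError("maximum must be 1 to 5 probes")


def run_detection(cfg: ConnectionDetect,
                  answered: Callable[[int], bool]) -> Tuple[str, int]:
    """One detection round. answered(n) tells whether probe n (1-based) got a
    response. Returns (connectivity status, number of probes actually sent)."""
    cfg.validate()
    if not cfg.enabled:
        return ("Not detected", 0)   # status field is not shown when disabled
    for n in range(1, cfg.maximum + 1):
        if answered(n):
            return ("Reachable", n)  # stop probing on the first response
    return ("Unreachable", cfg.maximum)


def worst_case_probes_per_hour(cfg: ConnectionDetect) -> int:
    """Load placed on the server when it never answers: every round spends
    all `maximum` probes, and 60 // interval rounds start per hour."""
    cfg.validate()
    if not cfg.enabled:
        return 0
    return (60 // cfg.interval) * cfg.maximum


def simulate(cfg: ConnectionDetect, minutes: int,
             answered_at: Callable[[int, int], bool]) -> List[Tuple[int, str]]:
    """Status history over `minutes` minutes. answered_at(t, n) tells whether
    probe n of the round that started at minute t was answered."""
    history = []
    for t in range(0, minutes, cfg.interval):
        status, _ = run_detection(cfg, lambda n, t=t: answered_at(t, n))
        history.append((t, status))
    return history


if __name__ == "__main__":
    cfg = ConnectionDetect(enabled=True, interval=2, maximum=3)
    # Constructed outage: the server answers nothing between minutes 4 and 8.
    print(simulate(cfg, 12, lambda t, n: not 4 <= t <= 8))
    print("worst case probes/hour:", worst_case_probes_per_hour(cfg))
```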

Examples

# Enable reachability detection for RESTful server rest1.

<Sysname> system-view

[Sysname] user-identity restful-server rest1

[Sysname-restfulserver-rest1] connection-detect enable

Related commands

connection-detect

display user-identity restful-server

login-name

uri

user-identity restful-server

display user-identity

Use display user-identity to display information about the specified identity users or identity groups.

Syntax

display user-identity { domain domain-name | null-domain } { user [ user-name [ group ] ] | user-group [ group-name [ member { group | user } ] ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies identity users or identity groups that do not belong to any identity domain.

user: Displays identity user information.

user-name: Specifies an identity user by its name, a case-sensitive string of 1 to 55 characters. If you do not specify an identity user, this command displays information about all identity users.

group: Displays information about the identity groups to which the identity user belongs. If you do not specify this keyword, the command does not display identity group information.

user-group: Displays identity group information.

group-name: Specifies an identity group by its group name, a case-insensitive string of 1 to 200 characters. If you do not specify an identity group, this command displays information about all identity groups.

member: Displays information about members in the specified identity group. If you do not specify this keyword, the command does not display member information.

group: Specifies identity group members in the specified identity group.

user: Specifies identity user members in the specified identity group.

Usage guidelines

This command displays information about identity users or identity groups, including the information learned from the local user database and information imported from remote servers and .csv files.

Examples

# Display information about all identity groups in identity domain system.

<Sysname> display user-identity domain system user-group

Identity domain: system

  Group ID      Group name

  0x888         abc

  0x123         gp1

 

Total 2 records matched.

# Display information about identity group abc in identity domain system.

<Sysname> display user-identity domain system user-group abc

Identity domain: system

  Group ID      Group name

  0x888         abc

 

Total 1 records matched.

# Display information about identity user members of identity group abc in identity domain system.

<Sysname> display user-identity domain system user-group abc member user

Identity domain: system

  User ID      Username

  0x234        user1

  0xffffffff   user2

 

Total 2 records matched.

# Display information about identity group members of identity group abc in identity domain system.

<Sysname> display user-identity domain system user-group abc member group

Identity domain: system

  Group ID      Group name

  0x567         group1

  0x111         group2

 

Total 2 records matched.

# Display information about all identity users in identity domain system.

<Sysname> display user-identity domain system user

Identity domain: system

  User ID       Username

  0x234         user1

  0xffffffff    user2

 

Total 2 records matched.

# Display information about identity user user1 in identity domain system.

<Sysname> display user-identity domain system user user1

Identity domain: system

  User ID       Username

  0x234         user1

 

Total 1 records matched.

# Display information about identity groups to which identity user user1 belongs in identity domain system.

<Sysname> display user-identity domain system user user1 group

Identity domain: system

  Group ID      Group name

  0x888         abc

  0x123         gp1

 

Total 2 records matched.

# Display information about identity users that do not belong to any identity domain.

<Sysname> display user-identity null-domain user

  User ID     Username

  0x1         test

  0x3         jj

  0x2         abc

 

Total 3 records matched.

Table 1 Command output

Identity domain: Name of the identity domain to which identity users or identity groups belong. This field is not displayed if identity users or identity groups do not belong to any identity domain.

User ID: ID of the identity user.

Username: Name of the identity user.

Group ID: ID of the identity group.

Group name: Name of the identity group.

Total n records matched: Total number of matching identity users or identity groups.

Related commands

reset user-identity user-account

reset user-identity user-group

display user-identity active-user-group

Use display user-identity active-user-group to display information about active identity groups.

Syntax

display user-identity active-user-group { all | domain domain-name | null-domain }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all identity domains.

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies active identity groups that do not belong to any identity domain.

Usage guidelines

An identity group is active only when it is used by a security module such as bandwidth management for network access control.

Examples

# Display information about active identity groups in identity domain system.

<Sysname> display user-identity active-user-group domain system

Identity domain: system

  Group ID      Group name

  0x888         abc

  0x123         gp1

 

Total 2 records matched.

Table 2 Command output

Identity domain: Name of the identity domain to which active identity groups belong. This field is not displayed if active identity groups do not belong to any identity domain.

Group ID: ID of the active identity group.

Group name: Name of the active identity group.

Total n records matched: Total number of matching active identity groups.

Related commands

reset user-identity user-group

display user-identity all

Use display user-identity all to display information about all identity users or identity groups.

Syntax

display user-identity all { user | user-group }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user: Specifies identity users.

user-group: Specifies identity groups.

Usage guidelines

This command displays information about all identity users or identity groups, including information learned from the local user database and information obtained from remote servers and .csv files.

Examples

# Display information about all identity users.

<Sysname> display user-identity all user

Identity domain: system

  User ID       Username

  0x121         test1

  0x123         test2

Identity domain: 11

  User ID       Username

  0x888         test3

  0x899         test4

 

Total 4 records matched.

Table 3 Command output

Identity domain: Name of the identity domain to which identity users belong. This field is not displayed if identity users do not belong to any identity domain.

User ID: ID of the identity user.

Username: Name of the identity user.

Total n records matched: Total number of matching identity users.

# Display information about all identity groups.

<Sysname> display user-identity all user-group

Identity domain: system

  Group ID      Group name

  0x888         abc

  0x123         gp1

Identity domain: 11

  Group ID      Group name

  0x255         001

  0x256         002

 

Total 4 records matched.

Table 4 Command output

Identity domain: Name of the identity domain to which identity groups belong. This field is not displayed if identity groups do not belong to any identity domain.

Group ID: ID of the identity group.

Group name: Name of the identity group.

Total n records matched: Total number of matching identity groups.
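As an added example (not part of the H3C reference), the following Python parser reads the user and user-group listings produced by display user-identity and display user-identity all, including the null-domain form that carries no Identity domain header, and checks the parsed rows against the Total line so that a truncated capture is not mistaken for a complete inventory; the Listing class, parse_listing, unexpected_entries and the sample captures are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample captures shaped like the display user-identity all user
# and display user-identity null-domain user outputs in this reference.
SAMPLE_ALL_USER = """\
Identity domain: system
  User ID       Username
  0x121         test1
  0x123         test2
Identity domain: 11
  User ID       Username
  0x888         test3
  0x899         test4

Total 4 records matched.
"""

SAMPLE_NULL_DOMAIN = """\
  User ID     Username
  0x1         test
  0x3         jj
  0x2         abc

Total 3 records matched.
"""

DOMAIN_RE = re.compile(r"^\s*Identity domain:\s*(\S+)\s*$")
ROW_RE = re.compile(r"^\s*(0x[0-9A-Fa-f]+)\s+(\S+)\s*$")   # "<ID> <name>" rows
TOTAL_RE = re.compile(r"^\s*Total\s+(\d+)\s+records?\s+matched\.?\s*$")


@dataclass
class Listing:
    # domain name -> [(numeric ID, name)]; key None holds null-domain entries
    records: Dict[Optional[str], List[Tuple[int, str]]] = field(default_factory=dict)
    reported_total: Optional[int] = None

    @property
    def parsed_total(self) -> int:
        return sum(len(rows) for rows in self.records.values())

    @property
    def complete(self) -> bool:
        # A capture cut off mid-screen has no Total line, or one that
        # disagrees with the rows actually seen; treat both as incomplete.
        return (self.reported_total is not None
                and self.reported_total == self.parsed_total)

    def names(self) -> Set[Tuple[Optional[str], str]]:
        return {(dom, name) for dom, rows in self.records.items() for _, name in rows}


def parse_listing(text: str) -> Listing:
    """Parse a user or user-group listing captured from display user-identity.
    Column header lines (User ID, Group ID ...) never start with 0x, so only
    data rows match ROW_RE."""
    listing = Listing()
    domain: Optional[str] = None
    for line in text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            domain = m.group(1)
            listing.records.setdefault(domain, [])
            continue
        m = ROW_RE.match(line)
        if m:
            listing.records.setdefault(domain, []).append((int(m.group(1), 16), m.group(2)))
            continue
        m = TOTAL_RE.match(line)
        if m:
            listing.reported_total = int(m.group(1))
    return listing


def unexpected_entries(listing: Listing,
                       allowed: Set[Tuple[Optional[str], str]]) -> Set[Tuple[Optional[str], str]]:
    """(domain, name) pairs present on the device but absent from an
    operator-maintained allow list: the check to run after an automatic import."""
    return listing.names() - allowed


if __name__ == "__main__":
    lst = parse_listing(SAMPLE_ALL_USER)
    print("complete:", lst.complete, lst.records)
    print("unexpected:", unexpected_entries(lst, {("system", "test1"), ("system", "test2"), ("11", "test3")}))
```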

 

Related commands

reset user-identity user-account

reset user-identity user-group

display user-identity online-user

Use display user-identity online-user to display online identity user information.

Syntax

display user-identity online-user { domain domain-name | null-domain } name user-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies online identity users that do not belong to any identity domain.

name user-name: Specifies an online identity user by its username, a case-sensitive string of 1 to 55 characters. The username cannot contain the domain name.

Usage guidelines

This command displays information about online identity users, including static online identity users and dynamic online identity users.

Examples

# Display information about online identity user user1 in identity domain system.

<Sysname> display user-identity online-user domain system name user1

User name: user1

  Identity domain: system

  IP  : 199.199.0.15

  MAC : 0001-0002-0003

  Type: Static

 

Total 1 records matched.

Table 5 Command output

User name: Name of the online identity user.

Identity domain: Name of the identity domain to which online identity users belong. This field is not displayed if online identity users do not belong to any identity domain.

IP: IP address of the online identity user.

MAC: MAC address of the online identity user. This field is not displayed if the MAC address of the online identity user is not obtained.

Type: Type of the online identity user, Static or Dynamic.

Total n records matched: Total number of matching online identity users.

Related commands

reset user-identity dynamic-online-user

user-identity static-user

display user-identity restful-server

Use display user-identity restful-server to display RESTful server configuration.

Syntax

display user-identity restful-server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a RESTful server by its server name, a case-insensitive string of 1 to 31 characters. If you do not specify a RESTful server, this command displays configuration information for all RESTful servers.

Examples

# Display configuration information for RESTful server rest1.

<Sysname> display user-identity restful-server rest1

RESTful server name: rest1

  Login name: u1

  Get User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUser

  Get User Group URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/accessUserGroup

  Get Online User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/onlineUser

  Put Online User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOnlineUser

  Put Offline User URI: http://1.1.1.1:8080/imcrs/ssm/imcuser/uploadOfflineUser

  Connectivity detection: Enabled

    Detection interval: 1 minutes

    Maximum times: 1

  Connectivity status: Reachable

Table 6 Command output

Login name: Username used to log in to the RESTful server.

Get User URI: URI used to request user account information.

Get User Group URI: URI used to request user group information.

Get Online User URI: URI used to request online user information.

Put Online User URI: URI used to upload online user information.

Put Offline User URI: URI used to upload offline user information.

Connectivity detection: Whether RESTful server reachability detection is enabled, Enabled or Disabled.

Detection interval: Interval at which the device detects the reachability of the RESTful server, in minutes.

Maximum times: Maximum number of probes per detection.

Connectivity status: Status of the RESTful server, Reachable or Unreachable. This field is not displayed if RESTful server reachability detection is disabled.

Related commands

connection-detect

connection-detect enable

login-name

uri

user-identity restful-server

display user-identity security-manage-server

Use display user-identity security-manage-server to display configuration information for security management server sets.

Syntax

display user-identity security-manage-server [ server-set-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-set-name: Specifies a security management server set by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a security management server set, this command displays configuration information for all security management server sets. The system supports only one security management server set.

Examples

# Display configuration information for security management server set sec1.

<Sysname> display user-identity security-manage-server sec1

Security management server set: sec1

  IP addresses: 192.168.0.1,10.113.0.1

  Listening port: 8200

  Encryption algorithm: 3DES

 

Total 1 records matched

Table 7 Command output

Security management server set: Name of the security management server set.

IP addresses: IP addresses of security management servers.

Listening port: Port for listening to security management servers.

Encryption algorithm: Algorithm for encrypting packets exchanged between the device and security management servers.

Total n records matched: Number of matched security management server sets.

Related commands

encryption

ip

listen-port

user-identity security-manage-server

display user-identity user-import-policy

Use display user-identity user-import-policy to display identity user import policy information.

Syntax

display user-identity user-import-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an identity user import policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify an identity user import policy, this command displays information about all identity user import policies.

Examples

# Display information about identity user import policy policy1.

<Sysname> display user-identity user-import-policy policy1

Policy name: policy1

  Interval time: 24 hours

  RESTful server name:

    ser1

  LDAP import type: All

  LDAP scheme name:

    ldap-scheme

 

Total 1 records matched.

Table 8 Command output

Policy name: Name of the identity user import policy.

Interval time: Interval for automatic identity user account import, in hours.

RESTful server name: Name of the RESTful server.

LDAP import type: Type of user information imported from LDAP servers:

·     All: User and user group information.

·     User: User information.

·     Group: User group information.

LDAP scheme name: Name of an LDAP scheme.

Total n records matched: Total number of matching identity user import policies.

Related commands

import-type

user-identity user-import-policy

encryption

Use encryption to configure the encryption algorithm and shared key for securing communication with security management servers.

Use undo encryption to restore the default.

Syntax

encryption algorithm { 3des | aes128 } key { simple | cipher } string

undo encryption algorithm

Default

No encryption algorithm or shared key is configured for securing communication with security management servers.

Views

Security management server set view

Predefined user roles

network-admin

Parameters

algorithm: Specifies the encryption algorithm.

3des: Specifies the 3DES algorithm.

aes128: Specifies the AES algorithm that uses a 128-bit key.

key: Specifies the shared key.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. The key string is case sensitive.

·     If the encryption algorithm is 3DES, the plaintext form of the key is a string of 1 to 24 characters. The encrypted form of the key is a string of 1 to 65 characters.

·     If the encryption algorithm is AES-128, the plaintext form of the key is a string of 1 to 16 characters. The encrypted form of the key is a string of 1 to 53 characters.

Usage guidelines

For the device to correctly exchange packets with security management servers, make sure the encryption algorithm and shared key are the same as those configured on the servers.

Examples

# Configure 3DES as the encryption algorithm and plaintext string 123 as the shared key for securing communication with security management servers in security management server set sec1.

<Sysname> system-view

[Sysname] user-identity security-manage-server sec1

[Sysname-identity-sec-manage-server-sec1] encryption algorithm 3des key simple 123

Related commands

display user-identity security-manage-server

import-type

Use import-type to specify the type of user information to be imported from LDAP servers.

Use undo import-type to restore the default.

Syntax

import-type { all | group | user }

undo import-type

Default

The type of user information to be imported from LDAP servers is not specified. The device imports both user information and user group information from LDAP servers.

Views

Identity user import policy view

Predefined user roles

network-admin

Parameters

all: Specifies both the user and user group types.

group: Specifies the user group type.

user: Specifies the user type.

Usage guidelines

The device imports only user information of the specified type from LDAP servers.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the device to import both user information and user group information from LDAP servers.

<Sysname> system-view

[Sysname] user-identity user-import-policy policy

[Sysname-identity-user-impt-policy-policy] import-type all

Related commands

display user-identity user-import-policy

ip

Use ip to specify IP addresses of security management servers.

Use undo ip to remove the specified IP addresses of security management servers.

Syntax

ip ip-address&<1-10>

undo ip { ip-address&<1-10> | all }

Default

No IP addresses of security management servers are specified.

Views

Security management server set view

Predefined user roles

network-admin

Parameters

ip-address&<1-10>: Specifies a space-separated list of up to 10 IP addresses. The all-zero IP address is not allowed.

all: Specifies all the IP addresses of security management servers.

Usage guidelines

You can specify a maximum of 20 IP addresses of security management servers in a security management server set.

Examples

# Specify security management servers at 192.168.0.1 and 10.113.0.1 for security management server set sec1.

<Sysname> system-view

[Sysname] user-identity security-manage-server sec1

[Sysname-identity-sec-manage-server-sec1] ip 192.168.0.1 10.113.0.1

Related commands

display user-identity security-manage-server

ldap-scheme

Use ldap-scheme to specify an LDAP scheme.

Use undo ldap-scheme to restore the default.

Syntax

ldap-scheme ldap-scheme-name

undo ldap-scheme ldap-scheme-name

Default

No LDAP schemes are specified.

Views

Identity user import policy view

Predefined user roles

network-admin

Parameters

ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

To import identity user account information from the LDAP server specified in the LDAP scheme, use the user-identity user-account import policy command. The device cannot import online identity user information from the LDAP server.

You can specify a maximum of 16 LDAP schemes in an identity user import policy for importing users from multiple LDAP servers in batch.

Examples

# Specify LDAP scheme ser2 for identity user import policy policy1.

<Sysname> system-view

[Sysname] user-identity user-import-policy policy1

[Sysname-identity-user-impt-policy-policy1] ldap-scheme ser2

Related commands

display user-identity user-import-policy

ldap scheme

listen-port

Use listen-port to set the port number for listening to security management servers.

Use undo listen-port to restore the default.

Syntax

listen-port port-num

undo listen-port

Default

The device listens to security management servers on port 8001.

Views

Security management server set view

Predefined user roles

network-admin

Parameters

port-num: Specifies the UDP port number for listening to security management servers, in the range of 1 to 65535.

Usage guidelines

For the device to establish connections with security management servers, make sure the listening port is the same as the port that the servers use to send online user information.

Examples

# Set the port to 8048 for listening to security management servers in security management server set sec1.

<Sysname> system-view

[Sysname] user-identity security-manage-server sec1

[Sysname-identity-sec-manage-server-sec1] listen-port 8048

Related commands

display user-identity security-manage-server

login-name

Use login-name to specify the username and password used for logging in to the RESTful server.

Use undo login-name to restore the default.

Syntax

login-name user-name password { cipher | simple } string

undo login-name

Default

No username or password is specified for logging in to the RESTful server.

Views

RESTful server view

Predefined user roles

network-admin

Parameters

user-name: Specifies a username, a case-sensitive string of 1 to 55 characters.

password: Specifies a password.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

The device uses the specified username and password to establish a connection with the RESTful server. If the device is authenticated as legitimate, the RESTful server permits the connection request of the device. Then, the device can request resources on the server.

The specified username and password must exist on the RESTful server.

Examples

# Configure the device to use username abc and plaintext password 123 to log in to the RESTful server.

<Sysname> system-view

[Sysname] user-identity restful-server rest1

[Sysname-restfulserver-rest1] login-name abc password simple 123

Related commands

display user-identity restful-server

user-identity restful-server

reset user-identity dynamic-online-user

Use reset user-identity dynamic-online-user to delete dynamic online identity users.

Syntax

reset user-identity dynamic-online-user { all | { domain domain-name | null-domain } [ name user-name ] | { ip ipv4-address | ipv6 ipv6-address } [ mac mac-address ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all dynamic online identity users.

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies dynamic online identity users that do not belong to any identity domain.

name user-name: Specifies a dynamic online identity user by its username, a case-sensitive string of 1 to 55 characters. If you do not specify this option, the command deletes dynamic online identity users that belong to the specified domain or that do not belong to any domain.

ip ipv4-address: Specifies the IPv4 address of a dynamic online identity user.

ipv6 ipv6-address: Specifies the IPv6 address of a dynamic online identity user.

mac mac-address: Specifies the MAC address of a dynamic online identity user, in the format H-H-H. If you do not specify a MAC address, this command deletes dynamic online identity users that have the specified username regardless of their MAC addresses.

Usage guidelines

This command deletes only dynamic online identity users, which are created based on user information obtained from remote servers. It cannot delete static online identity users. To delete static online identity users, use the undo user-identity static-user command.

Examples

# Delete all dynamic online identity users.

<Sysname> reset user-identity dynamic-online-user all

# Delete dynamic online identity users in identity domain abc.

<Sysname> reset user-identity dynamic-online-user domain abc

# Delete dynamic online identity user user1 in identity domain dom1.

<Sysname> reset user-identity dynamic-online-user domain dom1 name user1

# Delete dynamic online identity users that use username user2 and do not belong to any identity domain.

<Sysname> reset user-identity dynamic-online-user null-domain name user2

# Delete the dynamic online identity user whose IP address is 1.2.3.4.

<Sysname> reset user-identity dynamic-online-user ip 1.2.3.4

# Delete the dynamic online identity user whose IP address is 1.2.3.4 and MAC address is 2222-3333-4444.

<Sysname> reset user-identity dynamic-online-user ip 1.2.3.4 mac 2222-3333-4444

Related commands

display user-identity online-user

reset user-identity user-account

Use reset user-identity user-account to delete identity user accounts.

Syntax

reset user-identity user-account { all | { domain domain-name | null-domain } [ name user-name ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all identity user accounts.

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies identity user accounts that do not belong to any identity domain.

name user-name: Specifies an identity user account by its name, a case-sensitive string of 1 to 55 characters. If you do not specify an identity user account, this command deletes identity user accounts that belong to the specified domain or that do not belong to any domain.

Usage guidelines

This command deletes identity user accounts created based on the information obtained from remote servers and .csv files. It cannot delete identity user accounts learned from the local user database.

Examples

# Delete all identity user accounts.

<Sysname> reset user-identity user-account all

# Delete identity user account test in identity domain dom1.

<Sysname> reset user-identity user-account domain dom1 name test

Related commands

display user-identity all user

reset user-identity user-group

Use reset user-identity user-group to delete identity groups.

Syntax

reset user-identity user-group { all | { domain domain-name | null-domain } [ name group-name ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all identity groups.

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies identity groups that do not belong to any identity domain.

name group-name: Specifies an identity group by its group name, a case-insensitive string of 1 to 200 characters. If you do not specify an identity group, this command deletes identity groups that belong to the specified domain or that do not belong to any domain.

Usage guidelines

This command deletes identity groups created based on user group information obtained from remote servers and .csv files. It cannot delete identity groups learned from the local user database.

Examples

# Delete all identity groups.

<Sysname> reset user-identity user-group all

# Delete identity group g1 in identity domain dom1.

<Sysname> reset user-identity user-group domain dom1 name g1

Related commands

display user-identity all user-group

restful-server

Use restful-server to specify a RESTful server.

Use undo restful-server to restore the default.

Syntax

restful-server server-name

undo restful-server server-name

Default

No RESTful server is specified.

Views

Identity user import policy view

Predefined user roles

network-admin

Parameters

server-name: Specifies a RESTful server by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

To import identity user accounts from the RESTful server, use the user-identity user-account import policy command. To import online identity user information from the RESTful server, use the user-identity online-user import policy command.

You can specify only one RESTful server. To specify a new RESTful server, first remove the currently specified RESTful server by using the undo restful-server command.

Examples

# Specify RESTful server ser1 for identity user import policy policy1.

<Sysname> system-view

[Sysname] user-identity user-import-policy policy1

[Sysname-identity-user-impt-policy-policy1] restful-server ser1

Related commands

display user-identity restful-server

display user-identity user-import-policy

user-identity restful-server

uri

Use uri to specify a URI for the RESTful server.

Use undo uri to delete a URI specified for the RESTful server.

Syntax

uri { get-online-user | get-user-database | get-user-group-database | put-offline-user | put-online-user } uri-string

undo uri { get-online-user | get-user-database | get-user-group-database | put-offline-user | put-online-user }

Default

No URIs are specified for the RESTful server.

Views

RESTful server view

Predefined user roles

network-admin

Parameters

get-online-user: Specifies the URI used to request online network access user information.

get-user-database: Specifies the URI used to request network access user account information.

get-user-group-database: Specifies the URI used to request user group information.

put-offline-user: Specifies the URI used to upload offline user information.

put-online-user: Specifies the URI used to upload online user information.

uri-string: Specifies a URI, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The specified URIs must be the same as those provided by the RESTful server. Otherwise, user information interaction will fail.

If the device adds or deletes an identity user that is not imported from the RESTful server, the device uploads the online or offline user information to the RESTful server.

You can repeat this command to specify multiple URIs for the RESTful server.

Examples

# Specify http://1.1.1.1:8080/imcrs/ssm/imcuser/newpath as the URI used to request network access user account information.

<Sysname> system-view

[Sysname] user-identity restful-server rest1

[Sysname-restfulserver-rest1] uri get-user-database http://1.1.1.1:8080/imcrs/ssm/imcuser/newpath

Related commands

display user-identity restful-server

user-identity restful-server

user-identity enable

Use user-identity enable to enable the user identification feature.

Use undo user-identity enable to disable the user identification feature.

Syntax

user-identity enable

undo user-identity enable

Default

The user identification feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With the user identification feature, the device learns online user information from user access modules such as portal. The device uses the obtained information to identify users and works with other security features to provide identity-based network access control.

Examples

# Enable the user identification feature.

<Sysname> system-view

[Sysname] user-identity enable

user-identity online-user import policy

Use user-identity online-user import policy to import online identity users from a server.

Syntax

user-identity online-user import policy policy-name

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an identity user import policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After this command is executed, the device initiates a connection request to the server specified in the identity user import policy. Then, the device imports online network access user information from the server. The information includes the username, identity domain name, user group name, IP address, and MAC address of the users.

Before you execute this command, make sure the user identification feature is enabled.

Examples

# Import online identity users from the server specified in identity user import policy policy1.

<Sysname> system-view

[Sysname] user-identity online-user import policy policy1

Loading...Done.

Related commands

user-identity user-account auto-import policy

user-identity user-import-policy

user-identity online-user-name-match

Use user-identity online-user-name-match to specify the username match mode for user identification.

Use undo user-identity online-user-name-match to restore the default.

Syntax

user-identity online-user-name-match { keep-original | with-domain | without-domain }

undo user-identity online-user-name-match

Default

The username match mode for user identification is keep-original.

Views

System view

Predefined user roles

network-admin

Parameters

keep-original: Uses the username exactly as entered by the user to perform username match. For example, if the authentication domain is abc and the entered username is test@123, the device searches for username test@123 in local identity user accounts.

with-domain: Uses the username with the user's authentication domain name appended to perform username match. For example, if the authentication domain is abc and the entered username is test@123, the device searches for username test@abc in local identity user accounts.

without-domain: Uses the username with the domain name removed to perform username match. For example, if the authentication domain is abc and the entered username is test@123, the device searches for username test in local identity user accounts that do not join any identity domain.

Usage guidelines

This command specifies the username match mode for user identification. The device creates online identity users only for online users whose usernames can match the usernames in the local identity user accounts.

Examples

# Specify with-domain as the username match mode for user identification.

<Sysname> system-view

[Sysname] user-identity online-user-name-match with-domain
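The following added example (not H3C code) applies the three username match modes above to the reference's test@123/abc case and then matches the result against constructed local accounts. Scoping keep-original and with-domain to accounts in any domain is an assumption; the reference only scopes without-domain.

```python
# Added example (not H3C code): the three user-identity online-user-name-match modes
# applied to an entered username, then matched against constructed local accounts.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdentityAccount:
    name: str               # identity user account names are case-sensitive
    domain: Optional[str]   # None: the account does not join any identity domain


ANY_DOMAIN = "*"   # constructed marker: search accounts in every domain (assumption)


def lookup_name(mode: str, entered: str, auth_domain: str) -> Tuple[str, Optional[str]]:
    """Return (username to search for, domain scope) for the given match mode.

    Scope None restricts the search to accounts that do not join any identity
    domain (without-domain). ANY_DOMAIN for the other two modes is an assumption;
    the reference does not scope those searches to a domain.
    """
    base, _, _ = entered.partition("@")
    if mode == "keep-original":
        return entered, ANY_DOMAIN
    if mode == "with-domain":
        return f"{base}@{auth_domain}", ANY_DOMAIN
    if mode == "without-domain":
        return base, None
    raise ValueError(f"unknown match mode: {mode}")


def match_account(mode: str, entered: str, auth_domain: str,
                  accounts: List[IdentityAccount]) -> Optional[IdentityAccount]:
    """Pick the local account an online user is matched to, or None (no online identity user)."""
    name, scope = lookup_name(mode, entered, auth_domain)
    for acct in accounts:
        if acct.name != name:            # exact, case-sensitive name comparison
            continue
        if scope is None and acct.domain is not None:
            continue                     # without-domain ignores accounts in a domain
        return acct
    return None


# Constructed local identity user accounts for the demonstration.
ACCOUNTS = [
    IdentityAccount("test@123", "dom1"),
    IdentityAccount("test@abc", "abc"),
    IdentityAccount("test", "abc"),
    IdentityAccount("test", None),
]

if __name__ == "__main__":
    for mode in ("keep-original", "with-domain", "without-domain"):
        print(mode, "->", match_account(mode, "test@123", "abc", ACCOUNTS))
```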

user-identity restful-server

Use user-identity restful-server to create a RESTful server and enter its view, or enter the view of an existing RESTful server.

Use undo user-identity restful-server to delete a RESTful server.

Syntax

user-identity restful-server server-name

undo user-identity restful-server server-name

Default

No RESTful server exists.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of a RESTful server. The RESTful server name is a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can configure parameters of the RESTful server in RESTful server view. The parameters include the URIs of the server and the login account.

You can create only one RESTful server.

Examples

# Create a RESTful server named rest1 and enter its view.

<Sysname> system-view

[Sysname] user-identity restful-server rest1

[Sysname-restfulserver-rest1]

Related commands

display user-identity restful-server

login-name

uri

user-identity user-import-policy

user-identity security-manage-server

Use user-identity security-manage-server to create a security management server set and enter its view, or enter the view of an existing security management server set.

Use undo user-identity security-manage-server to delete a security management server set.

Syntax

user-identity security-manage-server server-set-name

undo user-identity security-manage-server server-set-name

Default

No security management server set exists.

Views

System view

Predefined user roles

network-admin

Parameters

server-set-name: Specifies the name of the security management server set, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The security management server set view defines the parameters of the security management servers. The parameters include the IP addresses of the servers, the port number on which the device listens for the servers, and the shared key that secures communication between the device and the servers.

You can create only one security management server set.

Examples

# Create a security management server set named sec1 and enter its view.

<Sysname> system-view

[Sysname] user-identity security-manage-server sec1

[Sysname-identity-sec-manage-server-sec1]

Related commands

display user-identity security-manage-server

encryption

ip

listen-port

user-identity static-user

Use user-identity static-user to configure a static identity user.

Use undo user-identity static-user to delete a static identity user.

Syntax

user-identity static-user user-name [ domain domain-name ] bind { ipv4 ipv4-address | ipv6 ipv6-address } [ mac mac-address ]

undo user-identity static-user user-name [ domain domain-name ] [ bind { ipv4 ipv4-address | ipv6 ipv6-address } [ mac mac-address ] ]

Default

No static identity users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the name of the static identity user, a case-sensitive string of 1 to 55 characters.

domain domain-name: Specifies the identity domain to which the static identity user belongs. The domain-name argument represents an identity domain name, a case-insensitive string of 1 to 255 characters. If you do not specify an identity domain, the static identity user does not belong to any identity domain.

bind: Specifies address attributes bound to the static identity user.

ipv4 ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be an all-zero address, all-one address, or multicast address.

ipv6 ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be an all-zero address, multicast address, loopback address, or link local address.

mac mac-address: Specifies a MAC address in the format of H-H-H. If you do not specify a MAC address, the static identity user can use any MAC address.

Usage guidelines

To allow users to access the network without identity authentication and to use security features to control their access to the network, configure the users as static identity users.

If you do not specify the bind keyword in the undo form of this command, all static identity users that use the specified username are deleted.

Execute this command multiple times to add multiple static identity users.

You can bind one username with multiple IP addresses or with multiple IP-MAC address combinations. You cannot bind one IP address or one IP-MAC address combination with multiple usernames.

The device generates static online identity user entries only when the user identification feature is enabled and the static identity users match local identity user accounts.

Examples

# Configure a static identity user of which the username is test, the identity domain is dom1, and the IP address is 109.15.0.15.

<Sysname> system-view

[Sysname] user-identity static-user test domain dom1 bind ipv4 109.15.0.15
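The following added example (not H3C code) models the binding rules stated above for user-identity static-user: the address restrictions on ipv4 and ipv6, the one-username-to-many-bindings rule, and the undo form without bind. Treating an IP-only binding and the same IP with a MAC as distinct bindings, and zero-padding each H of the H-H-H MAC format, are assumptions.

```python
# Added example (not H3C code): a model of the static identity user binding rules.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticUser:
    name: str                 # case-sensitive, 1 to 55 characters
    domain: Optional[str]     # None: the user belongs to no identity domain


# (ip, mac); mac None means the user may use any MAC address.
# Assumption: (ip, None) and (ip, mac) are distinct bindings.
Binding = Tuple[str, Optional[str]]


def validate_ip(text: str) -> str:
    """Reject addresses the ipv4/ipv6 keywords do not accept; return canonical text."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        bad = addr.is_unspecified or addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast
    else:
        bad = addr.is_unspecified or addr.is_multicast or addr.is_loopback or addr.is_link_local
    if bad:
        raise ValueError(f"address not allowed for a static identity user: {text}")
    return str(addr)


def normalize_mac(mac: str) -> str:
    """H-H-H format. Assumption: each H is 1 to 4 hex digits and is zero-padded."""
    m = re.fullmatch(r"([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})", mac)
    if not m:
        raise ValueError(f"MAC address must be in H-H-H format: {mac}")
    return "-".join(g.lower().zfill(4) for g in m.groups())


class StaticUserTable:
    def __init__(self) -> None:
        self._owner: Dict[Binding, StaticUser] = {}   # each binding has one owner

    def add(self, name: str, ip: str, domain: Optional[str] = None,
            mac: Optional[str] = None) -> Binding:
        """user-identity static-user name [domain] bind ip [mac]: add one binding."""
        if not 1 <= len(name) <= 55:
            raise ValueError("username must be 1 to 55 characters")
        key: Binding = (validate_ip(ip), normalize_mac(mac) if mac else None)
        user = StaticUser(name, domain)
        owner = self._owner.get(key)
        if owner is not None and owner != user:
            raise ValueError(f"{key} is already bound to {owner.name}")
        self._owner[key] = user
        return key

    def remove(self, name: str, domain: Optional[str] = None,
               ip: Optional[str] = None, mac: Optional[str] = None) -> int:
        """undo form: without bind, every binding of the username is deleted."""
        user = StaticUser(name, domain)
        if ip is None:
            keys = [k for k, u in self._owner.items() if u == user]
        else:
            key = (str(ipaddress.ip_address(ip)), normalize_mac(mac) if mac else None)
            keys = [key] if self._owner.get(key) == user else []
        for k in keys:
            del self._owner[k]
        return len(keys)

    def bindings_of(self, name: str, domain: Optional[str] = None) -> List[Binding]:
        user = StaticUser(name, domain)
        return sorted((k for k, u in self._owner.items() if u == user),
                      key=lambda b: (b[0], b[1] or ""))
```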

Related commands

display user-identity online-user

user-identity enable

user-identity user-account auto-import policy

Use user-identity user-account auto-import policy to enable automatic identity user account import.

Use undo user-identity user-account auto-import policy to disable automatic identity user account import.

Syntax

user-identity user-account auto-import policy policy-name

undo user-identity user-account auto-import policy policy-name

Default

Automatic identity user account import is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an identity user import policy by its policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After this feature is enabled, the device first imports all identity user accounts and online identity user information from the servers specified in the identity user import policy. Then, the device periodically imports identity user accounts from the servers at the interval set by the account-update-interval command.

For this feature to take effect, make sure the user identification feature is enabled. To enable the user identification feature, use the user-identity enable command.

Examples

# Enable automatic identity user account import for identity user import policy policy1.

<Sysname> system-view

[Sysname] user-identity user-account auto-import policy policy1

Related commands

account-update-interval

user-identity user-import-policy

user-identity user-account export url

Use user-identity user-account export url to export identity user accounts to a .csv file.

Syntax

user-identity user-account export url url-string [ { domain domain-name | null-domain } [ user user-name ] | template ]

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies a URL, a case-insensitive string of 1 to 255 characters.

domain domain-name: Specifies an identity domain by its domain name, a case-insensitive string of 1 to 255 characters.

null-domain: Specifies identity user accounts that do not belong to any identity domain.

user user-name: Specifies an identity user account by its account name, a case-sensitive string of 1 to 55 characters. If you do not specify an identity user account, this command exports all identity user accounts.

template: Exports a standard .csv file template. You can use this file template as a reference when editing .csv files.

Usage guidelines

You must save the exported identity user account information to a .csv file.

If you do not specify any parameters, the device exports all identity user account information to a .csv file.

The device supports TFTP and FTP file transfer modes. Table 9 describes the valid URL formats of the .csv file.

Table 9 URL formats

Protocol: TFTP
URL format: tftp://server/path/filename
Description: Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

Protocol: FTP
URL format:
·     With FTP username and password: ftp://username:password@server/path/filename
·     Without FTP username and password: ftp://server/path/filename
Description: Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP username. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

For identity user account information to be correctly exported by using FTP, follow the input formats in Table 10 when you use special characters in the URL.

Table 10 Input formats for special characters

Special character    Input format
\                    \\
"                    \"
/                    %2F
:                    %3A
@                    %40

If this command is successfully executed, a .csv file with the specified file name is created on the specified server. If you execute this command with the same parameters multiple times, the new file overwrites the old file.

Examples

# Export all identity user accounts in identity domain dom1 to a .csv file and save the file to the path tftp://1.1.1.1/user.csv.

<Sysname> system-view

[Sysname] user-identity user-account export url tftp://1.1.1.1/user.csv domain dom1

Related commands

user-identity user-account import url
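The following added example (not H3C code) builds a url-string in the Table 9 formats, escapes the FTP username and password with the Table 10 input formats, and checks that the escaped URL still parses to the intended server and credential. Python's urllib.parse is used for the check; the device's own URL parser is not described on this page.

```python
# Added example (not H3C code): Table 9 URL formats and Table 10 credential escaping.
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Table 10: special character -> input format.
SPECIAL_INPUT = {"\\": "\\\\", '"': '\\"', "/": "%2F", ":": "%3A", "@": "%40"}


def escape_credential(text: str) -> str:
    """Apply Table 10 to one credential component (FTP username or password)."""
    return "".join(SPECIAL_INPUT.get(ch, ch) for ch in text)


def build_export_url(protocol: str, server: str, path: str, filename: str,
                     username: Optional[str] = None,
                     password: Optional[str] = None) -> str:
    """Return a url-string for user-identity user-account export url."""
    if protocol not in ("tftp", "ftp"):
        raise ValueError("the device supports only TFTP and FTP file transfer")
    if protocol == "tftp" and (username is not None or password is not None):
        raise ValueError("TFTP URLs carry no username or password")
    if "/" in filename:
        raise ValueError("filename must not contain '/'; put directories in path")
    # server/path/filename, with an empty path collapsing to server/filename
    target = "/".join(p for p in (server, path.strip("/"), filename) if p)
    if username is None:
        url = f"{protocol}://{target}"
    else:
        cred = escape_credential(username) + ":" + escape_credential(password or "")
        url = f"ftp://{cred}@{target}"
    if not 1 <= len(url) <= 255:
        raise ValueError("url-string must be 1 to 255 characters")
    return url


def parts_of(url: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """(username, password, host) as a URL parser sees the url-string."""
    s = urlsplit(url)
    return s.username, s.password, s.hostname


if __name__ == "__main__":
    print(build_export_url("tftp", "1.1.1.1", "", "user.csv"))
    print(build_export_url("ftp", "1.1.1.1", "user", "user.csv", "admin", "p@ss:1"))
```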

user-identity user-account import policy

Use user-identity user-account import policy to import identity user accounts from servers.

Syntax

user-identity user-account import policy policy-name

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an identity user import policy by its policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After you execute this command, the device initiates an identity user account information request to the servers specified in the identity user import policy. Then, the device imports identity user account information from the servers.

Examples

# Import identity user accounts from the servers specified in identity user import policy policy1.

<Sysname> system-view

[Sysname] user-identity user-account import policy policy1

Related commands

user-identity user-import-policy

user-identity user-account import url

Use user-identity user-account import url to import identity user accounts from a .csv file.

Syntax

user-identity user-account import url url-string [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the .csv file. The URL is a case-insensitive string of 1 to 255 characters.

auto-create-group: Enables the device to automatically create an identity group for an account if the identity group to which the account belongs does not exist on the device. If you do not specify this keyword, the device does not create nonexistent identity groups.

override: Enables the device to override the existing identity user account with the same name as an identity user account to be imported. If you do not specify this keyword, the device retains the existing identity user account.

start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify this option, the command imports identity user account information from the first line.

Usage guidelines

The file from which identity user accounts are imported must be a .csv file.

You can use the user-identity user-account export url command to export a standard .csv file template.

Examples

# Import identity user accounts from the second line of the user.csv file in path ftp://1.1.1.1/newpath.

<Sysname> system-view

[Sysname] user-identity user-account import url ftp://1.1.1.1/newpath/user.csv start-line 2

Related commands

user-identity user-account export url

user-identity user-import-policy

Use user-identity user-import-policy to create an identity user import policy and enter its view, or enter the view of an existing identity user import policy.

Use undo user-identity user-import-policy to delete an identity user import policy.

Syntax

user-identity user-import-policy policy-name

undo user-identity user-import-policy policy-name

Default

No identity user import policy exists.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an identity user import policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

An identity user import policy defines how the user identification feature imports identity user information from servers. The imported user information includes information about identity user accounts and online identity users. Supported servers include H3C IMC servers and LDAP servers.

You can create only one identity user import policy. Before you create a new identity user import policy, first delete the existing identity user import policy by using the undo form of this command.

Examples

# Create an identity user import policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] user-identity user-import-policy policy1

[Sysname-identity-user-impt-policy-policy1]

Related commands

display user-identity user-import-policy