During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

By default, the device uses the device name as the NAS-ID.

Examples

# Create a NAS-ID profile named aaa and enter its view.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

nas-id bind vlan

port-security nas-id-profile

portal nas-id-profile

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32 for FTP, SSH, and Telnet services, and is 1 to 64 for HTTP and HTTPS services.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the system denies the subsequent users of this type.

For HTTP and HTTPS services, the number of concurrent users of an application is separately limited. For example, if the maximum number of concurrent HTTP users is 20, a maximum of 20 concurrent users are allowed for each HTTP-based application, such as RESTful, Web, and NETCONF.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.

· When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.

· When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

· The specified accounting scheme does not exist.

· The device fails to send accounting request packets.

· The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting lan-access

Use accounting lan-access to specify accounting methods for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

Default

The default accounting methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

· The specified accounting scheme does not exist.

· The device fails to send accounting request packets.

· The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

The following guidelines apply to broadcast accounting:

· The device sends start-accounting, update-accounting, and stop-accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends the accounting requests to the secondary servers of the scheme in the order the servers are configured.

· The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

timer realtime-accounting

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

· The specified accounting scheme does not exist.

· The device fails to send accounting request packets.

· The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

accounting portal

Use accounting portal to specify accounting methods for portal users.

Use undo accounting portal to restore the default.

Syntax

accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

Default

The default accounting methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

· The specified accounting scheme does not exist.

· The device fails to send accounting request packets.

· The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

The following guidelines apply to broadcast accounting:

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

# In ISP domain test, broadcast accounting requests of portal users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

timer realtime-accounting

accounting quota-out

Use accounting quota-out to configure access control for users that have used up their data or time accounting quotas.

Use undo accounting quota-out to restore the default.

Syntax

accounting quota-out { offline | online }

undo accounting quota-out

Default

The device logs off users that have used up their accounting quotas.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that have used up their accounting quotas.

online: Allows users that have used up their accounting quotas to stay online.

Usage guidelines

If the server notifies the device of portal users' remaining accounting quotas, the time that the device logs out portal users that have used up their accounting quotas might be inaccurate.

Examples

# In ISP domain test, configure the device to allow users that have used up their accounting quotas to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting quota-out online

accounting start-fail

Use accounting start-fail to configure access control for users that encounter accounting-start failures.

Use undo accounting start-fail to restore the default.

Syntax

accounting start-fail { offline | online }

undo accounting start-fail

Default

The device allows users that encounter accounting-start failures to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that encounter accounting-start failures.

online: Allows users that encounter accounting-start failures to stay online.

Examples

# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure the action to take on users after they have made the specified number of consecutive failed accounting-update attempts.

Use undo accounting update-fail to restore the default.

Syntax

accounting update-fail { [ max-times max-times ] offline | online }

undo accounting update-fail

Default

The device allows users to stay online after the accounting update for them has failed.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-times max-times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the times argument is 1 to 255, and the default value is 1. The setting for this parameter takes effect only on portal users. Its value is fixed at 1 for other types of users, regardless of the setting for this parameter.

offline: Logs off users when the number of consecutive failed accounting-update attempts for them reaches the limit.

online: Allows users to stay online after the number of consecutive failed accounting-update attempts reaches the limit.

Usage guidelines

For a portal user, the NAS takes the action specified by using this command when the maximum number of consecutive accounting-update failures is reached.

For any other types of users, the device takes the action specified by using this command immediately after an accounting-update fails.

The device determines the failure of an accounting-update attempt based on the following factors:

· Maximum number of transmission attempts for a RADIUS packet (set by using the retry command).

· Real-time accounting interval (set by using the timer realtime-accounting command).

· Maximum number of real-time accounting request attempts (set by using the retry realtime-accounting command).

The following information describes the process that the device uses to determine the failure of an accounting-update failure:

1. ‍The device sends accounting request packets at real-time accounting intervals set by using the timer realtime-accounting command.

2. If the device has not received a response to a request packet before the response timeout timer expires, the device resends the request packet.

3. When the number of consecutive transmission attempts for the request reaches the limit set by using the retry command, the device determines that the real-time accounting request fails.

4. When the number of consecutive real-time accounting request failures reaches the limit set by using the retry realtime-accounting command, the device determines that an accounting-update fails.

5. The system determines the action to take upon an accounting-update failure depending on the user type:

¡ If the user is not a portal user, the system immediately takes the action specified by using the accounting update-fail command.

¡ If the user is a portal user, the system will count the failure. If the number of consecutive accounting-update failures reaches the limit set by using the accounting update-fail command, it takes the action specified by using this same command.

Examples

# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting update-fail online

Related commands

retry

retry realtime-accounting

timer realtime-accounting

authen-radius-recover

Use authen-radius-recover to specify an action to take on users in the critical domain when a RADIUS server becomes available.

Use undo authen-radius-recover to restore the default.

Syntax

authen-radius-recover { offline | online domain new-isp-name }

undo authen-radius-recover

Default

No action is specified to take on users in the critical domain when a RADIUS server becomes available.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users in the critical domain.

online: Allows users in the critical domain to stay online and assigns the users to the recovery domain.

domain new-isp-name: Specifies a recovery domain to accommodate users in the critical domain when a RADIUS server becomes available. The new-isp-name argument represents the domain name, a case-insensitive string of 1 to 255 characters. The name must exist and cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only on 802.1X authentication and MAC authentication users.

According to the network requirements, specify an action to take on users in the critical domain when a RADIUS server becomes available.

· To perform authentication, authorization, and accounting for the users, log off the users.

· To allow the users to stay online without being authenticated, specify a recovery domain. When a RADIUS server becomes available, the users are assigned to the recovery domain from the critical domain.

When you use the online domain new-isp-name option to specify a recovery domain, the device does not immediately assign users in the critical domain to the specified recovery domain. The device assigns these users to the recovery domain when a RADIUS server becomes available.

When you specify a recovery domain for an ISP domain, follow these restrictions and guidelines:

· If the none method is configured as the backup authentication method in the original authentication domain before the users are assigned to the critical domain, the users are still assigned to the recovery domain when a RADIUS server becomes available.

· As a best practice to accurately identify whether a RADIUS authentication server is available and the recovery configuration can take effect in time, configure RADIUS server status detection.

· To delete the ISP domain that has been specified as a recovery domain, you must first use the undo authen-radius-recover command to remove the recovery domain setting from the ISP domain.

· In the current software version, you can specify only an ISP domain as its own recovery domain in the view of the ISP domain.

Examples

# In ISP domain test, log off users in the critical domain when a RADIUS server becomes available.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authen-radius-recover offline

Related commands

authen-radius-unavailable online domain

display domain

radius-server test-profile

authen-radius-unavailable online domain

Use authen-radius-unavailable online domain to specify a critical domain (also known as fail-permit domain) for an ISP domain to accommodate users that access the ISP domain when all RADIUS servers are unavailable.

Use undo authen-radius-unavailable online domain to restore the default.

Syntax

authen-radius-unavailable online domain new-isp-name

undo authen-radius-unavailable online domain

Default

No critical domain is specified for an ISP domain to accommodate users that access the ISP domain when all RADIUS servers are unavailable.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

new-isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name must exist and cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only on 802.1X authentication and MAC authentication users.

Users in an ISP domain cannot come online correctly if no responses are received for the RADIUS authentication requests sent by the device when all RADIUS authentication servers are unavailable. To resolve this issue, specify a critical domain for this ISP domain to accommodate users that access this ISP domain when all RADIUS servers are unavailable. The users can come online in the critical domain without being authenticated when all RADIUS servers are unavailable.

Users assigned to the critical domain are removed from the critical domain only when the following requirements are met:

· A RADIUS authentication server in the original authentication domain becomes available.

· A recovery domain is specified for the original authentication domain.

When you specify a critical domain for an ISP domain, follow these restrictions and guidelines:

· If an ISP domain has been specified as a critical domain, do not specify a critical domain for that ISP domain. If you do so, the critical domain specified for that ISP domain cannot take effect.

· If a critical domain has been specified for an ISP domain, do not specify that ISP domain as a critical domain. If you do so, that ISP domain cannot act as a critical domain.

· To delete the ISP domain that has been specified as a critical domain, you must first use the undo authen-radius-unavailable online domain command to remove the critical domain setting from the ISP domain.

· If non-none authentication, authorization, or accounting methods are configured in the critical domain for an ISP domain, the non-none authentication or authorization methods cannot take effect on users. However, the non-none accounting methods in the critical domain can take effect on users. As a best practice to reduce user management cost, do not configure non-none authentication, authorization, or accounting methods in the critical domain.

Examples

# Specify critical domain dm1 to accommodate users that access ISP domain test when all RADIUS servers are unavailable.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authen-radius-unavailable online domain dm1

Related commands

authen-radius-recover

display domain

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

· The specified authentication scheme does not exist.

· The device fails to send authentication request packets.

· The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

Default

The default authentication methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

· The specified authentication scheme does not exist.

· The device fails to send authentication request packets.

· The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

authentication default

ldap scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

· The specified authentication scheme does not exist.

· The device fails to send authentication request packets.

· The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication portal

Use authentication portal to specify authentication methods for portal users.

Use undo authentication portal to restore the default.

Syntax

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

Default

The default authentication methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies the default primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

· The specified authentication scheme does not exist.

· The device fails to send authentication request packets.

· The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

authentication default

ldap scheme

local-user

radius scheme

authentication super

Use authentication super to specify a method for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.

You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

hwtacacs scheme

radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role. The commands are executed successfully if the user role has permission to the commands.

Usage guidelines

Command authorization restricts login users to execute only authorized commands by employing an authorization server to verify whether each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.

The commands that can be executed are controlled by both the access permission of user roles and command authorization of the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands, but it does not control whether the user roles have obtained authorization to these commands. If a command is permitted by the access permission but denied by command authorization, this command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies the default HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

· The specified authorization scheme does not exist.

· The device fails to send authorization request packets.

· The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

command authorization (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

· Non-login users can access the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

· The specified authorization scheme does not exist.

· The device fails to send authorization request packets.

· The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authorization lan-access

Use authorization lan-access to specify authorization methods for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

Default

The default authorization methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

· The specified authorization scheme does not exist.

· The device fails to send authorization request packets.

· The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

· The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

· The specified authorization scheme does not exist.

· The device fails to send authorization request packets.

· The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization portal

Use authorization portal to specify authorization methods for portal users.

Use undo authorization portal to restore the default.

Syntax

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

Default

The default authorization methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the default authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies the default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

· The specified authorization scheme does not exist.

· The device fails to send authorization request packets.

· The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | idle-cut minutes [ flow ] [ traffic { both | inbound | outbound } ] | igmp max-access-number max-access-number | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | mld max-access-number max-access-number | url url-string | user-group user-group-name }

undo authorization-attribute { acl | idle-cut | igmp | ip-pool | ipv6-pool | mld | url | user-group }

Default

The idle cut feature is disabled.

An IPv4 user can concurrently join a maximum of four IGMP multicast groups.

An IPv6 user can concurrently join a maximum of four MLD multicast groups.

No other authorization attributes exist.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 5999. This option is applicable only to portal and LAN users. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.

idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 600. This option is applicable only to portal users.

flow: Specifies the minimum traffic that must be generated in the idle timeout period in bytes. The value range is 1 to 10240000, and the default value is 10240.

traffic: Specifies the traffic direction for the idle cut feature. If you do not specify this keyword, the idle cut feature applies to both traffic directions.

both: Specifies both traffic directions.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to portal users.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal users.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to portal users.

mld max-access-number max-access-number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to portal users.

url url-string: Specifies a redirect URL for users. The url-string argument is a case-sensitive string of 1 to 255 characters. The URL must start with http:// or https://. You can configure the redirect URL attribute to push advertisements or notifications to users after the users pass authentication or push bill overdue notifications to users. This option is applicable only to LAN users.

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If the server or NAS does not authorize a type of attribute to an authenticated user, the device authorizes the attribute in the ISP domain to the user.

You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.

When you specify an authorization ACL, the following restrictions apply:

· The authorization ACL is invalid if it does not exist or does not contain rules. If strict checking on authorization ACLs is enabled for portal users in this situation, portal users will be forced offline.

· Support for the VPN instance parameter in the ACL rules for LAN users depends on the device model.

· Support for the VPN instance parameter in the ACL rules for portal users depends on the device model.

· For portal users to come online after passing authentication, make sure ACLs assigned to portal users do not have rules specified with a source IP or MAC address.

Examples

# Specify user group abc as the authorization user group for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute user-group abc

Related commands

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

Domain: system

State: Active

Default authentication scheme: Local

Default authorization scheme: Local

Default accounting scheme: Local

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out policy: Offline

Service type: HSI

Session time: Exclude idle time

Dual-stack accounting method: Merge

Authorization attributes:

Idle cut: Disabled

IGMP access limit: 4

MLD access limit: 4

Authen-radius-unavailable: Not configured

Authen-radius-recover: Not configured

Domain: dm

State: Active

Super authentication scheme: RADIUS=rad

Command authorization scheme: HWTACACS=hw

LAN access authentication scheme: RADIUS=r4

Portal authentication scheme: LDAP=ldp

Default authentication scheme: RADIUS=rad, Local, None

Default authorization scheme: Local

Default accounting scheme: None

Accounting start failure action: Online

Accounting update failure action: Online

Accounting quota out policy: Offline

Service type: HSI

Session time: Include idle time

Dual-stack accounting method: Merge

Authorization attributes:

Idle cut : Enabled

Idle timeout: 2 minutes

Flow: 10240 bytes

Traffic direction: Both

IP pool: appy

ACL number: 3000

User group: ugg

IPv6 pool: ipv6pool

URL: http://test

IGMP access limit: 4

MLD access limit: 4

Authen-radius-unavailable: Online domain dm2

Authen-radius-recover: Offline

Default domain name: system

Table 1 Command output

Field	Description
Domain	ISP domain name.
State	Status of the ISP domain.
Default authentication scheme	Default authentication methods.
Default authorization scheme	Default authorization methods.
Default accounting scheme	Default accounting methods.
Login authentication scheme	Authentication methods for login users.
Login authorization scheme	Authorization methods for login users.
Login accounting scheme	Accounting methods for login users.
Super authentication scheme	Authentication methods for obtaining another user role without reconnecting to the device.
Command authorization scheme	Command line authorization methods.
Command accounting scheme	Command line accounting method.
LAN access authentication scheme	Authentication methods for LAN users.
LAN access authorization scheme	Authorization methods for LAN users.
LAN access accounting scheme	Accounting methods for LAN users.
Portal authentication scheme	Authentication methods for portal users.
Portal authorization scheme	Authorization methods for portal users.
Portal accounting scheme	Accounting methods for portal users.
RADIUS	RADIUS scheme.
HWTACACS	HWTACACS scheme.
LDAP	LDAP scheme.
Local	Local scheme.
None	No authentication, no authorization, or no accounting.
Accounting start failure action	Access control for users that encounter accounting-start failures: · Online—Allows the users to stay online. · Offline—Logs off the users.
Accounting update failure max-times	Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.
Accounting update failure action	Access control for users that have failed all their accounting-update attempts: · Online—Allows the users to stay online. · Offline—Logs off the users.
Accounting quota out policy	Access control for users that have used up their accounting quotas: · Online—Allows the users to stay online. · Offline—Logs off the users.
Service type	Service type of the ISP domain, including HSI, STB, and VoIP.
Session time	Online duration sent to the server for users that went offline due to connection failure or malfunction: · Include idle time—The online duration includes the idle timeout period. · Exclude idle time—The online duration does not include the idle timeout period.
Dual-stack accounting method	This field is not supported in the current software version. Accounting method for dual-stack users: · Merge—Merges IPv4 data with IPv6 data for accounting. · Separate—Separates IPv4 data from IPv6 data for accounting.
Authorization attributes	Authorization attributes for users in the ISP domain.
Idle cut	Idle cut feature status: · Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period. · Disabled—The feature is disabled. It is the default idle cut state.
Idle timeout	Idle timeout period, in minutes.
Flow	Minimum traffic that a login user must generate in an idle timeout period, in bytes.
Traffic direction	Traffic direction for the idle cut feature: · Both. · Inbound. · Outbound.
IP pool	Name of the authorization IPv4 address pool.
ACL number	Authorization ACL for users.
User group	Authorization user group for users.
IPv6 pool	Name of the authorization IPv6 address pool for users.
URL	Authorization redirect URL for users.
IGMP access limit	Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.
MLD access limit	Maximum number of MLD groups that an IPv6 user is authorized to join concurrently.
Authen-radius-unavailable	Critical domain to accommodate users when all RADIUS authentication servers are unavailable.
Authen-radius-recover	Action to take on users in the critical domain when a RADIUS authentication server becomes available. · Offline—Logs off the users. · Online domain isp-name—Allows the users to stay online in the recovery domain.

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

display domain

domain default enable

domain if-unknown

state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. Users without any domain name included in the usernames are considered in the default domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default ISP domain.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

display domain

domain

domain if-unknown

Use domain if-unknown to specify an ISP domain to accommodate users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

The device chooses an authentication domain for each user in the following order:

6. The authentication domain specified for the access module.

7. The ISP domain in the username.

8. The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

NOTE:

Support for the authentication domain configuration depends on the access module.

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

local-server log change-password-prompt

Use local-server log change-password-prompt to enable password change prompt logging.

Use undo local-server log change-password-prompt to disable password change prompt logging.

Syntax

local-server log change-password-prompt

undo local-server log change-password-prompt

Default

Password change prompt logging is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature to enhance the protection of passwords for Telnet, SSH, HTTP, HTTPS, NETCONF over SSH, and NETCONF over SOAP users and improve the system security.

This feature enables the device to generate logs to prompt users to change their weak passwords at an interval of 24 hours and at the users' login.

A password is a weak password if it does not meet the following requirements:

· Password composition restriction configured by using the password-control composition command.

· Minimum password length restriction set by using the password-control length command.

· Password complexity checking policy configured by using the password-control complexity command.

For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:

· The current password of the user is the default password or has expired.

· The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.

The device will no longer generate password change prompt logs for a user when one of the following conditions exists:

· The password change prompt logging feature is disabled.

· The user has changed the password and the new password meets the password control requirements.

· The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.

· The password composition policy or the minimum password length has changed.

You can use the display password-control command to display password control configuration. For more information about password control commands, see "Password control commands."

Examples

# Enable password change prompt logging.

<Sysname> system-view

[Sysname] local-server log change-password-prompt

Related commands

display password-control

password-control composition

password-control length

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN bindings exist.

Views

NAS-ID profile view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

aaa nas-id profile

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device does not include the idle timeout period in the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Whether to configure the device to include the idle timeout period in the user online duration sent to the server, depending on the accounting policy in your network. The idle timeout period is assigned to users by the authorization server after the users pass authentication. For portal users, the device includes the idle timeout period set for the online portal user detection feature in the user online duration. For more information about online detection for portal users, see portal authentication configuration in Security Configuration Guide.

If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.

· If the session-time include-idle-time command is used, the user's online duration sent to the server includes the idle timeout period. The online duration that is generated on the server is longer than the actual online duration of the user.

· If the undo session-time include-idle-time command is used, the user's online duration sent to the server excludes the idle timeout period. The online duration that is generated on the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

By blocking an ISP domain, you disable offline users of the domain from requesting network services. However, the online users are not affected.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

user-address-type

Use user-address-type to specify the user address type in the ISP domain.

Use undo user-address-type to restore the default.

Syntax

user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }

undo user-address-type

Default

No user address type is specified for the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ds-lite: Specifies the DS-Lite address type.

ipv6: Specifies the IPv6 address type.

nat64: Specifies the NAT64 address type.

private-ds: Specifies the private-DS address type.

private-ipv4: Specifies the private IPv4 address type.

public-ds: Specifies the public-DS address type.

public-ipv4: Specifies the public IPv4 address type.

Usage guidelines

Any change to the user address type does not affect online users.

Examples

# Specify the private IPv4 address type for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] user-address-type private-ipv4

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.

For this command to take effect on network access users, you also need to execute the accounting start-fail offline command in the ISP domain view.

Examples

# Set the maximum number of concurrent logins to 5 for users using the local user name abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

accounting start-fail offline

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool ipv6-pool-name | session-timeout minutes | url url-string | user-role role-name | vlan vlan-id | work-directory directory-name } *

undo authorization-attribute { acl | idle-cut | ip-pool | ipv6-pool | session-timeout | url | user-role role-name | vlan | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.

idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout period.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

session-timeout minutes: Specifies the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.

url url-string: Specifies a redirect URL. The url-string argument is a case-sensitive string of 1 to 255 characters. The URL must start with http:// or https://. You can configure the redirect URL attribute to push advertisements or notifications to users after the users pass authentication or push bill overdue notifications to users. This option is applicable only to LAN users.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

For portal users, only the following authorization attributes take effect: acl, ip-pool, ipv6-pool, and session-timeout.

For LAN users, only the following authorization attributes take effect: acl, session-timeout, url, and vlan.

For SSH, Telnet, and terminal users, only the authorization attributes idle-cut and user-role take effect.

For HTTP and HTTPS users, only the authorization attribute user-role takes effect.

For FTP users, only the authorization attributes user-role and work-directory take effect.

For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

When you specify an authorization ACL, the following restrictions apply:

· Support for the VPN instance parameter in the ACL rules for LAN users depends on the device model.

· Support for the VPN instance parameter in the ACL rules for portal users depends on the device model.

· For portal users to come online after passing authentication, make sure ACLs assigned to portal users do not have rules specified with a source IP or MAC address.

To make sure FTP, SFTP, and SCP users can access the directory after an IRF master/subordinate switchover, do not specify slot information for the working directory.

To make sure the user have only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

· When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

· When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { ip | location | mac | vlan } *

Default

No binding attributes are configured for a local user.

Views

Local user view

Predefined user roles

network-admin

Parameters

ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to device management, LAN, and portal users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN and portal users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to LAN and portal users.

Usage guidelines

To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.

Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

The binding interface type must meet the requirements of the local user. Configure the binding interface based on the service type of the user.

· If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface.

· If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface or Layer 2 aggregate interface.

· If the user is a portal user, specify the portal-enabled interface. Specify the user-attached Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.

Examples

# Bind MAC address 11-11-11 with network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute mac 11-11-11

Related commands

display local-user

company

Use company to specify the company of a local guest.

Use undo company to restore the default.

Syntax

company company-name

undo company

Default

No company is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify company yyy for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] company yyy

Related commands

display local-user

description

Use description to configure a description for a network access user.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a network access user.

Views

Network access user view

Predefined user roles

network-admin

Parameters

text: Configures a description, case-sensitive string of 1 to 255 characters.

Examples

# Configure a description for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] description Manager of MSC company

Related commands

display local-user

display local-guest waiting-approval

Use display local-guest waiting-approval to display pending registration requests for local guests.

Syntax

display local-guest waiting-approval [ user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name must meet the following requirements:

· Cannot contain a domain name.

· Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

· Cannot be a, al, or all.

If you do not specify a guest, this command displays pending registration requests for all local guests.

Usage guidelines

On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approves the requests. The device then creates local guest accounts based on the approved requests.

Examples

# Display all pending registration requests for local guests.

<Sysname> display local-guest waiting-approval

Total 1 guest entries matched.

Guest user Smith:

Full name : Smith Li

Company : YYY

Email : [email protected]

Phone : 139189301033

Description: The employee of YYY company

Table 2 Command output

Field	Description
Total 1 guest entries matched.	Number of local guests that have pending registration requests.
Full name	Full name of the local guest.
Company	Company name of the local guest.
Email	Email address of the local guest.
Phone	Phone number of the local guest.
Description	Description of the local guest.

Related commands

reset local-guest waiting-approval

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

manage: Device management user.

network: Network access user.

guest: Guest user account.

idle-cut { disable | enable }: Specifies local users by the status of the idle cut feature.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

portal: Portal users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

· Cannot contain the domain name.

· Cannot be a, al, or all.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 2 local users matched.

Device management user root:

State: Active

Service type: SSH/Telnet/Terminal

Access limit: Enabled Max access number: 3

Current access number: 1

User group: system

Bind attributes:

Authorization attributes:

Work directory: flash:

User role list: network-admin

Password control configurations:

Password aging: 3 days

Password history was last reset: 0 days ago

Network access user jj:

State: Active

Service type: LAN-access

User group: system

Bind attributes:

IP address: 2.2.2.2

Location bound: GigabitEthernet1/0/1

MAC address: 0001-0001-0001

VLAN ID: 2

Authorization attributes:

Idle timeout: 33 minutes

Work directory: flash:

ACL number: 2000

User role list: network-operator, level-0, level-3

Description: A network access user from company cc

Validity period:

Start date and time: 2016/01/01-00:01:01

Expiration date and time: 2017/01/01-01:01:01

Password control configurations:

Password length: 4 characters

Network access guest user1:

State: Active

Service type: LAN-access/Portal

User group: guest1

Full name: Jack

Company: cc

Email: [email protected]

Phone: 131129237

Sponsor full name: Sam

Sponsor department: security

Sponsor email: [email protected]

Description: A guest from company cc

Validity period:

Start date and time: 2016/04/01-08:00:00

Expiration date and time: 2017/04/03-18:00:00

Table 3 Command output

Field	Description
State	Status of the local user: active or blocked.
Service type	Service types that the local user can use.
Access limit	Whether the concurrent login limit is enabled.
Max access number	Maximum number of concurrent logins using the local user name.
Current access number	Current number of concurrent logins using the local user name.
User group	Group to which the local user belongs.
Bind attributes	Binding attributes of the local user.
IP address	IP address of the local user.
Location bound	Binding port of the local user.
MAC address	MAC address of the local user.
VLAN ID	Binding VLAN of the local user.
Authorization attributes	Authorization attributes of the local user.
Idle timeout	Idle timeout period of the user, in minutes.
Session-timeout	Session timeout timer for the user, in minutes.
Work directory	Directory that the FTP, SFTP, or SCP user can access.
ACL number	Authorization ACL of the local user.
VLAN ID	Authorized VLAN of the local user.
User role list	Authorized roles of the local user.
IP pool	IPv4 address pool authorized to the local user.
IPv6 pool	IPv6 address pool authorized to the local user.
URL	Authorization redirect URL for the local user.
Password control configurations	Password control attributes that are configured for the local user.
Password aging	Password expiration time.
Password length	Minimum number of characters that a password must contain.
Password composition	Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password.
Password complexity	Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user that failed to log in after using up all login attempts.
Password history was last reset	The most recent time that the history password records were cleared.
Full name	Name of the local guest.
Company	Company name of the local guest.
Email	Email address of the local guest.
Phone	Phone number of the local guest.
Sponsor full name	Name of the guest sponsor.
Sponsor department	Department of the guest sponsor.
Sponsor email	Email address of the guest sponsor.
Description	Description of the network access user.
Validity period	Validity period of the network access user.
Start date and time	Date and time from which the network access user begins to take effect.
Expiration date and time	Date and time at which the network access user expires.

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

User group: system

Authorization attributes:

Work directory: flash:

BYOD authorization attributes: Not configured

User group: jj

Authorization attributes:

Idle timeout: 2 minutes

Work directory: flash:/

ACL number: 2000

VLAN ID: 2

BYOD authorization attributes: Not configured

Password control configurations:

Password aging: 2 days

Table 4 Command output

Field	Description
User group	User group name.
Authorization attributes	Authorization attributes of the user group.
Idle timeout	Idle timeout period, in minutes.
Session-timeout	Session timeout timer, in minutes.
Work directory	Directory that FTP, SFTP, or SCP users in the group can access.
ACL number	Authorization ACL.
VLAN ID	Authorized VLAN.
IP pool	IPv4 address pool authorized to the user group.
IPv6 pool	IPv6 address pool authorized to the user group.
URL	Authorization redirect URL for the user group.
BYOD authorization attributes	This field is not supported in the current software version. BYOD authorization attributes of the user group.
Password control configurations	Password control attributes that are configured for the user group.
Password aging	Password expiration time.
Password length	Minimum number of characters that a password must contain.
Password composition	Password composition policy: · Minimum number of character types that a password must contain. · Minimum number of characters from each type in a password.
Password complexity	Password complexity checking policy: · Reject a password that contains the username or the reverse of the username. · Reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts	Maximum number of consecutive failed login attempts.
Action for exceeding login attempts	Action to take on the user that failed to log in after using up all login attempts.

email

Use email to configure an email address for a local guest.

Use undo email to restore the default.

Syntax

email email-string

undo email

Default

No email address is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. For example, [email protected]. The address must comply with RFC 822.

Usage guidelines

The local guest uses the email address to receive notifications from the device.

Examples

# Configure the email address as [email protected] for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] email [email protected]

Related commands

display local-user

full-name

Use full-name to configure the name of a local guest.

Use undo full-name to restore the default.

Syntax

full-name name-string

undo full-name

Default

No name is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the name as abc Snow for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] full-name abc Snow

Related commands

display local-user

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-guest email format

Use local-guest email format to configure the subject and body for the email notifications of local guest information.

Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.

Syntax

local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }

undo local-guest email format to { guest | manager | sponsor } { body | subject }

Default

No subject or body is configured for the email notifications of local guest information.

Views

System view

Predefined user roles

network-admin

Parameters

to: Specifies the email recipient.

guest: Specifies the local guest.

manager: Specifies the guest manager.

sponsor: Specifies the guest sponsor.

body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.

subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.

Usage guidelines

Email notifications need to be sent to notify the local guests, guest sponsors, or guest managers of the guest account information or guest registration requests. Use this command to configure the subject and body for the email notifications to be sent by the device.

You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.

You must configure both the subject and body for each recipient.

Examples

# Configure the subject and body for the email notifications to send to the local guest.

<Sysname> system-view

[Sysname] local-guest email format to guest subject Guest account information

[Sysname] local-guest email format to guest body A guest account has been created for you. The username, password, and validity period of the account are given below.

Related commands

local-guest email sender

local-guest email smtp-server

local-guest manager-email

local-guest send-email

local-guest email sender

Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.

Use undo local-guest email sender to restore the default.

Syntax

local-guest email sender email-address

undo local-guest email sender

Default

No email sender address is configured for the email notifications of local guests sent by the device.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters.

Usage guidelines

If you do not specify the email sender address, the device cannot send email notifications.

The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the email sender address as [email protected] for email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email sender [email protected]

Related commands

local-guest email format

local-guest email smtp-server

local-guest manager-email

local-guest send-email

local-guest email smtp-server

Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests.

Use undo local-guest email smtp-server to restore the default.

Syntax

local-guest email smtp-server url-string

undo local-guest email smtp-server

Default

No SMTP server is specified to send email notifications of local guests.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the path of the SMTP server, a case-sensitive string of 1 to 255 characters. The path must comply with the standard SMTP protocol and start with smtp://.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the SMTP server at smtp://www.test.com/smtp to send local guest email notifications.

<Sysname> system-view

[Sysname] local-guest email smtp-server smtp://www.test.com/smtp

Related commands

local-guest email format

local-guest email sender

local-guest manager-email

local-guest send-email

local-guest generate

Use local-guest generate to create local guests in batch.

Syntax

local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time

Views

System view

Predefined user roles

network-admin

Parameters

username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device randomly generates passwords for the local guests.

suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.

group group-name: Specifies a user group by the name. The group-name argument is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group system.

count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.

validity-datetime: Specifies the validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

Account names of batch created local guests start with the same string specified by the name prefix, and end with a different number as the suffix. The system increases the start suffix number by 1 for each new local guest created in the batch.

The device generates plaintext passwords by using the password prefix and suffix number in the same way it batch creates the local guest names.

Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.

If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.

Examples

# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The user accounts are effective from 2014/10/01 00:00:00 to 2015/10/02 12:00:00.

<Sysname> system-view

[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00

Related commands

local-user

display local-user

local-guest manager-email

Use local-guest manager-email to configure the email address of the guest manager.

Use undo local-guest manager-email to restore the default.

Syntax

local-guest manager-email email-address

undo local-guest manager-email

Default

No email address is configured for the guest manager.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email address, a case-sensitive string of 1 to 255 characters. For example, [email protected]. The address must comply with RFC 822.

Usage guidelines

Use this command to specify the email address to which the device sends the local guest registration requests for approval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the email address of the guest manager as [email protected].

<Sysname> system-view

[Sysname] local-guest manager-email [email protected]

Related commands

local-guest email format

local-guest email sender

local-guest email smtp-server

local-guest send-email

Use local-guest send-email to send emails to a local guest or guest sponsor.

Syntax

local-guest send-email user-name user-name to { guest | sponsor }

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

· Cannot contain a domain name.

· Cannot be a, al, or all.

to: Specifies the email recipient.

guest: Specifies the local guest.

sponsor: Specifies the guest sponsor.

Usage guidelines

Device managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.

Examples

# Send an email to notify local guest abc of the guest password and validity period information.

<Sysname> local-guest send-email user-name abc to guest

Related commands

sponsor-email

local-guest timer

Use local-guest timer to set the waiting-approval timeout timer for local guests.

Syntax

local-guest timer waiting-approval time-value

undo local-guest timer waiting-approval

Default

The setting is 24 hours.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the waiting-approval timeout timer in the range of 1 to 720, in hours.

Usage guidelines

The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved within the timer, the device deletes the registration request.

Examples

# Set the waiting-approval timeout timer to 12 hours.

<Sysname> system-view

[Sysname] local-guest timer waiting-approval 12

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class { manage | network [ guest ] } ]

undo local-user { user-name class { manage | network [ guest ] } | all [ service-type { ftp | http | https | lan-access | portal | ssh | telnet | terminal } | class { manage | network [ guest ] } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters. The name must meet the following requirements:

· Cannot contain a domain name.

· Cannot be a, al, all, au, aut, auto, auto-, auto-d, auto-de, auto-del, auto-dele, auto-delet, or auto-delete.

class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

network: Network access user that accesses network resources through the device. Network access users can use LAN access and portal services.

guest: Guest that can access network resources through the device during a specific validity period. Guests can use LAN access and portal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

portal: Portal users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Usage guidelines

The device supports a maximum of 1024 device management users and a maximum of 4294967295 network access users.

If the local username contains Chinese characters, make sure the endpoint software used at device login uses the same character set encoding format as the encoding format (GB18030) used by the device to save local user configuration. If they use different encoding formats, the username cannot be correctly decoded on the device, which might cause local authentication failure.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2 and enter local user view.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

# Add a local guest named user3 and enter local guest view.

Sysname> system-view

[Sysname] local-user user3 class network guest

[Sysname-luser-network(guest)-user3]

Related commands

display local-user

service-type (local user view)

local-user auto-delete enable

Use local-user auto-delete enable to enable the local user auto-delete feature.

Use undo local-user auto-delete enable to restore the default.

Syntax

local-user auto-delete enable

undo local-user auto-delete enable

Default

The local user auto-delete feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to examine the validity of local users at fixed time periods of 10 minutes and automatically delete expired local users.

Examples

# Enable the local user auto-delete feature.

<Sysname> system-view

[Sysname] local-user auto-delete enable

Related commands

validity-datetime

local-user-export

Use local-user-export to export local guest account information to a .csv file in the specified path.

Syntax

local-user-export class network guest url url-string

Views

System view

Predefined user roles

network-admin

Parameters

network: Specifies the network access user.

guest: Specifies the local guest.

url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can import the user account information back to the device or to other devices that support the local-user-import command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import."

The device supports TFTP and FTP file transfer modes. Table 5 describes the valid URL formats of the .csv file.

Table 5 URL formats

Protocol	URL format	Description
TFTP	tftp://server/path/filename	Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
FTP	· With FTP user name and password: ftp://username:password@server/path/filename · Without FTP user name and password: ftp://server/path/filename	Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv.

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

· With FTP user name and password:
ftp://username:password@server/path/filename

· Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Export local guest account information to the guest.csv file in the ftp://1.1.1.1/user/ path.

<Sysname> system-view

[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv

Related commands

local-user-import

Use local-user-import to import local guest account information from a .csv file in the specified path to the device to create local guests based on the imported information.

Syntax

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

Parameters

network: Specifies the network access user.

guest: Specifies the local guest.

url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.

validity-datetime: Specifies the guest validity period of the local guests.

to: Specifies the end date and time of the validity period.

auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device. If you do not specify this keyword, the device adds all imported local guests to the system-defined user group named system.

override: Enables the device to override the existing account with the same name as an imported guest account. If you do not specify this keyword, the device retains the existing account and does not import the local guest with the same name.

start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.

Usage guidelines

The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:

· Username—User name of the guest account. The user name cannot be empty.

· Password—Password of the guest account in plaintext form. If the password is empty, the device generates a random password in encrypted form for the guest.

· User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group named system.

· Guest full name—Name of the guest.

· Guest company—Company of the guest.

· Guest email—Email address of the guest.

· Guest phone—Phone number of the guest.

· Guest description—Description of the guest.

· Sponsor full name—Name of the guest sponsor.

· Sponsor department—Department of the guest sponsor.

· Sponsor email—Email address of the guest sponsor.

The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation results in account import failure and interruption. The system displays the number of the line where the account import is interrupted.

Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,

Jack,abc,visit,Jack Chen,ETP,[email protected],1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,[email protected]

The device supports TFTP and FTP file transfer modes. Table 6 describes the valid URL formats of the .csv file.

Table 6 URL formats

Protocol	URL format	Description
TFTP	tftp://server/path/filename	Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.
FTP	· With FTP user name and password: ftp://username:password@server/path/filename · Without FTP user name and password: ftp://server/path/filename	Specify an FTP server by IP address or hostname. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv.

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

· With FTP user name and password:
ftp://username:password@server/path/filename

· Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:[email protected]/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Import guest account information from the ftp://1.1.1.1/user/guest.csv file and specify a validity period for the imported guests.

<Sysname> system-view

[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2014/10/01 00:00:00 to 2014/10/02 12:00:00

Related commands

display local-user

local-user-export

password (device management user view)

Use password to configure a password for a device management user.

Use undo password to restore the default.

Syntax

password [ { hash | simple } string ]

undo password

Default

A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Device management user view

Predefined user roles

network-admin

Parameters

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in hashed form.

string: Specifies the password string. This argument is case sensitive. The hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password.

A device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.

When global password control is enabled, the device handles passwords of device management users as follows:

· All passwords are saved in the history records in hashed form.

· If a user changes its own password in plaintext form, the system requests the user to enter the current password in plaintext form. The new password must be different from all passwords of the user in the history records and the current password. In addition, the new password must have a minimum of four characters different from the current password.

· If a user changes the password for another user in plaintext form, the new password must be different from the target user's all passwords in the history records and current password.

· If a user deletes its own password, the system requests the user to enter the current password in plaintext form.

· Except the above listed situations, the system does not request a user to enter the current plaintext password or compare the new password with passwords in the history records and the current password.

Examples

# Set the password to 123456TESTplat&! in plaintext form for device management user user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Configure the password in interactive mode for device management user test.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

confirm :

Related commands

display local-user

password (network access user view)

Use password to configure a password for a network access user.

Use undo password to restore the default.

Syntax

password { cipher | simple } string

undo password

Default

A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Network access user view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

As a best practice to enhance security, configure a password for each network access user.

Examples

# Set the password to 123456TESTuser&! in plaintext form for network access user user1.

<Sysname> system-view

[Sysname] local-user user1 class network

[Sysname-luser-network-user1] password simple 123456TESTuser&!

Related commands

display local-user

phone

Use phone to specify the phone number of a local guest.

Use undo phone to restore the default.

Syntax

phone phone-number

undo phone

Default

No phone number is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

phone-number: Specifies the phone number, a string of 1 to 32 characters.

Examples

# Specify the phone number as 13813723920 for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] phone 13813723920

Related commands

display local-user

reset local-guest waiting-approval

Use reset local-guest waiting-approval to clear pending registration requests for local guests.

Syntax

reset local-guest waiting-approval [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The user name must meet the following requirements:

· Cannot contain a domain name.

· Cannot be a, al, or all.

If you do not specify a guest, this command clears information about all registration requests for local guests.

Examples

# Clear information about all registration requests for local guests.

<Sysname> reset local-guest waiting-approval

Related commands

display local-guest waiting-approval

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal }

undo service-type { ftp | lan-access | { http | https | ssh | telnet | terminal } * | portal }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

portal: Authorizes the user to use the portal service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

sponsor-department

Use sponsor-department to specify the department of the guest sponsor for a local guest.

Use undo sponsor-department to restore the default.

Syntax

sponsor-department department-string

undo sponsor-department

Default

No department is specified for the guest sponsor of a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.

Examples

# Specify the department as test for the guest sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-department test

Related commands

display local-user

sponsor-email

Use sponsor-email to specify the email address of the guest sponsor for a local guest.

Use undo sponsor-email to restore the default.

Syntax

sponsor-email email-string

undo sponsor-email

Default

No email address is specified for the guest sponsor.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.

Examples

# Specify the email address as [email protected] for the guest sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-email [email protected]

Related commands

display local-user

sponsor-full-name

Use sponsor-full-name to specify the guest sponsor name for a local guest.

Use undo sponsor-full-name to restore the default.

Syntax

sponsor-full-name name-string

undo sponsor-full-name

Default

No guest sponsor name is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the guest sponsor name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify the guest sponsor name as Sam Li for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group named system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

validity-datetime

Use validity-datetime to specify the validity period for a network access user.

Use undo validity-datetime to restore the default.

Syntax

In network access user view (except in local guest view):

validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }

undo validity-datetime

In local guest view:

validity-datetime from start-date start-time to expiration-date expiration-time

undo validity-datetime

Default

The validity period for a local user does not expire.

Views

Network access user view

Local guest view

Predefined user roles

network-admin

Parameters

from: Specifies the validity start date and time for the user. If you do not specify this option, the command defines only the expiration date and time of the user.

start-date: Specifies the date on which the user becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time on the day when the user becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the user. If you do not specify this option, the command defines only the validity start date and time of the user.

Usage guidelines

Expired network access user accounts cannot be used for authentication.

When both from and to options are specified, the expiration date and time must be later than the validity start date and time.

When only the from option is specified, the user is valid since the specified date and time. When only the to option is specified, the user is valid until the specified date and time.

When the RADIUS server feature is enabled on the device, the RADIUS user data for authentication is automatically generated from the network access user configuration. The device ignores the validity start date and time of the RADIUS users.

Examples

# Specify the validity period for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] validity-datetime from 2015/10/01 00:00:00 to 2016/10/02 12:00:00

Related commands

display local-user

RADIUS commands

aaa device-id

Use aaa device-id to configure the device ID.

Use undo aaa device-id to restore the default.

Syntax

aaa device-id device-id

undo aaa device-id

Default

The device ID is 0.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID in the range of 1 to 255.

Usage guidelines

RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID.

If you modify the device ID, the new device ID does not take effect on users that have been online during the change.

Examples

# Configure the device ID as 1.

<Sysname> system-view

[Sysname] aaa device-id 1

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to disable the accounting-on feature.

Syntax

accounting-on enable [ interval interval | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

accounting-on extended

Use accounting-on extended to enable the extended accounting-on feature.

Use undo accounting-on extended to disable the extended accounting-on feature.

Syntax

accounting-on extended

undo accounting-on extended

Default

The extended accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Usage guidelines

The extended accounting-on feature enhances the accounting-on feature by applying to a distributed architecture. For the extended accounting-on feature to take effect, the RADIUS server must run on IMC and the accounting-on feature must be enabled.

The extended accounting-on feature is applicable to LAN users. The user data is saved to the member devices through which the users access the IRF fabric.

When this feature is enabled, the IRF fabric automatically sends an accounting-on packet to the RADIUS server after a member device reboots (IRF fabric not reboot). The packet contains the member device identifier. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the IRF fabric through the member device. If no users have come online through the member device, the IRF fabric does not send an accounting-on packet after the member device reboots.

The IRF fabric uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.

Execute the save command to ensure that the accounting-on extended command takes effect at the next member device reboot. For information about the save command, see Fundamentals Command Reference.

Examples

# Enable the extended accounting-on feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on extended

Related commands

accounting-on enable

display radius scheme

attribute 5 format

Use attribute 5 format to configure the format of the RADIUS NAS-Port attribute.

Use undo attribute 5 format to restore the default.

Syntax

attribute 5 format port

undo attribute 5 format

Default

The NAS-Port attribute contains the following portions:

· 8-bit IRF member ID.

· 4-bit slot number.

· 8-bit interface index.

· 12-bit VLAN ID.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

port: Specifies the port format.

Usage guidelines

RADIUS servers of different types might have different requirements for the format of the NAS-Port attribute. To ensure correct RADIUS packet exchange, make sure the format of the NAS-Port attribute meets the requirements of the RADIUS servers.

If you specify the port format, the NAS-Port attribute contains the last segment for the interface number of the interface through which a user accesses the device. For example, if a user accesses the device through GigabitEthernet 1/0/2, 2 is used as the value for the RADIUS NAS-Port attribute.

This command does not distinguish user access types and takes effect on RADIUS packets for all users.

Examples

# Configure the format of the RADIUS NAS-Port attribute as the port format in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 5 format port

Related commands

display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to restore the default.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 30 mac-format

Use attribute 30 mac-format to configure the format of the MAC address in the RADIUS Called-Station-Id attribute.

Use undo attribute 30 mac-format to restore the default.

Syntax

attribute 30 mac-format section { one | { six | three } separator separator-character } { lowercase | uppercase }

undo attribute 30 mac-format

Default

The MAC address in the RADIUS Called-Station-Id attribute is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

one: Specifies the one-section format HHHHHHHHHHHH.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the format of the MAC address in the RADIUS Called-Station-Id attribute to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify hhhhhhhhhhhh as the format of the MAC address in the RADIUS Called-Station-Id attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 30 mac-format section one lowercase

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the format of the MAC address in the RADIUS Calling-Station-Id attribute.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { one | { six | three } separator separator-character } { lowercase | uppercase }

undo attribute 31 mac-format

Default

The MAC address in the RADIUS Calling-Station-Id attribute (attribute 31) is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

one: Specifies the one-section format HHHHHHHHHHHH.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the format of the MAC address in the RADIUS Calling-Station-Id attribute to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify hh:hh:hh:hh:hh:hh as the format of the MAC address in the RADIUS Calling-Station-Id attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute 87 format

Use attribute 87 format to configure the format of the RADIUS NAS-Port-Id attribute (attribute 87).

Use undo attribute 87 format to restore the default.

Syntax

attribute 87 format interface-name

undo attribute 87 format

Default

The default format varies by user access type.

· For portal users, the NAS-Port-Id attribute contains the following portions:

¡ 2-bit member device ID.

¡ 2-bit 0s.

¡ 3-bit interface index.

¡ 9-bit VLAN ID.

· For 802.1X and MAC authentication users, the NAS-Port-Id attribute is in the format of slot=xx;subslot=xx;port=xx;vlanid=xx.

¡ slot—IRF member ID.

¡ subslot—Slot number.

¡ port—Interface index.

¡ vlanid—VLAN ID.

· For login users, the NAS-Port-Id attribute is not included in RADIUS packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interface-name: Specifies the interface name format.

Usage guidelines

RADIUS servers of different types might have different requirements for the format of the NAS-Port-Id attribute. To ensure correct RADIUS packet exchange, configure the format of the NAS-Port-Id attribute to meet the requirements of the RADIUS servers.

If you specify the interface name format, the NAS-Port-Id attribute contains the name of the interface through which a user accesses the device. For example, if a user accesses the device through GigabitEthernet 1/0/1, GigabitEthernet 1/0/1 is used as the value for the RADIUS NAS-Port-Id attribute.

This command does not distinguish user access types and takes effect on RADIUS packets for all users.

Examples

# Configure the format of the RADIUS NAS-Port-Id attribute as the interface name format in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 87 format interface-name

Related commands

display radius scheme

attribute convert (RADIUS DAS view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

coa-ack: Specifies the CoA acknowledgment packets.

coa-request: Specifies the CoA request packets.

received: Specifies the received DAE packets.

sent: Specifies the sent DAE packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

· The source and destination RADIUS attributes in a rule must use the same data type.

· The source and destination RADIUS attributes in a rule cannot use the same name.

· A source RADIUS attribute can be converted only by one criterion, packet type or direction.

· One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute in the received DAE packets with the Connect-Info attribute.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] attribute convert Hw-Server-String to Connect-Info received

Related commands

attribute translate

attribute convert (RADIUS scheme view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.