17-BRAS Services Command Reference

01-AAA commands

Contents

AAA commands
  General AAA commands
    aaa abnormal-offline-record enable
    aaa authorize user-name netstream-sampler
    aaa de-authorize user-name netstream-sampler
    aaa default-domain
    aaa deny-domain
    aaa login-failed alarm-threshold
    aaa nas-id
    aaa nas-id profile
    aaa nas-id-profile
    aaa nas-ip
    aaa normal-offline-record enable
    aaa offline-record enable
    aaa online-fail-record enable
    aaa permit-domain
    aaa roam-domain
    aaa session-limit
    aaa shared-account-user no-family
    aaa ssid
    access-limit
    access-user auto-save enable
    accounting command
    accounting default
    accounting dual-stack
    accounting ipoe
    accounting lan-access
    accounting login
    accounting ppp
    accounting pppoea
    accounting quota-out
    accounting start-delay
    accounting start-fail
    accounting update-fail
    authen-fail
    authen-radius-recover
    authen-radius-unavailable online domain
    authentication default
    authentication ipoe
    authentication lan-access
    authentication login
    authentication ppp
    authentication super
    authentication-method none authorization-attribute
    authorization command
    authorization default
    authorization ipoe
    authorization lan-access
    authorization login
    authorization ppp
    authorization-attribute (ISP domain view)
    basic-service-ip-type
    dhcpv6-follow-ipv6cp
    display aaa abnormal-offline-record
    display aaa normal-offline-record
    display aaa offline-record
    display aaa online-fail-record
    display aaa online-offline-reason
    display domain
    display domain access-user statistics
    domain
    domain default enable
    domain if-unknown
    dynamic-authorization effective-attribute
    ip-usage-warning
    ipv6 nd autoconfig managed-address-flag
    ipv6 nd autoconfig other-flag
    ipv6-usage-warning
    ipv6cp assign-interface-id
    ita-policy
    l2tp-group
    l2tp-user radius-force
    load-sharing user-group
    local-server log change-password-prompt
    nas-id
    nas-id bind
    redirect active-time
    redirect move-temporarily enable
    redirect server
    reset aaa abnormal-offline-record
    reset aaa normal-offline-record
    reset aaa offline-record
    reset aaa online-fail-record
    secondary-web-server { ip | ipv6 }
    service rate-limit mode (ISP domain view)
    service-type (ISP domain view)
    session-time include-idle-time
    snmp-agent trap enable aaa
    snmp-agent trap enable domain
    state (ISP domain view)
    state block time-range name
    strict-check access-interface vpn-instance
    user-address-type
    user-group bind nat-instance
    users-per-account
    web-server { ip | ipv6 }
    web-server { url | ipv6-url }
    web-server url-parameter
  Local user commands
    access-limit
    authorization-attribute (local user view/user group view)
    bind-attribute
    company
    description
    display local-user
    display user-group
    display user-group identity-active
    email
    full-name
    group
    local-guest auto-delete enable
    local-guest email format
    local-guest email sender
    local-guest email smtp-server
    local-guest generate
    local-guest send-email
    local-user
    local-user-export
    local-user-import
    password (device management user view)
    password (network access user view)
    phone
    service-type (local user view)
    snmp-agent trap enable user-group
    sponsor-department
    sponsor-email
    sponsor-full-name
    state (local user view)
    user-group (system view)
    validity-datetime (local guest view)
    validity-datetime (device management user view)
  RADIUS commands
    aaa device-id
    aaa nas-port-id vlanid uppercase
    accounting-on enable
    accounting-on extended
    attribute 5 format
    attribute 6 value
    attribute 15 check-mode
    attribute 25 car
    attribute 31 mac-format
    attribute 85 preferred
    attribute 87 format
    attribute convert (RADIUS DAS view)
    attribute convert (RADIUS scheme view)
    attribute reject (RADIUS DAS view)
    attribute reject (RADIUS scheme view)
    attribute remanent-volume
    attribute translate
    attribute vendor-id 2011 version
    client
    dae-loose-check enable
    data-flow-format (RADIUS scheme view)
    display radius scheme
    display radius server-load statistics
    display radius statistics
    display stop-accounting-buffer (for RADIUS)
    exclude
    include
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    port
    pppoe-agency reply-port
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    radius attribute extended
    radius attribute-test-group
    radius authentication-request first
    radius dscp
    radius dynamic-author server
    radius nas-ip
    radius offline-reason-convert user-type ppp
    radius scheme
    radius session-control client
    radius session-control enable
    radius source-ip
    radius stop-accounting-buffer cache
    radius stop-accounting-buffer overwrite-oldest
    radius stop-accounting-buffer warning-threshold
    radius trap-version
    radius-server authen-state-check interval
    radius-server test-profile
    reset radius server-load statistics
    reset radius statistics
    reset stop-accounting-buffer (for RADIUS)
    response-pending-limit
    retry
    retry realtime-accounting
    retry stop-accounting (RADIUS scheme view)
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    server-block-action
    server-load-sharing enable
    server-load-sharing mode
    snmp-agent trap enable radius
    source-ip
    state primary
    state secondary
    stop-accounting-buffer enable (RADIUS scheme view)
    stop-accounting-packet send-force
    test-aaa
    threshold remanent-volume
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    trust ip
    trust ipv6
    user-name-format (RADIUS scheme view)
    username-authorization apply
    vpn-instance (RADIUS scheme view)
  HWTACACS commands
    data-flow-format (HWTACACS scheme view)
    display hwtacacs scheme
    display stop-accounting-buffer (for HWTACACS)
    hwtacacs nas-ip
    hwtacacs scheme
    hwtacacs-user change-password
    key (HWTACACS scheme view)
    nas-ip (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    primary authentication (HWTACACS scheme view)
    primary authorization
    reset hwtacacs statistics
    reset stop-accounting-buffer (for HWTACACS)
    retry stop-accounting (HWTACACS scheme view)
    secondary accounting (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    secondary authorization
    stop-accounting-buffer enable (HWTACACS scheme view)
    timer quiet (HWTACACS scheme view)
    timer realtime-accounting (HWTACACS scheme view)
    timer response-timeout (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)
  LDAP commands
    attribute-map
    authentication-server
    authorization-server
    display ldap scheme
    ip
    ipv6
    ldap attribute-map
    ldap scheme
    ldap server
    login-dn
    login-password
    map
    protocol-version
    search-base-dn
    search-scope
    server-timeout
    user-parameters
  Local bill cache commands
    display local-bill
    local-bill enable
    local-bill export
    local-bill export-interval
    local-bill export-url
    snmp-agent trap enable local-bill
  RADIUS proxy commands
    radius-proxy
    client
    display radius-proxy statistics
    display radius-proxy user
    reset radius-proxy statistics
    reset radius-proxy user
    stop-accounting ignore
    timer aging


AAA commands

In standard operating mode, both IPoE and PPPoE are supported and are available only for the following cards:

·     CEPC cards: CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RX-L

·     CSPEX cards: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1602X, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CSPEX-1802X, CSPEX-1812X-E, CSPEX-2304X-G

·     SPE cards: RX-SPE200, RX-SPE200-E

In SDN-WAN operating mode, IPoE is supported and is available only for the following cards:

·     CSPEX cards: CSPEX-1802X, CSPEX-1812X-E, CSPEX-2304X-G

·     SPE cards: RX-SPE200-E

For more information about the system operating modes, see managing the device in Fundamentals Configuration Guide.

General AAA commands

aaa abnormal-offline-record enable

Use aaa abnormal-offline-record enable to enable user abnormal offline recording.

Use undo aaa abnormal-offline-record enable to disable user abnormal offline recording.

Syntax

aaa abnormal-offline-record enable

undo aaa abnormal-offline-record enable

Default

User abnormal offline recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that go offline abnormally. These records help the administrator analyze the causes and resolve the issues for abnormal user offline events. To display user abnormal offline records, use the display aaa abnormal-offline-record command.

This feature takes effect only when user offline recording is enabled.

The maximum number of abnormal offline records that can be stored varies by device model. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user abnormal offline recording.

<Sysname> system-view

[Sysname] aaa abnormal-offline-record enable

Related commands

aaa offline-record enable

display aaa abnormal-offline-record

aaa authorize user-name netstream-sampler

Use aaa authorize user-name netstream-sampler to assign an authorization NetStream sampler to a user and enable NetStream sampling for the user traffic.

Syntax

aaa authorize user-name user-name netstream-sampler sampler-name [ inbound | outbound ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name: Specifies a user by its name, a case-sensitive string of 1 to 253 characters.

sampler-name: Specifies a sampler by its name, a case-insensitive string of 1 to 31 characters. For more information about samplers, see sampler configuration in Network Management and Monitoring Configuration Guide.

inbound: Specifies the user traffic in inbound direction.

outbound: Specifies the user traffic in outbound direction.

Usage guidelines

This command enables the device to assign a sampler to a user and use the sampler to perform NetStream sampling on the user's traffic in the specified directions. The device stops NetStream sampling for a user only if the user goes offline, a new sampler is assigned to the user, or the authorization sampler configuration for the user is cancelled.

For a user, this NetStream sampling configuration takes precedence over the NetStream sampling configuration (if any) on the access interface of the user. For more information about NetStream sampling, see NetStream configuration in Network Management and Monitoring Configuration Guide.

If you do not specify the inbound or outbound keyword, NetStream sampling is enabled for both inbound and outbound user traffic.

If you specify a sampler for user traffic in the same direction multiple times, the most recent configuration takes effect.

If the configuration of the sampler that has been assigned to the user changes, the changes do not take effect on the user.

Examples

# Assign sampler sam1 to user user1 and enable NetStream sampling for the user traffic in the inbound direction.

<Sysname> aaa authorize user-name user1 netstream-sampler sam1 inbound

Related commands

aaa de-authorize user-name netstream-sampler

aaa de-authorize user-name netstream-sampler

Use aaa de-authorize user-name netstream-sampler to remove the authorization NetStream sampler assigned to a user.

Syntax

aaa de-authorize user-name user-name netstream-sampler [ inbound | outbound ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name: Specifies a user by its name, a case-sensitive string of 1 to 253 characters.

inbound: Specifies the user traffic in inbound direction.

outbound: Specifies the user traffic in outbound direction.

Usage guidelines

This command removes the authorization NetStream sampler assigned to a user and stops NetStream sampling on the user's traffic in the specified directions. For more information about NetStream sampling, see NetStream configuration in Network Management and Monitoring Configuration Guide.

If you do not specify the inbound or outbound keyword, the device stops NetStream sampling on both inbound and outbound traffic of the user.

Examples

# Remove the NetStream sampler assigned to user user1 and stop NetStream sampling on the user's traffic.

<Sysname> aaa de-authorize user-name user1 netstream-sampler

Related commands

aaa authorize user-name netstream-sampler

aaa default-domain

Use aaa default-domain to configure default ISP domains on an interface.

Use undo aaa default-domain to remove default ISP domain configuration from an interface.

Syntax

aaa default-domain { authentication [ force | replace ] isp-name | pre-authentication isp-name } *

undo aaa default-domain [ authentication | pre-authentication ]

Default

No default ISP domains are configured on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

authentication: Specifies a default authentication domain. If you do not specify the force or replace keyword, this command specifies a common default authentication domain that applies only to users with usernames that do not include a domain name.

authentication force: Specifies a force default authentication domain. The device forcibly uses this domain to authenticate users but leaves the ISP domain names in the users' usernames unchanged.

authentication replace: Specifies a replacement default authentication domain. The device forcibly uses this domain to authenticate users and changes the ISP domain names in the users' usernames to the name of this domain.

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). You must specify an existing ISP domain.

pre-authentication: Specifies a default preauthentication domain. The device assigns unauthenticated users to this domain so that the users can obtain an IP address.

Usage guidelines

If the access module does not specify an authentication domain for a user, the device uses one of the default authentication domains to accommodate the user.

This command is applicable only to PPP, IPoE, and LAN users. The default preauthentication domain is applicable only to IPoE users.

On an interface, you can configure only one default authentication domain (common default authentication domain, force default authentication domain, or replacement default authentication domain). If you configure the default authentication domain multiple times, the most recent configuration takes effect.

Examples

# Specify ISP domain my-domain as the force default authentication domain on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa default-domain authentication force my-domain

Related commands

domain

aaa deny-domain

Use aaa deny-domain to specify a denied domain on an interface.

Use undo aaa deny-domain to remove denied domains from an interface.

Syntax

aaa deny-domain isp-name

undo aaa deny-domain [ isp-name ]

Default

No denied domains are specified on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). You must specify an existing ISP domain.

Usage guidelines

Use this command to deny users in the specified ISP domain from accessing an interface.

This command is applicable only to PPP, IPoE, and LAN users.

You can specify a maximum of 16 denied domains on an interface.

If you do not specify an ISP domain, the undo form of this command removes all denied domains from an interface.

On an interface, this command is mutually exclusive with the aaa permit-domain command.

Examples

# Specify ISP domain my-domain2 as a denied domain on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa deny-domain my-domain2

Related commands

aaa permit-domain

domain

aaa login-failed alarm-threshold

Use aaa login-failed alarm-threshold to configure SNMP notification parameters for user login failures.

Use undo aaa login-failed alarm-threshold to restore the default.

Syntax

aaa login-failed alarm-threshold trigger-threshold trigger-threshold clear-threshold clear-threshold period period

undo aaa login-failed alarm-threshold

Default

The triggering threshold, clearing threshold, and alarm period are 30, 20, and 5 minutes, respectively.

Views

System view

Predefined user roles

network-admin

Parameters

trigger-threshold trigger-threshold: Specifies the triggering threshold in the range of 0 to 100. If you set the threshold value to 0, the system does not generate SNMP notifications for user login failures.

clear-threshold clear-threshold: Specifies the clearing threshold in the range of 1 to 100. The clearing threshold must be equal to or lower than the triggering threshold. If you set the clearing threshold value to 0 or 1, the system generates an alarm removal message only when no login failure is detected during an alarm period.

period period: Specifies the alarm period in the range of 1 to 120 minutes. If you set the triggering threshold to 0, the configured alarm period does not take effect.

Usage guidelines

Application scenarios

This feature allows the system to generate alarms for frequent admin user login failures so that the network administrators can take corresponding measures.

Operating mechanism

With this feature configured, the system generates a user login failure alarm for a device management user when either of the following cases exists:

·     The number of user login failures reaches the triggering threshold for the first time within an alarm period.

·     The number of user login failures increases from a value below the clearing threshold to the triggering threshold within an alarm period.

When the number of user login failures drops from the triggering threshold or higher to the clearing threshold or lower within an alarm period, the system generates an alarm removal message.
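The two alarm conditions and the removal condition above form a per-user hysteresis loop. The following simulation is an added example, not H3C code; it assumes failures are counted over a sliding window of period minutes (timestamps in seconds), that a trigger threshold of 0 disables the alarm, and that with a clearing threshold of 0 or 1 the removal message is sent only once no failure remains in the period, as the parameter description states.

```python
from collections import deque


class LoginFailureAlarm:
    """Two-state (normal / alarm) hysteresis per device management user.

    Constructed model of aaa login-failed alarm-threshold, not device code.
    """

    def __init__(self, trigger=30, clear=20, period=5):
        # Value ranges taken from the command's parameter description.
        if not 0 <= trigger <= 100:
            raise ValueError("trigger-threshold must be 0..100")
        if not 1 <= clear <= 100:
            raise ValueError("clear-threshold must be 1..100")
        if trigger and clear > trigger:
            raise ValueError("clear-threshold must not exceed trigger-threshold")
        self.trigger = trigger
        self.clear = clear
        self.window = period * 60          # alarm period, converted to seconds (assumption)
        self._failures = {}                # user -> deque of failure timestamps
        self.alarmed = set()               # users with an outstanding alarm
        self.notifications = []            # (timestamp, kind, user, count)

    def count(self, user, now):
        """Login failures of `user` inside the last alarm period (sliding window)."""
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def record_failure(self, user, now):
        """Register one failed login for `user` at time `now` and re-evaluate."""
        self._failures.setdefault(user, deque()).append(now)
        return self.evaluate(user, now)

    def evaluate(self, user, now):
        """Re-check thresholds at time `now`; returns 'ALARM', 'CLEAR' or None."""
        if self.trigger == 0:              # 0 disables the notification entirely
            return None
        n = self.count(user, now)
        # With clear-threshold 0 or 1 the removal is sent only when no failure is left.
        clear_level = 0 if self.clear <= 1 else self.clear
        if user not in self.alarmed and n >= self.trigger:
            # Reached the trigger threshold, either for the first time or after
            # having dropped to the clearing level (which re-armed the user).
            self.alarmed.add(user)
            self.notifications.append((now, "ALARM", user, n))
            return "ALARM"
        if user in self.alarmed and n <= clear_level:
            self.alarmed.discard(user)
            self.notifications.append((now, "CLEAR", user, n))
            return "CLEAR"
        return None


def replay(events, trigger=30, clear=20, period=5):
    """Drive the state machine with constructed events.

    Each event is ('fail', ts, user) for a failed login or ('check', ts, user)
    for a timer re-evaluation; returns the (kind, user, count) notifications.
    """
    alarm = LoginFailureAlarm(trigger, clear, period)
    for kind, ts, user in events:
        if kind == "fail":
            alarm.record_failure(user, ts)
        else:
            alarm.evaluate(user, ts)
    return [(kind, user, n) for _, kind, user, n in alarm.notifications]


if __name__ == "__main__":
    # Constructed sample: three failures for "admin" inside one minute, then silence.
    sample = [("fail", 0, "admin"), ("fail", 10, "admin"), ("fail", 20, "admin"),
              ("check", 100, "admin")]
    for note in replay(sample, trigger=3, clear=1, period=1):
        print(note)
```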

Examples

# Set the triggering threshold, clearing threshold, and alarm period to 40, 20, and 10 minutes, respectively, for SNMP notifications for user login failures.

<Sysname> system-view

[Sysname] aaa login-failed alarm-threshold trigger-threshold 40 clear-threshold 20 period 10

Related commands

snmp-agent trap enable aaa

aaa nas-id

Use aaa nas-id to set the NAS-ID on an interface.

Use undo aaa nas-id to restore the default.

Syntax

aaa nas-id nas-identifier

undo aaa nas-id

Default

No NAS-ID is set on an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-insensitive string of 1 to 253 characters.

Usage guidelines

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1.     NAS-ID bound with VLANs in a NAS-ID profile.

2.     NAS-ID on an interface.

3.     NAS-ID in an ISP domain.

If no NAS-ID is selected, the device uses the device name as the NAS-ID.

The NAS-ID on an interface is applicable only to PPP and IPoE users.

Examples

# Set the NAS-ID to test on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa nas-id test

Related commands

aaa nas-id profile

nas-id

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.

Use undo aaa nas-id profile to delete a NAS-ID profile.

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

Default

No NAS-ID profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.

By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests.

A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.

For example, map the NAS-ID companyA to all VLANs of company A. The device will send companyA in the NAS-Identifier attribute for the RADIUS server to identify requests from any Company A users.

You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1.     NAS-ID bound with VLANs in a NAS-ID profile.

2.     NAS-ID on an interface.

3.     NAS-ID in an ISP domain.

Examples

# Create a NAS-ID profile named aaa and enter its view.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

aaa nas-id

aaa nas-id-profile

nas-id bind

aaa nas-id-profile

Use aaa nas-id-profile to specify a NAS-ID profile for an interface.

Use undo aaa nas-id-profile to restore the default.

Syntax

aaa nas-id-profile profile-name

undo aaa nas-id-profile

Default

No NAS-ID profile is specified for an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command takes effect only on PPP and IPoE users.

Examples

# Specify NAS-ID profile bbb for Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa nas-id-profile bbb

Related commands

aaa nas-id profile

nas-id bind

aaa nas-ip

Use aaa nas-ip to set the NAS IP address on an interface.

Use undo aaa nas-ip to remove the NAS IP address from the interface.

Syntax

aaa nas-ip { ipv4-address | ipv6 ipv6-address }

undo aaa nas-ip [ ipv6 ]

Default

No NAS IP address is set on an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.

The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.

You can specify the NAS IP address in interface view, RADIUS scheme view, and system view.

·     The NAS IP address specified by using this command in interface view applies only to users that access the network through the interface.

·     The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.

The priority order is as follows:

1.     The NAS IP address specified in interface view.

2.     The NAS IP address specified in RADIUS scheme view.

3.     The NAS IP address specified in system view.

An interface can have only one NAS IPv4 address and one NAS IPv6 address for RADIUS packets.

If you do not specify the ipv6 keyword for the undo aaa nas-ip command, the command removes the configured NAS IPv4 address for RADIUS packets.

Examples

# Specify IP address 1.1.1.1 as the NAS IPv4 address of RADIUS packets on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa nas-ip 1.1.1.1

Related commands

nas-ip (RADIUS scheme view)

radius nas-ip

aaa normal-offline-record enable

Use aaa normal-offline-record enable to enable user normal offline recording.

Use undo aaa normal-offline-record enable to disable user normal offline recording.

Syntax

aaa normal-offline-record enable

undo aaa normal-offline-record enable

Default

User normal offline recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that go offline normally. These records help the administrator analyze causes of user offline events. To display user normal offline records, use the display aaa normal-offline-record command.

This feature takes effect only when user offline recording is enabled.

The maximum number of normal offline records that can be stored varies by device model. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user normal offline recording.

<Sysname> system-view

[Sysname] aaa normal-offline-record enable

Related commands

aaa offline-record enable

display aaa normal-offline-record

aaa offline-record enable

Use aaa offline-record enable to enable user offline recording.

Use undo aaa offline-record enable to disable user offline recording.

Syntax

aaa offline-record enable

undo aaa offline-record enable

Default

User offline recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must enable this feature so that user abnormal offline recording and user normal offline recording can take effect. Then, the system can record information about users that go offline normally and abnormally. To display user offline records, use the display aaa offline-record command.

The device can save a maximum of 65536 user offline records. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user offline recording.

<Sysname> system-view

[Sysname] aaa offline-record enable

Related commands

aaa abnormal-offline-record enable

aaa normal-offline-record enable

display aaa offline-record

aaa online-fail-record enable

Use aaa online-fail-record enable to enable user online failure recording.

Use undo aaa online-fail-record enable to disable user online failure recording.

Syntax

aaa online-fail-record enable

undo aaa online-fail-record enable

Default

User online failure recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the system to record information about users that fail to come online. These records help the administrator identify causes of user online failures and check for malicious users. To display user online failure records, use the display aaa online-fail-record command.

The maximum number of user online failure records that can be stored varies by device model. When the maximum number is reached, a new record overwrites the oldest record.

To reduce the memory usage, you can disable this feature.

Examples

# Enable user online failure recording.

<Sysname> system-view

[Sysname] aaa online-fail-record enable

Related commands

display aaa online-fail-record

aaa permit-domain

Use aaa permit-domain to specify a permitted domain on an interface.

Use undo aaa permit-domain to remove permitted domains from an interface.

Syntax

aaa permit-domain isp-name

undo aaa permit-domain [ isp-name ]

Default

No permitted domains are specified on an interface. All ISP domains are permitted.

Views

Interface view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). You must specify an existing ISP domain.

Usage guidelines

Use this command to allow only users in the specified ISP domain to access an interface.

This command is applicable only to PPP, IPoE, and LAN users.

You can specify a maximum of 16 permitted domains on an interface.

If you do not specify an ISP domain, the undo form of this command removes all permitted domains from an interface. The interface then allows users in any ISP domain to access it.

On an interface, this command is mutually exclusive with the aaa deny-domain command.

Examples

# Specify ISP domain my-domain as a permitted domain on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa permit-domain my-domain

Related commands

aaa deny-domain

domain

aaa roam-domain

Use aaa roam-domain to specify a roaming domain on an interface.

Use undo aaa roam-domain to remove the roaming domain from an interface.

Syntax

aaa roam-domain isp-name

undo aaa roam-domain

Default

No roaming domain is specified on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). You must specify an existing ISP domain.

Usage guidelines

The device uses the roaming domain to authenticate a user if the user is assigned to the ISP domain carried in the username but the assigned domain does not exist.

This command is applicable only to PPP, IPoE, and LAN users.

Examples

# Specify ISP domain domain1 as the roaming domain on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa roam-domain domain1

Related commands

domain

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

aaa session-limit { ftp | http | https | ssh [ service-type { netconf | scp | sftp | stelnet } ] | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh [ service-type { netconf | scp | sftp | stelnet } ] | telnet }

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users. SSH users include the following types:

·     netconf: NETCONF over SSH users.

·     scp: SCP users.

·     sftp: SFTP users.

·     stelnet: Stelnet users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range for FTP, SSH, and Telnet services is 1 to 32, and the value range for HTTP and HTTPS services is 1 to 64.

Usage guidelines

After the number of concurrent login users of a user type reaches the upper limit, the system denies subsequent users of this type.

For HTTP and HTTPS services, the number of concurrent users of an application is separately limited. For example, if the maximum number of concurrent HTTP users is 20, a maximum of 20 concurrent users are allowed for each HTTP-based application, such as RESTful, Web, and NETCONF.

You can set the maximum number of concurrent login users for all SSH users in total and for SSH users of a specific type (NETCONF over SSH, SCP, SFTP, or Stelnet). When an SSH user comes online, the system operates as follows:

1.     Examines if the number of total online SSH users has reached the upper limit.

2.     Examines if the number of online SSH users of the specific type has reached its upper limit.

The user can come online when neither limit is reached.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

aaa shared-account-user no-family

Use aaa shared-account-user no-family to process shared-account users as non-family users.

Use undo aaa shared-account-user no-family to restore the default.

Syntax

aaa shared-account-user no-family

undo aaa shared-account-user no-family

Default

Shared-account users (concurrent users that share a user account) are processed as family users. The device applies the traffic policing parameters assigned to the shared account to the combined traffic of all users that share the account, rather than to each user individually.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to process shared-account users as non-family users. In this way, the device will separately limit the traffic rate for each shared-account user according to the traffic policing parameters assigned to the shared account.

This command is applicable only to PPPoE, IPoE, and L2TP users. It takes effect only on users that come online after the command execution.

For this command to take effect on users, make sure one of the following conditions exists:

·     The server assigns the Port-Limit attribute (attribute 62) to users.

·     For the ISP domain to which the users belong, the users-per-account command has been configured to set the maximum number of concurrent logins for a user account.

Examples

# Configure the device to process shared-account users as non-family users.

<Sysname> system-view

[Sysname] aaa shared-account-user no-family

Related commands

users-per-account

aaa ssid

Use aaa ssid to set the SSID on an interface.

Use undo aaa ssid to restore the default.

Syntax

aaa ssid ssid-name

undo aaa ssid

Default

No SSID is set on an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

Parameters

ssid-name: Specifies an SSID name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In a wireless network, the SSID configured on a user access interface identifies the wireless network that users on the interface access. The SSID is used as follows:

·     Carried in the Web server URL to which the device redirects users.

To carry an SSID in the Web server URL, you must specify the ssid keyword when you execute the web-server url-parameter command.

·     Populated in the standard attribute 30 (Called-Station-Id attribute) of outgoing RADIUS authentication requests. The format of the SSID information is 00-00-00-00-00-00:ssid-name.

Do not execute the aaa ssid command if no wireless users exist on the interface.

Examples

# Set the SSID on Ten-GigabitEthernet 3/1/1 to test11.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] aaa ssid test11

Related commands

web-server url-parameter

access-limit

Use access-limit to set the maximum number of users allowed to access an ISP domain.

Use undo access-limit to restore the default.

Syntax

access-limit limit-number

undo access-limit

Default

No limit is placed on the number of users allowed to access an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

limit-number: Specifies the maximum number of users allowed to access the ISP domain. The value range is 1 to 2147483647.

Usage guidelines

This command does not distinguish the service types of users. When the number of concurrent users in an ISP domain reaches the maximum number, the system denies access of subsequent users to the domain.

The maximum number of concurrent login users is also restricted by the aaa session-limit command in system view.

This limit does not affect reauthenticated users, ITA users, or EDSG users.

Examples

# Allow a maximum of 100 users to access ISP domain my-domain.

<Sysname> system-view

[Sysname] domain name my-domain

[Sysname-isp-my-domain] access-limit 100

Related commands

display domain

access-user auto-save enable

Use access-user auto-save enable to enable automatic user backup.

Use undo access-user auto-save enable to disable automatic user backup.

Syntax

access-user auto-save enable

undo access-user auto-save enable

Default

Automatic user backup is enabled.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

This feature is a memory-intensive feature. As a best practice, enable this feature when the system initially starts up or the service load is light, and disable this feature when the device memory is limited.

Typically, DHCPv4, DHCPv6, or IPv6 ND RS users are logged out and their user information is lost if the access card or interface fails or the device reboots. After the failure is resolved or the device restarts, the clients might not initiate authentication to come online again because they are unaware of the failure or reboot. The device also cannot bring the users online automatically because it no longer has their user information. To resolve this issue, enable automatic user backup on the device.

When this feature is enabled, the device will instruct the access module to back up the user information after the users pass authentication. With this feature, the device allows the users to come online automatically after they are logged out because of card or interface failure or device reboot.

For this feature to take effect, you must set the maximum number of users that can be backed up by using the ip subscriber auto-save max-user command.

To avoid the loss of the backup user information caused by device reboot, use the ip subscriber save-file command to save the backup to a non-volatile storage medium. Then, if the users are logged out because of device reboot, the access module can use the backup stored in the non-volatile storage medium to reauthenticate the users.

This feature takes effect only on IPoE users.

Examples

# Enable automatic user backup in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] access-user auto-save enable

Related commands

display domain

ip subscriber auto-save max-user (BRAS Services Command Reference)

ip subscriber save-file (BRAS Services Command Reference)

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record valid commands that have been successfully executed on the device.

·     When the command line authorization feature is disabled, the accounting server records all valid commands that have been successfully executed.

·     When the command line authorization feature is enabled, the accounting server records only authorized commands that have been successfully executed.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

For high availability, you can specify multiple accounting methods. The device tries these methods in the order in which they are specified. If the first specified method is invalid, the device tries the next one. This process continues until a method succeeds or all methods are exhausted.

For example, the radius-scheme radius-scheme-name local none parameters specify RADIUS-based remote accounting, local accounting, and no accounting in sequence. The device first performs RADIUS accounting and then performs local accounting if the RADIUS accounting method is invalid. If both remote and local accounting are invalid, the device does not perform accounting.

 

 

NOTE:

A remote accounting method is invalid if the device fails to find the specified accounting scheme, send accounting packets, or receive responses from any accounting servers.

Local accounting is invalid if the device fails to find a local user account for the requesting user when it performs local accounting.

When the primary accounting method is local, the following rules apply:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain system, specify local as the default accounting method.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] accounting default local

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting dual-stack

Use accounting dual-stack to specify the accounting method for dual-stack users.

Use undo accounting dual-stack to restore the default.

Syntax

accounting dual-stack { merge | separate }

undo accounting dual-stack

Default

The merge method applies.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

merge: Merges IPv4 data with IPv6 data for accounting.

separate: Separates IPv4 data from IPv6 data for accounting.

Usage guidelines

If the charging rates are different for IPv4 and IPv6 data, use the separate method for the accounting of dual-stack users.

If the separate method is used for the accounting of dual-stack users, the authorization CAR action is also separately applied to PPP and IPoE users' basic IPv4 traffic and basic IPv6 traffic.

Examples

# In ISP domain test, configure the device to merge IPv4 data with IPv6 data for the accounting of dual-stack users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting dual-stack merge

accounting ipoe

Use accounting ipoe to specify accounting methods for IPoE users.

Use undo accounting ipoe to restore the default.

Syntax

accounting ipoe { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting ipoe

Default

The default accounting methods of the ISP domain are used for IPoE users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

·     The specified accounting scheme does not exist.

·     Accounting packet sending fails.

·     The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device or the user is not allowed to use the IPoE service.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

The following guidelines apply to broadcast accounting:

·     The device sends start-accounting, update-accounting, and stop-accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for IPoE users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ipoe local

# In ISP domain test, perform RADIUS accounting for IPoE users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ipoe radius-scheme rd local

# In ISP domain test, broadcast accounting requests of IPoE users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ipoe broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

timer realtime-accounting (RADIUS scheme view)

accounting lan-access

Use accounting lan-access to specify accounting methods for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

Default

The default accounting methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

·     The specified accounting scheme does not exist.

·     Accounting packet sending fails.

·     The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device or the user is not allowed to use the LAN access service.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

The following guidelines apply to broadcast accounting:

·     The device sends start-accounting, update-accounting, and stop-accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable in a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

timer realtime-accounting (RADIUS scheme view)

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

·     The specified accounting scheme does not exist.

·     Accounting packet sending fails.

·     The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

When the primary accounting method is local, the following rules apply to the accounting of a user:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

accounting ppp

Use accounting ppp to specify accounting methods for PPP users.

Use undo accounting ppp to restore the default.

Syntax

accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting ppp

Default

The default accounting methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The remote accounting method is invalid in the following situations:

·     The specified accounting scheme does not exist.

·     Accounting packet sending fails.

·     The device does not receive any accounting response packets from an accounting server.

The local accounting method is invalid if the device fails to find the matching local user configuration.

The following guidelines apply to broadcast accounting:

·     The device sends start-accounting, update-accounting, and stop-accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the real-time accounting interval set in the primary broadcast RADIUS scheme. If the primary server is unavailable for a scheme, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

When the primary accounting method is local, the following rules apply to the accounting of a user:

·     The device uses the backup accounting methods in sequence only if local accounting is invalid for one of the following reasons:

¡     An exception occurs in the local accounting process.

¡     The user account is not configured on the device or the user is not allowed to use the PPP service.

·     The device does not turn to the backup accounting methods if local accounting is invalid because of any other reason. Accounting fails for the user.
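The method-selection and fallback rules described above are the same for the accounting default, accounting ipoe, accounting lan-access, accounting login, and accounting ppp commands. The following Python model is added here as an illustration only; it is not part of this command reference or of the device software. It parses the method part of an accounting command and walks the list under those rules; the Outcome names, the Method class, and the probe table that simulates server and local-user state are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Outcome(Enum):
    """Result of the device attempting one accounting method (reasons as listed on the page)."""
    SUCCESS = "success"
    # A remote (RADIUS or HWTACACS) method is invalid when:
    SCHEME_MISSING = "specified accounting scheme does not exist"
    SEND_FAILED = "accounting packet sending failed"
    NO_RESPONSE = "no accounting response from any server"
    # A local method is invalid when:
    LOCAL_EXCEPTION = "exception in the local accounting process"
    USER_NOT_CONFIGURED = "user account not configured or service not allowed"
    LOCAL_OTHER = "local accounting invalid for any other reason"


# Only these two reasons let a *primary* local method fall back to the backup methods.
LOCAL_FALLBACK_REASONS = {Outcome.LOCAL_EXCEPTION, Outcome.USER_NOT_CONFIGURED}


@dataclass(frozen=True)
class Method:
    kind: str        # "radius-scheme", "hwtacacs-scheme", "local" or "none"
    name: str = ""   # scheme name for remote kinds, empty otherwise

    def label(self) -> str:
        return f"{self.kind} {self.name}".strip()


def parse_method_list(text: str) -> List[Method]:
    """Parse the method list of an accounting command, e.g. 'radius-scheme rd local none'."""
    tokens = text.split()
    methods: List[Method] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("radius-scheme", "hwtacacs-scheme"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a scheme name")
            name = tokens[i + 1]
            if not 1 <= len(name) <= 32:
                raise ValueError("scheme name must be 1 to 32 characters")
            methods.append(Method(tok, name))
            i += 2
        elif tok in ("local", "none"):
            methods.append(Method(tok))
            i += 1
        else:
            raise ValueError(f"unknown accounting method keyword: {tok}")
    if not methods:
        raise ValueError("at least one accounting method is required")
    if any(m.kind == "none" for m in methods[:-1]):
        raise ValueError("'none' may only appear as the last method")
    return methods


Probe = Callable[[Method], Outcome]


def select_accounting_method(methods: List[Method], probe: Probe) -> Tuple[Optional[str], Outcome]:
    """Try the methods in order, applying the page's fallback rules.

    probe(method) simulates the device attempting that method and returns its Outcome.
    Returns (label of the method that took effect, or None if accounting failed, last outcome).
    """
    last = Outcome.SUCCESS
    for index, method in enumerate(methods):
        if method.kind == "none":
            # 'none' cannot be invalid: the device simply performs no accounting.
            return (method.label(), Outcome.SUCCESS)
        last = probe(method)
        if last is Outcome.SUCCESS:
            return (method.label(), last)
        if method.kind == "local" and index == 0 and last not in LOCAL_FALLBACK_REASONS:
            # Primary local accounting invalid for any other reason: no fallback, accounting fails.
            return (None, last)
        # Any other invalid method: the device turns to the next backup method in sequence.
    return (None, last)


def make_probe(results: Dict[str, Outcome]) -> Probe:
    """Build a probe from a constructed table {method label: Outcome}; unlisted methods succeed."""
    def probe(method: Method) -> Outcome:
        return results.get(method.label(), Outcome.SUCCESS)
    return probe


if __name__ == "__main__":
    # Constructed scenario: RADIUS scheme rd gets no server response, the local user exists.
    chain = parse_method_list("radius-scheme rd local none")
    print(select_accounting_method(chain, make_probe({"radius-scheme rd": Outcome.NO_RESPONSE})))
```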

Examples

# In ISP domain test, perform local accounting for PPP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ppp local

# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ppp radius-scheme rd local

# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

timer realtime-accounting (RADIUS scheme view)

accounting pppoea

Use accounting pppoea to configure an accounting method for PPPoEA users.

Use undo accounting pppoea to restore the default.

Syntax

accounting pppoea { none | radius-scheme radius-scheme-name [ none ] }

undo accounting pppoea

Default

The default accounting method is used for PPPoEA users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Application scenarios

In a campus and ISP unification scenario, PPPoE agency dialup can be configured on the BRAS device in the campus network to provide self-service ISP selection and automatic PPPoE dialup. This feature simplifies unified operation between campus and ISP and provides the optimal network experience for campus network users.

Operating mechanism

In a campus and ISP unification scenario, campus network users can apply for different ISP services as needed and obtain the ISP account bound to the campus network account. For an IPoE user requesting ISP network access, the campus AAA server authorizes a user group marked with PPPoE agency dialup and the BRAS devices perform PPPoE agency dialup.

During PPPoE agency dialup, the campus BRAS device acts as the PPPoE client and the ISP BRAS device acts as the PPPoE server. The users are called PPPoE agency dialup (PPPoEA) users.

When agency dialup succeeds, the BRAS device performs accounting on the PPPoEA users or does not perform accounting based on the accounting method configured in the corresponding domain.

Restrictions and guidelines

For PPPoEA users in an authentication domain, the system supports configuring only accounting methods; it does not support configuring authentication or authorization methods. By default, the system does not perform authentication or authorization on PPPoEA users in an authentication domain.

For PPPoEA users, you can configure RADIUS accounting or no accounting. To use the AAA server in the campus to control traffic to ISP networks, configure a RADIUS accounting scheme as a best practice. If no accounting scheme is configured for agency dialup in the authentication domain used by PPPoEA users, the default accounting method in the domain is used. If the default accounting method is not radius-scheme or none, accounting fails.

Examples

# In ISP domain test, use RADIUS scheme rd to perform accounting on PPPoEA users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting pppoea radius-scheme rd

# In ISP domain test, use RADIUS scheme rd to perform accounting on PPPoEA users and specify none as the backup accounting method.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting pppoea radius-scheme rd none

Related commands

radius scheme

accounting quota-out

Use accounting quota-out to configure access control for users that have used up their data or time accounting quotas.

Use undo accounting quota-out to restore the default.

Syntax

accounting quota-out { offline | online | redirect-url url-string [ stop-accounting ] [ user-profile profile-name ] } [ no-accounting-update ]

undo accounting quota-out

Default

The device sends accounting-update packets to the server to request new quotas for the users that have used up their accounting quotas. A user is logged off if the device does not receive any new quota for the user.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that have used up their accounting quotas.

online: Allows users that have used up their accounting quotas to stay online.

redirect-url url-string: Specifies the URL to which users are redirected when they have used up their accounting quotas. The url-string argument is a case-sensitive string of 1 to 255 characters. This option is applicable only to PPPoE, L2TP, and IPoE users.

stop-accounting: Sends stop-accounting packets for users that have used up their accounting quotas. If you do not specify this keyword, the device does not send stop-accounting packets for users that have used up their accounting quotas.

user-profile profile-name: Specifies a user profile to restrict behavior of users that have used up their accounting quotas. The profile-name argument is a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits. If you do not specify a user profile, the users that have used up their accounting quotas are not restricted by any user profile before they obtain new accounting quotas.

no-accounting-update: Disables the device from sending accounting-update requests to refresh the users' quotas.

Usage guidelines

The server might divide the accounting quota of a user into multiple portions and assign one portion to the user at a time. If the server does not support dividing user accounting quotas, specify the no-accounting-update keyword as a best practice to reduce the load on the server.

If the redirect-url, stop-accounting, and user-profile settings are configured, the device sends a stop-accounting request to the RADIUS server with the specified user profile name included in the RADIUS attributes for a user that has used up the accounting quota. The RADIUS attributes used in the request depend on the user profile authorization state:

·     If the RADIUS server has authorized user profiles to the user, the device uploads the specified user profile name.

◦     If the authorized inbound user profile is the same as the outbound user profile, the device uses two private RADIUS attributes (Inbound-User-Profile-Name and Outbound-User-Profile-Name) and one standard RADIUS attribute (Filter-ID) to carry the user profile name. The attribute values are the same.

◦     If the authorized inbound user profile is different from the outbound user profile, the device uses two private RADIUS attributes (Inbound-User-Profile-Name and Outbound-User-Profile-Name) to carry the user profile name. The attribute values are the same.

◦     If only the inbound or outbound user profile is authorized, the device uses the private RADIUS attribute of the same direction (Inbound-User-Profile-Name or Outbound-User-Profile-Name) to carry the user profile name.

·     If the RADIUS server assigned no user profile to the user, the device does not upload the specified user profile name.

Examples

# In ISP domain test, configure the device to allow users that have used up their accounting quotas to stay online.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting quota-out online

accounting start-delay

Use accounting start-delay to set the start-accounting delay (the period of time that the device waits before sending a start-accounting request).

Use undo accounting start-delay to restore the default.

Syntax

accounting start-delay delay-time

undo accounting start-delay

Default

The start-accounting delay is 0 seconds.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

delay-time: Specifies the start-accounting delay, in the range of 1 to 300 seconds.

Usage guidelines

This command applies only to IPoE and PPPoE dual-stack users.

By default, the device sends a start-accounting request for a dual-stack user immediately after the user obtains the first IP address. Then, the device sends a real-time accounting request each time the dual-stack user obtains another IP address. If the server requires the device not to send an accounting request each time the user obtains an IP address, you can set the start-accounting delay to meet the requirement.

After you set the start-accounting delay, the device sends accounting requests for a dual-stack user as follows:

·     If a dual-stack user obtains all IP addresses within the start-accounting delay, the device sends a start-accounting request immediately after the user obtains all IP addresses.

·     If the dual-stack user does not obtain all IP addresses within the start-accounting delay, the device sends a start-accounting request when the delay ends. Then, the device sends an update-accounting request each time the user obtains an IP address.

Whether the user obtains all IP addresses is determined by the access module.

A long delay affects the accounting accuracy and a short delay causes frequent sending of accounting requests. Set an appropriate start-accounting delay based on the time required by IP address allocation for dual-stack users.
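The request sequences described above, as an added model (not H3C code): it assumes the start-accounting delay is measured from the moment the first IP address is obtained, that the access module expects total_addresses addresses, and that the per-address requests are interim accounting updates.

```python
"""Added example, not H3C code: models which accounting requests the device
sends for a dual-stack user with and without an accounting start-delay.
Assumption: the delay runs from the time the first IP address is obtained."""


def accounting_requests(address_times, total_addresses, start_delay=0):
    """Return [(time_in_seconds, request_type), ...] for one dual-stack user.

    address_times:   constructed times at which the user obtains each address
    total_addresses: addresses the access module expects (2 for IPv4 + IPv6)
    start_delay:     accounting start-delay in seconds; 0 is the default
    """
    if not address_times:
        return []  # nothing to account for until an address is obtained
    times = sorted(address_times)
    if start_delay == 0:
        # Default: start on the first address, then an update on each later one.
        return ([(times[0], "Accounting-Start")]
                + [(t, "Accounting-Update") for t in times[1:]])
    deadline = times[0] + start_delay
    if len(times) >= total_addresses and times[total_addresses - 1] <= deadline:
        # All addresses within the delay: a single start request, no updates.
        return [(times[total_addresses - 1], "Accounting-Start")]
    # Otherwise start when the delay expires, then an update per later address.
    requests = [(deadline, "Accounting-Start")]
    requests += [(t, "Accounting-Update") for t in times if t > deadline]
    return requests


def request_count(address_times, total_addresses, start_delay=0):
    """Number of accounting requests the server receives for this user."""
    return len(accounting_requests(address_times, total_addresses, start_delay))
```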

Examples

# In ISP domain test, set the start-accounting delay to 10 seconds.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting start-delay 10

Related commands

display domain

accounting start-fail

Use accounting start-fail to configure access control for users that encounter accounting-start failures.

Use undo accounting start-fail to restore the default.

Syntax

accounting start-fail { offline | online }

undo accounting start-fail

Default

The device allows users that encounter accounting-start failures to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that encounter accounting-start failures.

online: Allows users that encounter accounting-start failures to stay online.

Examples

# In ISP domain test, configure the device to allow users that encounter accounting-start failures to stay online.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.

Use undo accounting update-fail to restore the default.

Syntax

accounting update-fail { [ max-times max-times ] offline | online }

undo accounting update-fail

Default

The device allows users that have failed all their accounting-update attempts to stay online.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-times max-times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the max-times argument is 1 to 255, and the default value is 1. The setting for this parameter takes effect only on IPoE and PPP users. Its value is fixed at 1 for other users, regardless of the setting for this parameter.

offline: Logs off users that have failed all their accounting-update attempts.

online: Allows users that have failed all their accounting-update attempts to stay online.

Usage guidelines

For an IPoE or PPP user, the device takes the action specified by using this command when the maximum number of consecutive accounting-update failures is reached.

For any other types of users, the device takes the action specified by using this command immediately after an accounting-update fails.

The device determines the failure of an accounting-update attempt based on the following factors:

·     Maximum number of transmission attempts for a RADIUS packet (set by using the retry command).

·     Real-time accounting interval (set by using the timer realtime-accounting command).

·     Maximum number of real-time accounting request attempts (set by using the retry realtime-accounting command).

The following information describes the process that the device uses to determine an accounting-update failure:

1.     The device sends accounting request packets at real-time accounting intervals set by using the timer realtime-accounting command.

2.     If the device has not received a response to a request packet when the response timeout timer expires, the device resends the request packet.

3.     When the number of consecutive transmission attempts for the request reaches the limit set by using the retry command, the device determines that the real-time accounting request fails.

4.     When the number of consecutive real-time accounting request failures reaches the limit set by using the retry realtime-accounting command, the device determines that an accounting-update fails.

5.     The system determines the action to take upon an accounting-update failure depending on the user type:

◦     If the user is not an IPoE or PPP user, the system immediately takes the action specified by using the accounting update-fail command.

◦     If the user is an IPoE or PPP user, the system will count the failure. If the number of consecutive accounting-update failures reaches the limit set by using the accounting update-fail command, it takes the action specified by using the same command.
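The five-step process above, as an added model (not H3C code) that walks constructed server behaviour through the retry, retry realtime-accounting and max-times limits; it assumes that retry counts every transmission of a request (first send plus retransmissions) and that an answered request resets both consecutive-failure counters.

```python
"""Added example, not H3C code: models how the device decides that an
accounting-update has failed and when the accounting update-fail action fires.
Assumptions: `retry` counts all transmissions of one request, and an answered
request resets both consecutive-failure counters."""

IPOE_OR_PPP = ("ipoe", "ppp")


def intervals_before_action(retry_realtime, max_times=1, user_type="ipoe"):
    """Real-time accounting intervals of total server silence before the action.

    retry_realtime: retry realtime-accounting (request failures per update failure)
    max_times:      accounting update-fail max-times; fixed at 1 for other users
    """
    effective_max = max_times if user_type in IPOE_OR_PPP else 1
    return retry_realtime * effective_max


def detect_update_failure(per_interval_responses, retry, retry_realtime,
                          max_times=1, user_type="ipoe", action="offline"):
    """Walk the page's process over constructed server behaviour.

    per_interval_responses: one list per real-time accounting interval, giving
        the server's response (True/False) to each successive transmission of
        that request; only the first `retry` entries can be consulted.
    Returns (interval at which the action is taken or None, events).
    """
    effective_max = max_times if user_type in IPOE_OR_PPP else 1
    request_failures = 0  # consecutive real-time accounting request failures
    update_failures = 0   # consecutive accounting-update failures
    events = []
    for k, responses in enumerate(per_interval_responses, start=1):
        # Steps 1-3: one request per interval, retransmitted up to `retry` times.
        if any(responses[:retry]):
            request_failures = update_failures = 0
            events.append((k, "request answered"))
            continue
        request_failures += 1
        if request_failures < retry_realtime:
            events.append((k, f"request failed {request_failures}/{retry_realtime}"))
            continue
        # Step 4: consecutive request failures reached retry realtime-accounting.
        request_failures = 0
        update_failures += 1
        if update_failures < effective_max:
            events.append((k, f"accounting-update failed {update_failures}/{effective_max}"))
            continue
        # Step 5: limit reached, take the accounting update-fail action.
        events.append((k, f"accounting-update failed {update_failures}/{effective_max}: {action}"))
        return k, events
    return None, events
```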

Examples

# In ISP domain test, configure the device to allow users that have failed all their accounting-update attempts to stay online.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] accounting update-fail online

Related commands

retry

retry realtime-accounting

timer realtime-accounting

authen-fail

Use authen-fail to configure the authentication failure policy for users in an ISP domain.

Use undo authen-fail to restore the default.

Syntax

authen-fail { offline | online domain new-isp-name }

undo authen-fail

Default

The device logs out users in an ISP domain if the users fail authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs out users that fail authentication.

online: Allows users that fail authentication to stay online.

domain new-isp-name: Specifies an authentication-fail (authen-fail) domain to accommodate users that fail authentication. The new-isp-name argument represents the name of the reauthentication domain, a case-insensitive string of 1 to 255 characters. The specified domain must already exist. The domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

Use this command to flexibly process users that fail authentication in an ISP domain according to the network requirements. You can configure the device to take one of the following actions on the users:

·     Log out the users.

·     Allow the users to stay online, and then assign the users to the reauthentication domain of the ISP domain for reauthentication.

You cannot delete an ISP domain if that ISP domain has been specified as a reauthentication domain. To delete such an ISP domain, first use the undo authen-fail command to cancel the reauthentication domain configuration.

The reauthentication domain of an ISP domain does not take effect on any of the following users:

·     Device management users that fail authentication in the ISP domain.

·     Users that fail authentication in the ISP domain because of authentication timeout, for example, no response from the authentication server or no local user account.

·     Users that fail authentication in the ISP domain because the ISP domain is in blocked state or is a denied domain.

·     Users that fail authentication in the ISP domain because the maximum number of access users in the ISP domain has been reached.

·     Users that have been assigned to the reauthentication domain and fail authentication again.

·     Users that fail reauthentication in the ISP domain.

Examples

# Specify ISP domain dm1 as the authen-fail domain to accommodate users that fail authentication in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authen-fail online domain dm1

Related commands

display domain

authen-radius-recover

Use authen-radius-recover to specify the action to take on users in the critical domain when a RADIUS server in the users' original authentication domain becomes available.

Use undo authen-radius-recover to restore the default.

Syntax

authen-radius-recover { offline | online domain new-isp-name }

undo authen-radius-recover

Default

No action is specified for users in the critical domain when a RADIUS server in the users' original authentication domain becomes available.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users in the critical domain.

online: Allows users in the critical domain to stay online and assigns the users to the recovery domain.

domain new-isp-name: Specifies a recovery domain to accommodate users in the critical domain when a RADIUS server in the users' original authentication domain becomes available. The new-isp-name argument represents the domain name, a case-insensitive string of 1 to 255 characters. The name must exist and cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only on IPoE and PPPoE users.

Depending on the network requirements, specify an action to take on users in the critical domain when a RADIUS server in the users' original authentication domain becomes available.

·     To perform authentication, authorization, and accounting for the users, log off the users.

·     To assign the users back to their original authentication domain, allow the users to stay online and specify the original authentication domain as the recovery domain. The device does not perform authentication, authorization, or accounting for the users after the users are assigned to the recovery domain. The users can obtain the effective authorization attributes in the recovery domain. To specify the effective authorization attributes, use the dynamic-authorization effective-attribute command.

When you specify a recovery domain for an ISP domain, follow these restrictions and guidelines:

·     If the none method is configured as the backup authentication method in the original authentication domain before the users are assigned to the critical domain, the users still can be assigned to the recovery domain when a RADIUS server becomes available.

·     As a best practice to accurately identify whether a RADIUS authentication server is available and the recovery configuration can take effect in time, configure RADIUS server status detection.

·     If you do not specify the original authentication domain as the recovery domain, users in the critical domain are assigned to the recovery domain after a RADIUS server becomes available. However, the device does not perform authentication, authorization, or accounting for the users.

·     To delete an ISP domain that has been specified as the recovery domain, you must first use the undo authen-radius-recover command to remove the recovery domain setting from the ISP domain.

Examples

# In ISP domain test, log off users in the critical domain when a RADIUS server in the users' original authentication domain becomes available.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authen-radius-recover offline

Related commands

authen-radius-unavailable online domain

display domain

radius-server test-profile

authen-radius-unavailable online domain

Use authen-radius-unavailable online domain to specify a critical domain (also known as fail-permit domain) for an ISP domain to accommodate users that access the ISP domain when all RADIUS servers are unavailable.

Use undo authen-radius-unavailable online domain to restore the default.

Syntax

authen-radius-unavailable online domain new-isp-name

undo authen-radius-unavailable online domain

Default

No critical domain is specified for an ISP domain to accommodate users that access the ISP domain when all RADIUS servers are unavailable.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

new-isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. The name must exist and cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only on IPoE and PPPoE users.

Users in an ISP domain cannot come online correctly if no responses are received for the RADIUS authentication requests sent by the device when all RADIUS authentication servers are unavailable. To resolve this issue, specify a critical domain for this ISP domain to accommodate users that access this ISP domain when all RADIUS servers are unavailable. The users can come online in the critical domain without being authenticated when all RADIUS servers are unavailable.

Users assigned to the critical domain are removed from the critical domain only when both of the following requirements are met:

·     A RADIUS authentication server in the original authentication domain becomes available.

·     A recovery domain is specified for the original authentication domain.

When you specify a critical domain for an ISP domain, follow these restrictions and guidelines:

·     If an ISP domain has been specified as a critical domain, do not specify a critical domain for that ISP domain. If you do so, the critical domain specified for that ISP domain cannot take effect.

·     If a critical domain has been specified for an ISP domain, do not specify that ISP domain as a critical domain. If you do so, that ISP domain cannot act as a critical domain.

·     To delete an ISP domain that has been specified as the critical domain, you must first use the undo authen-radius-unavailable online domain command to remove the critical domain setting from the ISP domain.

·     If non-none authentication, authorization, or accounting methods are configured in the critical domain for an ISP domain, the non-none authentication or authorization methods cannot take effect on users. However, the non-none accounting methods in the critical domain can take effect on users.

Examples

# Specify critical domain dm1 to accommodate users that access ISP domain test when all RADIUS servers are unavailable.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authen-radius-unavailable online domain dm1

Related commands

authen-radius-recover

display domain

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

·     The specified authentication scheme does not exist.

·     Authentication packet sending fails.

·     The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

◦     An exception occurs in the local authentication process.

◦     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain system, specify local as the default authentication method.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] authentication default local

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication ipoe

Use authentication ipoe to specify authentication methods for IPoE users.

Use undo authentication ipoe to restore the default.

Syntax

authentication ipoe { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-proxy [ radius-scheme radius-scheme-name | local ] * [ none ] | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ipoe

Default

The default authentication methods of the ISP domain are used for IPoE users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-proxy: Performs RADIUS proxy authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

·     The specified authentication scheme does not exist.

·     Authentication packet sending fails.

·     The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

◦     An exception occurs in the local authentication process.

◦     The user account is not configured on the device or the user is not allowed to use the IPoE service.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

If the RADIUS proxy feature is enabled on the device, you must specify RADIUS proxy authentication for IPoE users. When an IPoE user in the domain comes online, the device first matches the user MAC address and the RADIUS proxy client IP address with existing local proxy user entries. If a match is found, the user passes authentication. If no match is found, the device turns to the backup authentication methods. For example, the authentication ipoe radius-proxy radius-scheme radius-scheme-name local command specifies RADIUS proxy authentication as the primary authentication method and RADIUS authentication and local authentication as two backup methods. The device performs RADIUS proxy authentication first and turns to RADIUS authentication if RADIUS proxy authentication is invalid. The device performs local authentication if both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for IPoE users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication ipoe local

# In ISP domain test, perform RADIUS authentication for IPoE users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication ipoe radius-scheme rd local

Related commands

authentication default

local-user

radius scheme

radius-proxy

authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ ldap-scheme ldap-scheme-name | radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

Default

The default authentication methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

·     The specified authentication scheme does not exist.

·     Authentication packet sending fails.

·     The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

◦     An exception occurs in the local authentication process.

◦     The user account is not configured on the device or the user is not allowed to use the LAN access service.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

authentication default

ldap scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | local [ ldap-scheme ldap-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies RADIUS authentication as the primary method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

·     The specified authentication scheme does not exist.

·     Authentication packet sending fails.

·     The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡     An exception occurs in the local authentication process.

¡     The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.
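The method-chain semantics above, as an added example that is not H3C code: a Python model that walks a method list such as radius-scheme rd local none and distinguishes a method that is invalid (the next backup is tried) from one that fails (authentication ends for the user). The function names and the event/outcome vocabulary are this example's own assumptions.

```python
"""Model of the ISP-domain authentication method chain described above.

Added example, not H3C code. It simulates how the device walks a method
list such as "radius-scheme rd local none", distinguishing a method that is
INVALID (the device moves on to the next backup) from one that FAILS
(authentication ends for the user). Event and outcome names are constructed
for this simulation.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Outcomes a single method can produce for one login attempt.
PASS, FAIL, INVALID = "pass", "fail", "invalid"

# Reasons that make a remote (RADIUS/HWTACACS/LDAP) method invalid.
REMOTE_INVALID = {"scheme-missing", "send-failed", "no-response"}
# Reasons that make local authentication invalid (backup methods are tried).
LOCAL_INVALID = {"exception", "account-missing", "service-not-allowed"}


@dataclass(frozen=True)
class Method:
    kind: str          # radius-scheme | hwtacacs-scheme | ldap-scheme | local | none
    scheme: str = ""   # scheme name for remote methods


def method_outcome(method: Method, event: str) -> str:
    """Map what happened during one method to pass/fail/invalid.

    `event` is the constructed observation for that method, e.g. "accept",
    "reject", "no-response", "bad-password", "account-missing".
    """
    if method.kind == "none":
        return PASS                      # no authentication at all
    if method.kind == "local":
        if event == "accept":
            return PASS
        # Only the listed reasons let the device fall through to a backup;
        # anything else (e.g. a wrong password) is a hard failure.
        return INVALID if event in LOCAL_INVALID else FAIL
    # Remote method: an explicit reject is a failure, not a fallback trigger.
    if event == "accept":
        return PASS
    return INVALID if event in REMOTE_INVALID else FAIL


def authenticate(methods: Sequence[Method], events: Sequence[str]) -> Tuple[str, int]:
    """Walk the method list in order, as the device does.

    Returns (result, index): result is PASS or FAIL, index is the position of
    the method that decided the outcome.
    """
    for i, (m, ev) in enumerate(zip(methods, events)):
        outcome = method_outcome(m, ev)
        if outcome != INVALID:
            return outcome, i
    # Every configured method was invalid: the user is not authenticated.
    return FAIL, len(methods) - 1


def parse_methods(cli_args: str) -> List[Method]:
    """Parse the method part of an `authentication login ...` command,
    e.g. "radius-scheme rd local none", into Method objects."""
    tokens = cli_args.split()
    methods, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("radius-scheme", "hwtacacs-scheme", "ldap-scheme"):
            methods.append(Method(t, tokens[i + 1]))
            i += 2
        elif t in ("local", "none"):
            methods.append(Method(t))
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    return methods


if __name__ == "__main__":
    chain = parse_methods("radius-scheme rd local none")
    # RADIUS unreachable, local account missing -> 'none' admits the user.
    print(authenticate(chain, ["no-response", "account-missing", ""]))
    # RADIUS unreachable, wrong local password -> hard failure, no fallback.
    print(authenticate(chain, ["no-response", "bad-password", ""]))
```

The first run shows why a trailing none is fail-open: a user with no local account is admitted as soon as the RADIUS server stops answering.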

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication ppp

Use authentication ppp to specify authentication methods for PPP users.

Use undo authentication ppp to restore the default.

Syntax

authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication ppp

Default

The default authentication methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

The remote authentication method is invalid in the following situations:

·     The specified authentication scheme does not exist.

·     Authentication packet sending fails.

·     The device does not receive any authentication response packets from an authentication server.

The local authentication method is invalid if the device fails to find the matching local user configuration.

When the primary authentication method is local, the following rules apply to the authentication of a user:

·     The device uses the backup authentication methods in sequence only if local authentication is invalid for one of the following reasons:

¡     An exception occurs in the local authentication process.

¡     The user account is not configured on the device or the user is not allowed to use the PPP service.

·     The device does not turn to the backup authentication methods if local authentication is invalid because of any other reason. Authentication fails for the user.

Examples

# In ISP domain test, perform local authentication for PPP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication ppp local

# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

local-user

radius scheme

authentication super

Use authentication super to specify methods for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

To enable a user to obtain another user role without reconnecting to the device, you must configure user role authentication. The device supports local and remote methods for user role authentication. For more information about user role authentication, see RBAC configuration in Fundamentals Configuration Guide.

You can specify one authentication method and one backup authentication method, which is used when the first method is invalid.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain name test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

hwtacacs scheme

radius scheme

authentication-method none authorization-attribute

Use authentication-method none authorization-attribute to configure authorization attributes for none-authentication users.

Use undo authentication-method none authorization-attribute to restore the default.

Syntax

authentication-method none authorization-attribute session-timeout timeout

undo authentication-method none authorization-attribute session-timeout

Default

Authorization attributes for users in an ISP domain are those assigned by the server. If the server does not assign authorization attributes, the authorization attributes configured in the ISP domain are used.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

session-timeout timeout: Specifies an authorization session timeout timer in the range of 1 to 4294967294 seconds. The device logs out a user when the session timeout timer for the user expires. This attribute is applicable only to LAN access, PPP, and IPoE users.

Usage guidelines

None-authentication users are users that are allowed to come online without being authenticated.

Typically, a user's authorization attributes can be assigned by the authorization server or obtained from its ISP domain. The device does not distinguish the authentication methods of users when it issues the authorization attributes obtained from an ISP domain to the users.

To centrally manage authorization attributes for none-authentication users, perform this task to configure authorization attributes specific to these users in an ISP domain.

In the current software version, you can configure only the authorization session timeout timer for none-authentication users.

For none-authentication users, the authorization attributes configured by using this command take precedence over those configured by using the authorization-attribute command in ISP domain view.

Examples

# In ISP domain test, set the authorization session timeout timer to 60 seconds for none-authentication users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authentication-method none authorization-attribute session-timeout 60

Related commands

authorization-attribute

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform command authorization. Entered commands are not checked against an authorization server; a command is executed if the user's user role has permission for it.

Usage guidelines

Command authorization restricts login users to executing only authorized commands by employing an authorization server to verify whether each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user roles.

The commands that a user can execute are controlled by both the access permission of the user's user roles and command authorization by the authorization server. Access permission only controls whether the authorized user roles have access to the entered commands; it does not control whether the user has obtained authorization for these commands. If a command is permitted by the access permission but denied by command authorization, the command cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies HWTACACS authorization as the primary method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

command authorization (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Non-login users can access the network.

·     Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies RADIUS authorization as the primary method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the access service.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.
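The same-RADIUS-scheme rule above and the fail-open effect of a trailing none, as an added example that is not H3C code: a Python audit over a constructed Comware-style configuration excerpt that reports domains whose method chain ends in none and RADIUS authorization whose scheme differs from the authentication scheme used for the same users. The domain, scheme and service names and the finding texts are constructed for this example.

```python
"""Static audit of ISP-domain AAA method lists in a Comware-style config.

Added example, not H3C code. It applies two rules from this reference to a
constructed running-config excerpt: a chain that ends in `none` admits users
without authentication/authorization when every other method is invalid, and
RADIUS authorization only takes effect when the authentication method for
the same users uses the same RADIUS scheme. Finding texts are this example's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed configuration excerpt; domain, scheme and service names are
# illustrative only.
SAMPLE_CONFIG = """\
domain name test
 authentication login radius-scheme rd local none
 authorization login radius-scheme rd2 local
 authentication ppp radius-scheme rd local
 authorization ppp radius-scheme rd
 authentication lan-access local
 authorization lan-access radius-scheme rd local
domain name system
 authentication default local
 authorization default local
"""

LINE_RE = re.compile(
    r"^\s*(authentication|authorization)\s+(default|login|ppp|lan-access|ipoe)\s+(.*)$"
)


def parse_domains(config: str) -> Dict[str, Dict[Tuple[str, str], List[str]]]:
    """Return {domain: {(aaa_type, service): [method tokens]}}."""
    domains = defaultdict(dict)
    current = None
    for line in config.splitlines():
        if line.startswith("domain name "):
            current = line.split()[2]
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            domains[current][(m.group(1), m.group(2))] = m.group(3).split()
    return domains


def radius_scheme(tokens: List[str]) -> Optional[str]:
    """Name of the RADIUS scheme in a method list, if any."""
    for i, t in enumerate(tokens):
        if t == "radius-scheme" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def lookup(entries: dict, aaa_type: str, service: str) -> Optional[List[str]]:
    """Service-specific method list, falling back to the domain default."""
    return entries.get((aaa_type, service)) or entries.get((aaa_type, "default"))


def audit(config: str) -> List[Tuple[str, str, str]]:
    """Return (domain, service, finding) tuples for the two rules above."""
    findings = []
    for domain, entries in sorted(parse_domains(config).items()):
        for svc in sorted({svc for _, svc in entries}):
            # Rule 1: a chain that ends in `none` is fail-open.
            for aaa_type in ("authentication", "authorization"):
                chain = lookup(entries, aaa_type, svc)
                if chain and chain[-1] == "none":
                    findings.append((domain, svc,
                                     f"fail-open: {aaa_type} chain ends in 'none'"))
            # Rule 2: RADIUS authorization needs the same scheme as authentication.
            authn = lookup(entries, "authentication", svc) or []
            authz = lookup(entries, "authorization", svc) or []
            az_scheme = radius_scheme(authz)
            if az_scheme and az_scheme != radius_scheme(authn):
                findings.append((domain, svc,
                                 f"RADIUS authorization via '{az_scheme}' is ineffective: "
                                 f"authentication does not use the same RADIUS scheme"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```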

Examples

# In ISP domain system, specify local as the default authorization method.

<Sysname> system-view

[Sysname] domain name system

[Sysname-isp-system] authorization default local

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authorization ipoe

Use authorization ipoe to specify authorization methods for IPoE users.

Use undo authorization ipoe to restore the default.

Syntax

authorization ipoe { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-proxy [ radius-scheme radius-scheme-name | local ] * [ none ] | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ipoe

Default

The default authorization methods of the ISP domain are used for IPoE users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-proxy: Performs RADIUS proxy authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme. To use RADIUS proxy authorization, you must also use RADIUS proxy authentication.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the IPoE service.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

If RADIUS proxy authorization is used for IPoE users, the device performs authorization for an IPoE user depending on whether the user matches a local proxy user entry on the device. If a matching entry is found, the device assigns the authorization information of the entry to the user. If no matching entry is found, the device turns to the backup authorization methods. For example, the authorization ipoe radius-proxy radius-scheme radius-scheme-name local command specifies RADIUS proxy authorization as the primary authorization method and RADIUS authorization and local authorization as two backup methods. The device performs RADIUS proxy authorization first and turns to RADIUS authorization if RADIUS proxy authorization is invalid. The device performs local authorization if both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for IPoE users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization ipoe local

# In ISP domain test, perform RADIUS authorization for IPoE users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization ipoe radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

radius-proxy

authorization lan-access

Use authorization lan-access to specify authorization methods for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

authorization lan-access { local [ radius-scheme radius-scheme-name ] [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

Default

The default authorization methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the LAN access service.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users obtain the level-0 user role. Login users include the Telnet, FTP, SFTP, SCP, and terminal users. Terminal users can access the device through the console port. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies RADIUS authorization as the primary method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the service for accessing the device.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization ppp

Use authorization ppp to specify authorization methods for PPP users.

Use undo authorization ppp to restore the default.

Syntax

authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name ] * [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization ppp

Default

The default authorization methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

The remote authorization method is invalid in the following situations:

·     The specified authorization scheme does not exist.

·     Authorization packet sending fails.

·     The device does not receive any authorization response packets from an authorization server.

The local authorization method is invalid if the device fails to find the matching local user configuration.

When the primary authorization method is local, the following rules apply to the authorization of a user:

·     The device uses the backup authorization methods in sequence only if local authorization is invalid for one of the following reasons:

¡     An exception occurs in the local authorization process.

¡     The user account is not configured on the device or the user is not allowed to use the PPP service.

·     The device does not turn to the backup authorization methods if local authorization is invalid because of any other reason. Authorization fails for the user.

Examples

# In ISP domain test, perform local authorization for PPP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization ppp local

# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization ppp radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minutes [ flow ] [ traffic { both | inbound | outbound } ] | igmp max-access-number max-access-number | ip-pool ipv4-pool-name | ip-pool-group ipv4-pool-group-name | { ipv4 | ipv6 } multicast-user-profile profile-name | ipv6-nd-prefix-pool ipv6-prefix-pool-name | ipv6-nd-prefix-pool-group ipv6-prefix-pool-group-name | ipv6-pool ipv6-pool-name | ipv6-pool-group ipv6-pool-group-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number max-access-number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | redirect-times times | session-group-profile session-group-profile-name | session-timeout timeout | url url-string [ unlimited ] | user-group user-group-name | user-priority { inbound | outbound } priority | user-profile [ inbound | outbound ] profile-name | vpn-instance vpn-instance-name }

undo authorization-attribute { acl | car | idle-cut | igmp | ip-pool | ip-pool-group | ipv6-nd-prefix-pool | ipv6-nd-prefix-pool-group | ipv6-pool | ipv6-pool-group | { ipv4 | ipv6 } multicast-user-profile | ipv6-prefix | mld | primary-dns | redirect-times | secondary-dns | session-group-profile | session-timeout | url | user-group | user-priority { inbound | outbound } | user-profile [ inbound | outbound ] | vpn-instance }

Default

The idle cut feature is disabled.

An IPv4 user can concurrently join a maximum of four IGMP multicast groups.

An IPv6 user can concurrently join a maximum of four MLD multicast groups.

The device redirects a maximum of two times a user's Web visit requests to the redirect URL.

No other authorization attributes exist.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 4999. This option is applicable only to LAN users. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.

car: Specifies a CAR action for users. This keyword is applicable only to IPoE and PPP users.

inbound: Specifies the upload rate of users.

outbound: Specifies the download rate of users.

cir committed-information-rate: Specifies the committed information rate in kbps. The value range for the committed-information-rate argument is 8 to 300000000.

pir peak-information-rate: Specifies the peak information rate in kbps. The peak information rate must be equal to or greater than the committed information rate. If you do not specify this option, the CAR action does not restrict users by peak information rate. The value range for the peak-information-rate argument is 8 to 300000000.

idle-cut minutes: Sets an idle timeout period in minutes. The value range for the minutes argument is 1 to 600. This option is applicable only to PPP and IPoE users.

flow: Specifies the minimum traffic that must be generated in the idle timeout period, in bytes. The value range is 1 to 10240000, and the default value is 10240.

traffic: Specifies the traffic direction for the idle cut feature. If you do not specify this keyword, the idle cut feature applies to both traffic directions.

both: Specifies both traffic directions.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to IPoE and PPP users.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for users. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP and IPoE users.

ip-pool-group ipv4-pool-group-name: Specifies an IPv4 address pool group for users. The ipv4-pool-group-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to IPoE and PPP users.

ipv4: Specifies an IPv4 multicast user profile.

ipv6: Specifies an IPv6 multicast user profile.

multicast-user-profile profile-name: Specifies a multicast user profile by its name, a case-sensitive string of 1 to 31 characters. The multicast user profile restricts multicast traffic of users. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The name can begin with a letter or digit, but it cannot be all digits. This option is applicable only to IPoE and PPP users.

ipv6-nd-prefix-pool ipv6-prefix-pool-name: Specifies an ND prefix pool for users. The ipv6-prefix-pool-name argument represents an IPv6 address pool used to assign ND prefixes to users, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to IPoE and PPP users, in scenarios where each user has an exclusive IPv6 prefix.

ipv6-nd-prefix-pool-group ipv6-prefix-pool-group-name: Specifies an ND prefix pool group for IPv6 users. The ipv6-prefix-pool-group-name argument represents the name of an IPv6 address pool group used to assign ND prefixes to users, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to PPP and IPoE users, in scenarios where each user has an exclusive IPv6 prefix, and it has lower priority than the ipv6-nd-prefix-pool option.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument represents an IPv6 address pool to assign IPv6 addresses to users, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to IKE, IPoE, and PPP users.

ipv6-pool-group ipv6-pool-group-name: Specifies an IPv6 address pool group for users. The ipv6-pool-group-name argument represents an IPv6 address pool group, and it is a case-insensitive string of 1 to 63 characters. This option is applicable only to IPoE, L2TP, and PPP users.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the prefix-length argument is 1 to 128. This option is applicable only to IPoE, L2TP, and PPP users.

mld max-access-number max-access-number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to IPoE and PPP users.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to IPoE, L2TP, and PPPoE users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to IPoE, L2TP, and PPPoE users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to IPoE, L2TP, and PPPoE users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to IPoE, L2TP, and PPPoE users.

redirect-times times: Sets the maximum number of times allowed by the device to redirect a user to the redirect URL. If the maximum number is reached and the device does not receive any Web request destined for the redirect URL from the user, the device stops redirecting that user to the redirect URL. The value range for the times argument is 1 to 10. This option is applicable only to PPPoE, L2TP, and IPoE users.

session-group-profile session-group-profile-name: Specifies an authorization session group profile for users. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters and can contain only letters, digits, underscores (_), and dots (.). The string can begin with a letter or a digit, but it cannot be all digits. The session-group-profile session-group-profile-name option is applicable only to IPoE and PPP users.

session-timeout timeout: Specifies the session timeout time for users, in seconds. The value range for the timeout argument is 1 to 4294967294. The device logs out a user when the session timeout timer for the user expires. If the RADIUS server assigns a user the Session-Timeout attribute, the value in the assigned attribute takes precedence. This attribute is applicable only to PPP, L2TP, IPoE, and LAN users.

url url-string: Specifies the redirect URL for users. Users are redirected to the URL. For example, the device can redirect the users to the webpages that display advertisements or notices the first time the users access the network after they pass authentication. When the charge of a user is overdue, the device can redirect that user to the charge notification page. The url-string argument is a case-sensitive string of 1 to 255 characters and must begin with http:// or https://. This option is applicable only to IPoE, L2TP, and PPPoE users. For IPoE users, specify a URL that uses port number 80 or 443. For PPPoE and L2TP users, specify a URL that uses port number 80 or 8080.

unlimited: Does not limit the number of times that the device redirects a user to the redirect URL. If you do not specify this keyword, the device limits the number of times that it redirects a user to the redirect URL based on the redirect-times attribute.

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

user-priority: Specifies a user priority for users. The device uses the specified user priority to perform QoS priority mapping on user packets, and then assigns the user packets to a queue based on the target priority. Packets in a high-priority queue are preferentially scheduled when congestion occurs. In addition, the device replaces the value of the IP Precedence field in upstream packets of users with the specified user priority. You can set the upstream user priority in conjunction with the downstream user priority. By default, no user priority is assigned to users. This keyword is applicable to PPPoE, L2TP, and IPoE users.

inbound: Applies the user priority to upstream packets of users.

outbound: Applies the user priority to downstream packets of users. L2TP users do not support this keyword.

priority: Specifies a user priority in the range of 0 to 7. The greater the value, the higher the priority.

user-profile: Specifies an authorization user profile for users. The user profile restricts the behavior of authenticated users. This attribute is applicable only to IPoE, LAN, and PPP users. If you do not specify the inbound or outbound keyword after this keyword, the specified user profile applies to both upstream and downstream packets of users.

inbound: Applies the user profile to upstream packets of users.

outbound: Applies the user profile to downstream packets of users.

profile-name: Specifies an authorization user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. When a user passes authentication, it has permission to access the network resources in the specified VPN. This option is applicable only to PPP and IPoE users.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If authorization attributes are configured in an IPoE preauthentication domain, the device assigns the attributes to the users after the users pass preauthentication and obtain IP addresses. The attributes restrict access behaviors of the users before the users pass Web authentication.

If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user. However, if the server authorizes the CAR action attribute only for one direction, the device does not authorize the CAR action attribute of the ISP domain for the other direction.

In addition to the redirect-times times and url url-string [ unlimited ] options, the device also supports the Web-URL and Authen-Detail-Result attributes assigned by a RADIUS server. The device interprets the Web-URL attribute as a redirect URL and the Authen-Detail-Result attribute as a redirect action. Redirect actions include stopping redirecting a user to the redirect URL, redirecting a user to the redirect URL every time, and redirecting a user to the redirect URL a number of times.

When a PPPoE or IPoE user comes online, the following rules apply to the redirect URL attributes:

·     If the server assigns a redirect URL with action redirecting the user to the redirect URL every time, the device uses the server-assigned redirect URL and does not limit the number of redirect times.

·     If the server assigns a redirect URL with action redirecting the user to the redirect URL a number of times, the device uses the server-assigned redirect URL and limits the redirect times based on the redirect-times attribute in the ISP domain. If the redirect-times times option is not configured, the maximum number of redirect times is 2.

·     If the server does not assign a redirect URL, the device uses the configuration of the url and redirect-times parameters in the ISP domain. In addition, the device will ignore the Authen-Detail-Result attribute assigned by the server.

¡     If the unlimited keyword is specified for URL redirection in the ISP domain, the device does not limit the number of redirect times.

¡     If the unlimited keyword is not specified for URL redirection in the ISP domain, the device limits the number of redirect times based on the configuration of the redirect-times times option.

When a PPPoE or IPoE user is online, the following rules apply to the redirect URL attributes:

·     If the server assigns the action of stopping redirecting the user to the redirect URL, the device stops redirecting the Web visit requests of that user to the redirect URL.

·     If the server assigns the action of redirecting the user to the redirect URL every time, the following rules apply:

¡     If the server assigns a redirect URL, the device uses the server-assigned redirect URL and does not limit the number of redirect times.

¡     If the server does not assign a redirect URL, the device ignores the server-assigned redirect action and returns redirect attribute assignment failure to the server.

·     If the server assigns the action of redirecting the user to the redirect URL a number of times, the following rules apply:

¡     If the server assigns a redirect URL, the device uses the server-assigned redirect URL and limits the number of redirect times based on the configuration of the redirect-times times option in the ISP domain. If the redirect-times times option is not configured, the maximum number of redirect times is 2.

¡     If the server does not assign a redirect URL, the device ignores the server-assigned redirect action and returns redirect attribute assignment failure to the server.
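The two rule lists above are a precedence table that is easy to get wrong when a portal or CoA server is being integrated. The following Python example, added here and not part of the H3C documentation, encodes both lists (user coming online and user already online) as one function, together with a check of the url-string constraints stated for the url option (scheme, length, and the per-access-type port rules). The data classes, the action names "stop", "every-time" and "n-times" used to stand for the three Authen-Detail-Result redirect actions, and the handling of a domain with no url configured (treated as "do not redirect") are assumptions of this example, not device behaviour documented on this page.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Device default when "authorization-attribute redirect-times" is not configured.
DEFAULT_REDIRECT_TIMES = 2

# Port constraints stated for "authorization-attribute url", per access type.
ALLOWED_URL_PORTS = {"ipoe": {80, 443}, "pppoe": {80, 8080}, "l2tp": {80, 8080}}


@dataclass
class DomainRedirect:
    """Redirect settings of the ISP domain (hypothetical config object)."""
    url: Optional[str] = None              # authorization-attribute url url-string
    unlimited: bool = False                # ... [ unlimited ]
    redirect_times: Optional[int] = None   # authorization-attribute redirect-times times


@dataclass
class ServerRedirect:
    """Redirect attributes received from the RADIUS server (assumed field names)."""
    web_url: Optional[str] = None          # Web-URL attribute
    action: Optional[str] = None           # Authen-Detail-Result: "stop" | "every-time" | "n-times"


@dataclass
class Decision:
    url: Optional[str]           # None: the user is not redirected
    max_times: Optional[int]     # None: unlimited redirects
    attr_failure: bool = False   # device reports redirect attribute assignment failure


def validate_redirect_url(url: str, access_type: str) -> bool:
    """Check a url-string against the documented constraints: 1 to 255 characters,
    http:// or https://, and a port the access type allows (80/443 for IPoE,
    80/8080 for PPPoE and L2TP). An implicit port is derived from the scheme."""
    if not 1 <= len(url) <= 255:
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port            # raises ValueError for a malformed port
    except ValueError:
        return False
    if port is None:
        port = 80 if parts.scheme == "http" else 443
    return port in ALLOWED_URL_PORTS[access_type]


def resolve_redirect(domain: DomainRedirect, server: ServerRedirect, user_online: bool) -> Decision:
    """Apply the precedence rules for a PPPoE/IPoE user coming online (user_online=False)
    or already online, i.e. attributes pushed by the server later (user_online=True)."""
    limit = DEFAULT_REDIRECT_TIMES if domain.redirect_times is None else domain.redirect_times

    if not user_online:
        if server.web_url is not None:
            if server.action == "every-time":
                return Decision(server.web_url, None)
            if server.action == "n-times":
                return Decision(server.web_url, limit)
            raise ValueError("combination not covered by the documented rules")
        # No server URL: the ISP domain url/redirect-times apply and Authen-Detail-Result is ignored.
        if domain.url is None:
            return Decision(None, None)   # assumption: nothing configured, so no redirect
        return Decision(domain.url, None if domain.unlimited else limit)

    # User already online.
    if server.action == "stop":
        return Decision(None, None)
    if server.action in ("every-time", "n-times"):
        if server.web_url is None:
            return Decision(None, None, attr_failure=True)
        return Decision(server.web_url, None if server.action == "every-time" else limit)
    raise ValueError("combination not covered by the documented rules")
```

Note that validate_redirect_url rejects an https:// URL with no explicit port for PPPoE and L2TP users, because the implicit port 443 is not in the list the page gives for those access types; that is exactly the kind of mismatch that makes a redirect silently stop working after a portal is moved to TLS.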

You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same attribute specified, the most recent configuration takes effect.

If both the address pool group and address pool attributes are assigned to a user, the address pool attribute has higher priority.

The authorization-attribute redirect-times command has lower priority than the active period for the redirect URL configured by using the redirect active-time command.

When you configure an authorization user profile, follow these guidelines:

·     If you configure different user profiles for the same direction, only the most recent configured user profile takes effect. For example, if you execute the authorization-attribute user-profile xyz and authorization-attribute user-profile inbound abc commands in sequence, only user profile abc takes effect.

·     If you configure user profiles for both directions, both the user profiles take effect. For example, if you execute the authorization-attribute user-profile inbound abc and authorization-attribute user-profile outbound def commands in sequence, both user profiles abc and def take effect.

For users that access the network from an interface configured with multicast access control, the multicast traffic is restricted by the multicast user profile authorized to the users. If both a multicast user profile and a user profile are configured in the ISP domain, only the multicast user profile takes effect. If no multicast user profile but only a user profile is configured in the ISP domain, the user profile takes effect.

When you specify an authorization ACL, the authorization ACL is invalid if it does not exist or does not contain rules.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

redirect active-time

basic-service-ip-type

Use basic-service-ip-type to specify the types of IP addresses that PPPoE and L2TP users must rely on to use the basic services.

Use undo basic-service-ip-type to restore the default.

Syntax

basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *

undo basic-service-ip-type

Default

PPPoE and L2TP users do not rely on any types of IP addresses to use the basic services.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ipv6-pd: Specifies the IPv6-PD address type. IPv6 addresses of this type are generated from the prefix assigned by the DHCPv6 server.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server or L2TP LNS.

A PPPoE or L2TP user might request multiple services that use different IP address types. By default, the device logs off the user if the user fails to obtain IP addresses of all the requested types. This command allows the user to come online as long as the user has obtained IP addresses of the specified types, which the basic services rely on.

The device does not allow a PPPoE or L2TP user to come online if the user does not obtain IP addresses of all the specified types for the basic services. For example, if you execute the basic-service-ip-type ipv6 command, the device does not allow a user to come online if the user does not obtain an IPv6 address.

If you specify both the ipv6 and ipv6-pd keywords, the device does not allow a PPPoE or L2TP user that fails IPv6 address negotiation or PD negotiation to come online.

Examples

# In ISP domain test, specify that PPPoE and L2TP users rely on IPv4 addresses to use the basic services.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] basic-service-ip-type ipv4

Related commands

display domain

dhcpv6-follow-ipv6cp

Use dhcpv6-follow-ipv6cp to set the IPv6 address wait timer for PPPoE and L2TP users.

Use undo dhcpv6-follow-ipv6cp to restore the default.

Syntax

dhcpv6-follow-ipv6cp timeout delay-time

undo dhcpv6-follow-ipv6cp

Default

The IPv6 address wait timer is 60 seconds for PPPoE and L2TP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

timeout delay-time: Specifies the IPv6 address wait timer, in the range of 30 to 1000 seconds.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server or L2TP LNS.

The IPv6 address wait timer defines the maximum amount of time that a user can wait before the device determines that the user fails to obtain an IPv6 address or PD prefix.

The device starts an IPv6 address wait timer for a user after it finishes IPv6CP negotiation with the user. If the user's basic service relies on an IPv6 address or PD prefix but it fails to obtain any IPv6 address or PD prefix when the timer expires, the user cannot come online.

As a best practice, increase the IPv6 address wait timer in the following situations:

·     The network connectivity is unstable.

·     The device uses DHCPv6 to assign IPv6 addresses to users.

·     The ISP domain serves a large number of PPPoE and L2TP users.
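The admission decision described for basic-service-ip-type and dhcpv6-follow-ipv6cp depends on three things: which address types the user's services requested, which types the domain declares as required for the basic services, and whether the IPv6 address or PD prefix arrived before the wait timer (started at the end of IPv6CP) expired. The following Python example, added here and not taken from the H3C documentation, models that decision over a constructed session timeline so the interaction of the two commands can be checked before a domain is rolled out. The DomainConfig and SessionEvents classes and the timeline values are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

IP_TYPES = frozenset({"ipv4", "ipv6", "ipv6-pd"})   # keywords of basic-service-ip-type
DEFAULT_IPV6_WAIT_SECONDS = 60                       # default of dhcpv6-follow-ipv6cp


@dataclass
class DomainConfig:
    """ISP domain settings relevant to admission (hypothetical config object)."""
    basic_service_ip_type: frozenset = frozenset()     # empty: command not configured
    ipv6_wait_seconds: int = DEFAULT_IPV6_WAIT_SECONDS  # dhcpv6-follow-ipv6cp timeout delay-time

    def __post_init__(self):
        unknown = self.basic_service_ip_type - IP_TYPES
        if unknown:
            raise ValueError(f"unknown address types: {sorted(unknown)}")
        if not 30 <= self.ipv6_wait_seconds <= 1000:
            raise ValueError("dhcpv6-follow-ipv6cp timeout must be 30 to 1000 seconds")


@dataclass
class SessionEvents:
    """Constructed timeline of one PPPoE/L2TP session, in seconds from session start."""
    requested: frozenset                       # IP types the user's services request
    ipv6cp_done_at: Optional[float] = None     # None: IPv6CP never completed
    obtained_at: dict = field(default_factory=dict)   # ip type -> time it was obtained


def obtained_in_time(cfg: DomainConfig, ev: SessionEvents) -> set:
    """IPv4 counts whenever it was obtained. IPv6 and IPv6-PD count only if IPv6CP
    completed and the address/prefix arrived before the IPv6 address wait timer expired."""
    deadline = None if ev.ipv6cp_done_at is None else ev.ipv6cp_done_at + cfg.ipv6_wait_seconds
    got = set()
    for ip_type, t in ev.obtained_at.items():
        if ip_type in ("ipv6", "ipv6-pd") and (deadline is None or t > deadline):
            continue
        got.add(ip_type)
    return got


def admit(cfg: DomainConfig, ev: SessionEvents) -> tuple:
    """Return (online, reason). Without basic-service-ip-type every requested type is
    required; with it, only the configured types are required for the user to come online."""
    got = obtained_in_time(cfg, ev)
    required = cfg.basic_service_ip_type or ev.requested
    missing = required - got
    if missing:
        return False, "logged off: missing " + ", ".join(sorted(missing))
    return True, "online"


if __name__ == "__main__":
    # Dual-stack user whose DHCPv6 reply is slow (70 s after IPv6CP): rejected with the
    # 60 s default, accepted once the timer is raised to 90 s or IPv6 is not a basic service.
    slow_v6 = SessionEvents(frozenset({"ipv4", "ipv6"}), ipv6cp_done_at=1.0,
                            obtained_at={"ipv4": 0.5, "ipv6": 71.0})
    print(admit(DomainConfig(), slow_v6))
    print(admit(DomainConfig(ipv6_wait_seconds=90), slow_v6))
    print(admit(DomainConfig(basic_service_ip_type=frozenset({"ipv4"})), slow_v6))
```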

Examples

# In ISP domain test, set the IPv6 address wait timer to 90 seconds for PPPoE and L2TP users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90

Related commands

basic-service-ip-type

display domain

display aaa abnormal-offline-record

Use display aaa abnormal-offline-record to display user abnormal offline records.

Syntax

In standalone mode:

display aaa abnormal-offline-record { access-type { ipoe | lan-access | login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa abnormal-offline-record offline-reason { idle-cut | quota-out | realtime-acct-fail | session-timeout | user-detect-fail } [ brief ]

display aaa abnormal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa abnormal-offline-record

In IRF mode:

display aaa abnormal-offline-record { access-type { ipoe | lan-access | login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa abnormal-offline-record offline-reason { idle-cut | quota-out | realtime-acct-fail | session-timeout | user-detect-fail } [ brief ]

display aaa abnormal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa abnormal-offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

ipoe: Specifies IPoE users.

lan-access: Specifies LAN users.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

offline-reason: Specifies a user offline reason.

idle-cut: Specifies the reason as session idle timeout.

quota-out: Specifies the reason as data quota out.

realtime-acct-fail: Specifies the reason as realtime accounting failure.

session-timeout: Specifies the reason as session timeout.

user-detect-fail: Specifies the reason as user online detection failure.

time: Specifies user abnormal offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user abnormal offline records on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user abnormal offline records. If you do not specify this keyword, the command displays detailed information about user abnormal offline records.

count count: Specifies the number of user abnormal offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user abnormal offline records. This command displays the most recent user abnormal offline records that match the specified criteria in reverse chronological order.

If user abnormal offline records exist in the system, you can use this command to display the records regardless of whether user abnormal offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user abnormal offline records for all users.

If the usernames that the server sends to the device contain invisible characters, an exact username match cannot find those users. Specify the fuzzy-match keyword to display records for users with such usernames.

Examples

# Display detailed information about abnormal offline records for all users.

<Sysname> display aaa abnormal-offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: SSH

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019/01/02 15:20:33

Offline time: 2019/02/28 15:20:56

Offline reason: User disconnected from the server.

# Display brief information about abnormal offline records for login users.

<Sysname> display aaa abnormal-offline-record access-type login brief

Username: jay

MAC address: -

IP address: 11.2.2.41

IPv6 address: -

Offline reason: User disconnected from the server.
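Offline records are worth more to an operations team once they are parsed and bucketed by reason: repeated "RADIUS authentication rejected." records for one username and source address look like credential guessing against a login account, and a burst of "No AAA response ..." records points at a RADIUS outage rather than at users. The Python example below, added here and not part of the H3C documentation, parses the detailed and brief output formats shown above into records and tallies them. The sample text is constructed: the jay record is the one printed above, and the two admin records are invented. The grouping of Table 2 reasons into categories, the assumption that every record starts at its "Username:" line (the page shows only a single record), and the alert threshold are choices of this example, not documented device behaviour.

```python
from collections import Counter

# Constructed sample in the detailed output format: the page's "jay" record plus two
# invented records for a login account that was rejected twice from the same address.
SAMPLE_OUTPUT = """\
Total count: 3
Username: jay
Domain: dm1
MAC address: -
Access type: SSH
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.2
IPv6 address: -
Online request time: 2019/01/02 15:20:33
Offline time: 2019/02/28 15:20:56
Offline reason: User disconnected from the server.
Username: admin
Domain: dm1
MAC address: -
Access type: SSH
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: -/-
IP address: 203.0.113.7
IPv6 address: -
Online request time: 2019/03/01 02:11:05
Offline time: 2019/03/01 02:11:06
Offline reason: RADIUS authentication rejected.
Username: admin
Domain: dm1
MAC address: -
Access type: SSH
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: -/-
IP address: 203.0.113.7
IPv6 address: -
Online request time: 2019/03/01 02:11:09
Offline time: 2019/03/01 02:11:10
Offline reason: RADIUS authentication rejected.
"""

# Reason strings from Table 2, grouped by what an operator should do about them (this
# grouping is an assumption of the example). Comparison ignores case and the trailing period.
REASON_CATEGORIES = {
    "credential-reject": {"radius authentication rejected", "tacacs authentication rejected",
                          "local authentication request was rejected",
                          "the local user doesn't exist", "authentication failed"},
    "aaa-unreachable": {"no aaa response during authentication",
                        "no aaa response for accounting start", "no aaa response for accounting stop",
                        "authentication request to aaa failed", "accounting request to aaa failed"},
    "admin-action": {"cut command", "logged off by the radius server", "nas request", "admin reboot"},
    "limit-reached": {"concurrent user login limit reached", "nas interface access limit reached",
                      "maximum number of concurrent users that use this account already reached"},
}


def parse_offline_records(text: str):
    """Parse "Field: value" output into (total_count, [record dicts]). Works for both the
    detailed and the brief format; a record is assumed to start at its "Username:" line."""
    total, records, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only: values may contain colons
        key, value = key.strip(), value.strip()
        if key == "Total count":
            total = int(value)
        elif key == "Username":
            current = {key: value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return total, records


def classify_reason(reason: str) -> str:
    key = reason.strip().rstrip(".").lower()
    for category, reasons in REASON_CATEGORIES.items():
        if key in reasons:
            return category
    return "other"


def triage(records, reject_threshold: int = 2):
    """Return (count per category, {(username, ip): n} for credential rejections that
    reached the threshold). Keying on username plus source address separates a guessing
    attempt from a user who mistyped a password on several devices."""
    by_category = Counter(classify_reason(r.get("Offline reason", "")) for r in records)
    rejects = Counter()
    for r in records:
        if classify_reason(r.get("Offline reason", "")) == "credential-reject":
            rejects[(r.get("Username", ""), r.get("IP address", "-"))] += 1
    flagged = {k: n for k, n in rejects.items() if n >= reject_threshold}
    return by_category, flagged


if __name__ == "__main__":
    total, recs = parse_offline_records(SAMPLE_OUTPUT)
    print(f"{len(recs)} of {total} records parsed")
    print(triage(recs))
```

The records here come from the device's own history, so the check is only as good as the recording features (aaa abnormal-offline-record enable and the online-fail counterpart) left switched on; the usage guidelines note that existing records remain viewable after recording is disabled, which makes an unexpectedly static record set itself worth a look.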

Table 1 Command output

Field

Description

Total count

Total number of matching user abnormal offline records.

Username

Name of a user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the MAC address.

Access type

Access type of the user:

·     PPPoPhy—PPP over physical link.

·     PPPoE—PPP over Ethernet.

·     PPPoL2TP—PPP over L2TP.

·     PPPoEA—PPPoEA user.

·     PPPoFR—PPP over Frame Relay.

·     VPPP—L2TP auto dial-up.

·     802.1X—Access based on 802.1X authentication.

·     Web authentication.

·     Telnet—Telnet access.

·     FTP—FTP access.

·     SSH—SSH access.

·     IPoE—Common IPoE user.

·     IPoE interface leased—IPoE interface leased user.

·     IPoE subnet leased—IPoE subnet leased user.

·     IPoE L2VPN leased—IPoE L2VPN leased user.

·     IPoE static—IPoE static user.

·     NETCONF over SOAP—Access through NETCONF over SOAP sessions.

·     NETCONF over RESTful—Access through NETCONF over RESTful sessions.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Offline time

Time when the user went offline.

Offline reason

Reason that the user went offline. For more information about the reasons, see Table 2.

Detailed message

Detailed information about the offline reason, including the following:

·     Location of the interface card or UP through which the user accesses the network.

·     Reason that the user went offline.

This field is displayed only when the interface card or UP fails.


Table 2 shows user online failure reasons and user offline reasons. Support for the reasons depends on the device model.

Table 2 User online failure reasons and user offline reasons

Reason

Description

Lost carrier.

The physical link went down.

Lost service.

The service that the user requested is not supported.

NAS error.

An error occurred on the device.

NAS reboot.

The device rebooted.

Admin reboot.

The administrator rebooted the device.

Process exit.

The access process exited.

NAS request.

The device requested to log out the user.

Cut command.

The administrator manually logged out the user at the CLI.

Logged off by the RADIUS server.

The RADIUS server logged out the user.

User request.

The user requested to go offline.

Authentication failed.

Authentication failed.

Authorization failed.

Authorization failed.

Start accounting failed.

The device failed to start accounting for the user.

No AAA response during authentication.

The device did not receive a response from the remote authentication server within the authentication timeout time.

RADIUS authentication rejected.

The user failed RADIUS authentication because the username or password was inconsistent with that on the RADIUS server.

AAA authorization information invalid.

The authorization information was invalid or the device did not have configuration of the authorized items.

No AAA response for accounting start.

The device did not receive a response for the start-accounting request sent to the remote server within the start-accounting timeout time.

Authentication request to AAA failed.

The device failed to send the authentication request to the RADIUS server because the route between the device and the RADIUS server is unreachable.

Accounting request to AAA failed.

The device failed to send the accounting request to the RADIUS server because the route between the device and the RADIUS server is unreachable.

TACACS authentication rejected.

The user failed HWTACACS authentication because the username or password was inconsistent with that on the HWTACACS server.

Authentication method error.

The authentication method of the user was inconsistent with the authentication method configured on the access interface.

No AAA response for accounting stop.

The device did not receive a response for the stop-accounting request sent to the server.

The local user doesn't exist.

The local user does not exist on the device.

Local authentication request was rejected.

The user failed local authentication because of incorrect password.

IP assignment failed.

IP address assignment for the user failed.

Concurrent user login limit reached.

Maximum number of concurrent local users that use the username already reached.

NAS interface access limit reached.

Maximum number of online users on the interface already reached.

Maximum number of concurrent users that use this account already reached.

Maximum number of concurrent users that use the username already reached.

PPP negotiation terminated.

PPP negotiation for the user failed.

Insufficient hardware resources.

Hardware resources were insufficient.

Failed to obtain IPv6 prefix.

No IPv6 prefix was available to be assigned to the user.

No response from DHCP server.

The device did not receive a response for the request sent to the DHCP server to apply an IP address for the user.

DHCP IP address allocation failure.

DHCPv6 address assignment for the user failed. Possible reasons include:

·     No authorization IPv6 pool is configured in the ISP domain.

·     The IPv6 pool is being locked.

DHCP session conflict.

The DHCP session to be created conflicted with an existing DHCP session.

DHCP user request.

The DHCP user requested to go offline.

DHCP lease timeout.

The allocated IP address lease of the DHCP user expired.

DHCP declined.

The device received a DHCP-decline packet from the DHCP user because the allocated IP address was being used by another DHCP user.

DHCP configuration changed.

The DHCP configuration changed.

UP ID synchronization between DHCP and UPLB failed.

N/A

DHCP configuration synchronization between CTRL-VM and BRAS-VM failed.

N/A

DHCP VSRP status changed to Down.

The master server or backup server in the VSRP group went down.

Address leases deleted in bulk on the VSRP backup device.

N/A

Address leases deleted upon CPDR backup mode change from hot to cold.

N/A

Network for the DHCP pool was deleted.

The device automatically deletes the IP address leases from a DHCP address pool upon deletion of the network configuration for that pool.

All subnets in the DHCP address pool have been allocated.

No idle subnets are available for allocation in the ODAP-type IP address pool.

All subnets in the DHCP address pool group have been allocated.

No idle subnets are available for allocation in the ODAP-type IP address pool group.

All subnets in the DHCPv6 address pool have been allocated.

No idle subnets are available for allocation in the ODAP-type IPv6 address pool.

All subnets in the DHCPv6 address pool group have been allocated.

No idle subnets are available for allocation in the ODAP-type IPv6 address pool group.

All prefix ranges in the DHCPv6 address pool have been allocated.

No idle prefix ranges are available for allocation in the ODAP-type IPv6 address pool.

All prefix ranges in the DHCPv6 address pool group have been allocated.

No idle prefix ranges are available for allocation in the ODAP-type IPv6 address pool group.

NAK from the DHCP server or tenant duration is 0.

The IP address that the DHCP user requested was not on the network segment specified for IP assignment on the device or the lease duration of the address was not extended.

IP conflict on DHCP server.

The device detected an IP address conflict.

DHCP server notified.

The DHCP server instructed the device to log off the user.

DHCP server notified, and the device deleted the user.

The DHCP server instructed the device to log off the user and the device deleted the user.

Force user offline by up switch unbind.

The user was forced offline because the master and backup interface pair was removed from the UP backup profile.

Force user offline by deleting the remote interface.

The user was forced offline because the remote interface for the user access interface on the UP was deleted.

Force user offline by removing the interface from up-backup-profile in warm-standby mode.

The user was forced offline because the interface was removed from the UP backup profile for UP backup in warm standby mode.

DHCPv6 requests with DUID mismatch.

With ipv6 dhcp duid-mismatch offline configured, the DHCPv6 server received a DHCPv6 request with the same MAC address but different DUID from a user, and deleted the lease of the online user.

DHCP with dhcp user offline configured.

With dhcp user offline configured, the DHCP device received a DHCP-DISCOVER or REBOOT-REQUEST with the same MAC address as a user, and deleted the lease of the online user.

DHCP with the fast-renew method specified for roaming users.

With (ipv6)dhcp session-mismatch action fast-renew configured, the DHCP device received a DHCP/DHCPv6 request from a user with the same MAC address but a changed physical location, and deleted the lease of the online user.

DHCP with dhcp conflict-ip-address offline configured.

With dhcp conflict-ip-address offline configured, the device detected an IP address conflict between an assigned IP address and the IP address of an online user, and deleted the online user.

DHCP-UCM smooth aging by equal MAC.

During smooth transition between DHCP and UCM, the DHCP device already has a user entry with the same MAC address as an address synchronized from UCM, and deleted the user entry on DHCP.

DHCP request interface address.

The DHCP user requests an interface address of the device.

DHCP lease release with ICMP.

The system detected a user address conflict through ICMP packets and released the lease.

DHCP request IP is used.

The address requested by the user is already in use.

DHCP request info mismatch.

The PPP user already exists on DHCP but the user information, such as VLAN, is inconsistent.

DHCP request IP conflict of NDRA relogin user.

The address requested by NDRA user reassociation is a conflicting address.

DHCP reserve IP in detect subnet table.

The requested reserved IP address is already in the detect subnet table.

DHCP reserve prefix failed due to share type conflict.

The share type of the reserved prefix requested by the user is inconsistent with the actual share type of the prefix.

DHCP reserve unshare prefix is used.

The requested non-share reserved prefix is already in use.

DHCP reserve share prefix already used by another type user.

The requested share reserved prefix is used by a user of another type.

DHCP reserve subnet is used.

The requested reserved subnet is already in use.

DHCP reserve subnet in detect IP table.

The requested reserved subnet is already in the detect IP table.

DHCP reserve subnet is used by unknown source.

The requested reserved subnet is used by an unknown source user.

Invalid DHCP request info, pool-group not exist.

The requested address pool group does not exist.

DHCP temporarily not process the user request.

The user request has not yet been processed.

Invalid DHCP request info, pool VPN not exist.

The configured VPN for the address pool does not exist.

Invalid DHCP request info, VPN mismatch.

The VPN to which the user belongs is inconsistent with the VPN configured for the address pool.

Invalid DHCP request info, network not exist.

The requested address pool is not configured with a network.

Invalid DHCP request info, pool not exist.

The requested address pool does not exist.

DHCP smooth failed, IP mismatch.

Smooth transition of the PPP user lease failed. The DHCP user lease is inconsistent with the lease in UCM smoothing.

DHCP smooth failed, lease not exist.

Smooth transition of the PPP user lease failed. The user lease does not exist in the DHCP module.

DHCP reserve subnet not exist.

The requested reserved subnet does not exist.

DHCP lease initialization failed.

Lease initialization failed.

DHCP reserve IP failed, invalid reserved ip.

The requested reserved IP address is an invalid address.

DHCP PPP online failed, request lease failed.

The PPP user failed to request a lease and failed to come online.

DHCP delete user, VT interface deactive.

DHCP received a deactivation event from a virtual template interface and deleted the users associated with the interface.

DHCP proxy entry timeout.

The proxy entry aged out and was deleted.

DHCP delete proxy entry upon NAK.

DHCP relay received a DHCP-NAK packet and deleted a proxy entry.

DHCP delete proxy entry.

A proxy entry was deleted.

DHCP delete MAC-port entry.

A MAC-port entry was deleted.

DHCP delete timeout MAC-port entry.

A MAC-port entry aged out and was deleted.

DHCP pool-group delete.

The address pool group of the address pool used for association was deleted.

DHCP delete pool from pool-group.

The address pool used for association was deleted from the address pool group.

DHCP delete pool.

The address pool used for association was deleted.

DHCP start ICMP failed.

DHCP failed to start ICMP probe.

DHCP NDRS request exceed maximum.

The number of pending NDRS requests has reached the upper limit. New requests cannot be received now.

DHCP NDRS online timeout.

NDRS user association timed out.

DHCP pool locked.

The address pool was locked.

DHCP reserve subnet failed, subnet mask lower than network mask.

The requested subnet mask is lower than the network segment mask. The request for a reserved subnet failed.

DHCP reserve subnet failed, unusable network.

Subnet availability check failed. The request for a reserved subnet failed.

DHCP reserve prefix failed, unusable prefix.

Prefix pool availability check failed. The request for a reserved prefix failed.

DHCP NDRA relogin failed, no available pool in pool-group.

The address pool does not match the address pool group. NDRA user reassociation failed.

DHCP NDRA relogin failed, lease pool not found.

The address pool to which the lease belongs does not exist. NDRA user reassociation failed.

DHCP NDRA relogin failed.

NDRA user reassociation failed.

DHCP NDRA smooth failed, another address lease already exist.

NDRA user smoothing failed. The user has leases for inconsistent addresses.

DHCP prefix lease initialization failed.

Failed to initialize the prefix lease.

DHCP delete lease after another module notify.

Another module notified DHCP to delete the lease.

DHCP NDRA smooth failed.

NDRA user smoothing failed.

DHCP dual NDRS backup request failed.

Dual-active NDRS user: The backup device failed to send address requests to the master device.

DHCP static reserve IP failed, unsable IP.

Address availability check failed. The request for a static reserved IP address failed.

DHCP alloc mode error.

Incorrect allocation mode.

DHCP request timeout in pool-group.

The request for PPPoE address pool group-based association was not processed in time. Association failed.

DHCP request timeout in pool.

The request for PPPoE address pool-based association was not processed in time. Association failed.

DHCP Cinfo refresh by detecting lease released.

The lease assigned to a new user was the same as the lease of an online user. After the Cinfo information was updated, the old user was logged off.

DHCPv6 REPLY packet info invalid.

Information carried in the DHCPv6 REPLY packet is invalid. Association or lease renewal failed. The lease time or status code carries the failure error code.

DHCP inform request has no response.

A temporary user generated during inform packet processing was deleted because no inform response was received.

DHCP inform request process successfully.

A temporary user generated during inform packet processing was deleted after inform processing completed.

AM configuration error.

AM configuration error.

The static session already exists.

The dynamic IPoE session to be created conflicted with an existing static IPoE session.

NAT444 failed.

IPoE failed to collaborate with NAT444.

The ND RS session is updated.

The device received a new ND RS session request for the user when the user was online.

L2TP tunnel terminated by the peer.

The peer device terminated the L2TP tunnel. This might be because the peer device determined that the user had gone offline.

The peer did not respond to control packets.

The peer device did not respond to the PPP control packet from the device.

Failed to set up an L2TP session.

The device failed to create an L2TP session.

Repeated LCP negotiation packets.

The device received a duplicate LCP negotiation packet. This might be because the user terminated the connection and then initiated a connection again.

COA failure.

The device failed to process a CoA message for the user.

Failed to update authorization information.

The device failed to update the authorization information for the user.

Realtime accounting request to AAA failed.

The real-time accounting request for the user failed.

Session timeout.

The session of the user timed out.

Data quota limit reached.

The data quotas of the user were used up.

Session idle cut.

The device logged out the user because the user's traffic in the specified direction during the idle timeout period was less than the specified minimum traffic.

User online detection failure.

The user failed online detection.

Port was removed from VLAN.

The access interface of the user was removed from the VLAN.

Port error.

A port error occurred.

Interface down or deactive.

The protocol of the interface went down, the link on the interface went down, or the interface was deactivated.

VSRP status changed.

VSRP status changed.

Backup device deleted user data that is inconsistent with data on the master device.

The backup device in the VSRP group deleted user data inconsistent with data on the master device.

MAC address change.

The MAC address of the user changed.

Failed to recover AAA resources.

The device failed to recover AAA resources for the user.

Deleted users because of inter-card session conflict.

The device deleted the user because sessions on different cards conflicted.

User aged out before coming online.

The online wait timer for the user expired.

MPU-LPU data synchronization failure.

Inter-card data smoothing failed.

Failed to synchronize data with DHCP server.

The device failed to synchronize data with the DHCP server.

Failed to synchronize user information with the server.

The device failed to synchronize user data with the DHCP server.

User recovery failure.

User data recovery failed.

Failed to obtain physical information.

The device failed to obtain physical information of the user.

Authorization ACL for the online user changed.

The authorization ACL for the user changed.

Authorization user profile for the online user changed.

The authorization user profile for the user changed.

Magic number check failed.

Magic number check failed.

Reauthentication failed.

Reauthentication for the user failed.

No AAA response during realtime accounting.

The device did not receive a response for the real-time accounting request sent to the server.

Invalid username or password.

Invalid username or password.

No VTY line available.

No VTY line was available because the maximum number of users that use VTY lines was already reached.

SSH server received a packet with an incorrect message authentication code.

The message authentication code in the packet from the SSH client was incorrect.

User disconnected from the server.

The SSH or FTP user disconnected from the server.

No working directory available.

No working directory is available.

PTY allocation failed.

PTY allocation failed.

FTP server error.

The user failed to log in to the FTP server because an error existed on the FTP server.

Server is disabled.

The service was disabled.

Service type not supported.

The type of the service that the user requested was not supported.

RBAC denied file management operations in the login command.

RBAC denied file management operations in the login command.

Failed to issue RBAC access permissions to the login user.

The device failed to issue RBAC access permissions to the login user.

NETCONF inner error.

An internal NETCONF error occurred.

NETCONF session was terminated by another NETCONF session.

The NETCONF session of the user was terminated by another NETCONF session.

Failed to allocate public network ports in a CGN network.

Public network port allocation failed on the CGN network.

Failed to obtain an IP address of the type specified for basic services of users.

The user failed to obtain an IP address of the type specified for the basic services of the user.

UserGroup configuration changed.

The configuration of the user group changed.

MAC conflict.

MAC address conflict occurred.

RedisDBM clear.

A RedisDBM session clear operation was executed on the migration source device.

RedisDBM conflict.

Data conflict occurred on the migration destination device during RedisDBM data recovery.

RedisDBM block.

A RedisDBM session block operation was executed on the migration source device.

Logged out by the RADIUS proxy

The user was logged out by the RADIUS proxy.

NAT failed to issue the user port block info to the driver.

After a user comes online, the port block information is issued to the driver. If issuing the port block information fails, the user is logged out.

Failed to match NAT configuration.

The device failed to find a matching NAT configuration for the user when the user was coming online or the user information was being smoothed.

Failed to come online by using CGN because the matching NAT doesn't support port block-based NAT.

The matching NAT configured for the user does not support port block-based NAT.

Failover group failure.

The failover group failed.

Failed to get NAT instance or NAT instance configuration is not correct.

The device failed to get NAT instance for the load-sharing user group or the NAT instance obtained is incorrect.

The NAT address was released.

The NAT address of the user was reclaimed.

NAT configured with flow-triggered port block assignment doesn't support CGN.

In the current software version, only port block-based NAT is supported for CGN. If a NAT instance is configured with flow-triggered port block assignment, the user redirected to the NAT instance will fail to come online.

Failed to come online by using CGN because of session service-location configuration matching failure.

The device failed to find a matching failover group for processing session-based services for the user.

Online failed because of matched CGN configuration doesn't support port block.

The matching CGN configuration does not support port block.

Memory allocation failed for AFT.

AFT failed to allocate memory resources for the user because memory resources were insufficient.

Failed to add NAT user data (invalid private network address).

The device failed to add the data of the NAT user because the user address is invalid.

NAT obtained an invalid backup instance ID from the user online request message in a UP hot backup environment.

In a UP hot backup environment, the backup instance ID that NAT obtained from the user online request message is invalid.

NAT instance state error.

State error for NAT instance.

The NAT instance was unbound from CGN-UP backup profile.

The NAT instance was unbound from CGN-UP backup profile.

Failed to obtain user group information.

Failed to obtain user group information.

NAT and BRAS unification failed due to UCM and CGN backup mode mismatch.

N/A

User authentication and NAT unification failed due to nat instance is sub type.

User authentication and NAT unification failed because the NAT instance in the message is a subinstance.

Login time beyond validity period.

The login time is beyond the validity period of the local user.

Maximum number of concurrent SSH users already reached.

The number of concurrent online SSH users has reached the maximum number supported.

BRAS user offline.

An IPoE user went offline from the BRAS, causing the corresponding PPPoEA user to go offline.

User is in local-user blacklist

The local user is in the password control denylist.

The user's 802.1X client has not come online.

The static 802.1X user accessing through an interface enabled with static 802.1X authentication is rejected by the BRAS device. This symptom occurs if the BRAS device receives an ARP packet, unknown-sourced IP packet, or NS/NA packet from the user before the user passes authentication.

Static 802.1X user authentication can be configured by using the ip subscriber static-dot1x-user enable command.

The source IP address of the L2TP tunnel does not support backup.

The L2TP user is logged off after switching to the new master LAC UP.

This symptom occurs when a master/backup switchover is triggered on the LAC UP in 1:1 hot backup, N:1 warm backup, or 1:N warm backup mode and the L2TP tunnel was established by using the source IP address specified by the tunnel up-id up-id source-ip source-ip-address [ vpn-instance vpn-instance-name ] command.

Layer2 IPoE leased subusers do not support access through IA_PD or the NDRS scenario of one prefix per user.

The leased subuser cannot come online because Layer 2 IPoE leased subusers do not support access through IA_PD or NDRS with one prefix per user.

 

Related commands

reset aaa abnormal-offline-record

display aaa normal-offline-record

Use display aaa normal-offline-record to display user normal offline records.

Syntax

In standalone mode:

display aaa normal-offline-record { access-type { ipoe | lan-access | login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa normal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa normal-offline-record

In IRF mode:

display aaa normal-offline-record { access-type { ipoe | lan-access | login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa normal-offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa normal-offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

ipoe: Specifies IPoE users.

lan-access: Specifies LAN users.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

time: Specifies user normal offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user normal offline records on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user normal offline records. If you do not specify this keyword, the command displays detailed information about user normal offline records.

count count: Specifies the number of user normal offline records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user normal offline records. This command displays the most recent user normal offline records that match the specified criteria in reverse chronological order.

If user normal offline records exist in the system, you can use this command to display the records regardless of whether user normal offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user normal offline records for all users.

If the usernames that the server sends to the device include invisible characters, for information about users with such usernames to be displayed, you must specify the fuzzy-match keyword in this command.

Examples

# Display detailed information about normal offline records for all users.

<Sysname> display aaa normal-offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: Telnet

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019/01/02 15:20:33

Offline time: 2019/02/28 15:20:56

Offline reason: User request.

# Display brief information about normal offline records for login users.

<Sysname> display aaa normal-offline-record access-type login brief

Username: jay

MAC address: -

IP address: 11.2.2.41

IPv6 address: -

Offline reason: User request.

Table 3 Command output

Field

Description

Total count

Total number of matching user normal offline records.

Username

Name of a user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the MAC address.

Access type

Access type of the user:

·     PPPoPhy—PPP over physical link.

·     PPPoE—PPP over Ethernet.

·     PPPoL2TP—PPP over L2TP.

·     PPPoFR—PPP over Frame Relay.

·     PPPoEA—PPPoEA user.

·     VPPP—L2TP auto dial-up.

·     802.1X—Access based on 802.1X authentication.

·     Web authentication—Access based on Web authentication.

·     Telnet—Telnet access.

·     FTP—FTP access.

·     SSH—SSH access.

·     IPoE—Common IPoE user.

·     IPoE interface leased—IPoE interface leased user.

·     IPoE subnet leased—IPoE subnet leased user.

·     IPoE L2VPN leased—IPoE L2VPN leased user.

·     IPoE static—IPoE static user.

·     NETCONF over SOAP—Access through NETCONF over SOAP sessions.

·     NETCONF over RESTful—Access through NETCONF over RESTful sessions.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Offline time

Time when the user went offline.

Offline reason

Reason that the user went offline. For more information about the reasons, see Table 2.
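The following is an added example, not part of the command reference: a small Python parser for the record format described in Table 3 (and the identically laid out output of display aaa offline-record), which turns the "Field: value" lines into one dict per record, maps the hyphen and empty markers the device prints for fields it could not obtain to None, and summarises records by offline reason so that anything other than a plain user request can be pulled out for investigation. The sample output is constructed from the examples above; the second record (username host1, MAC address, VLAN and times) is made up for illustration.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample, modelled on the detailed output of
# display aaa normal-offline-record shown above. The second record is
# constructed to show fields the system could not obtain (hyphens) and an
# offline reason other than a user request.
SAMPLE_OUTPUT = """\
Total count: 2
Username: jay
Domain: dm1
MAC address: -
Access type: Telnet
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.2
IPv6 address: -
Online request time: 2019/01/02 15:20:33
Offline time: 2019/02/28 15:20:56
Offline reason: User request.
Username: host1
Domain: dm1
MAC address: 0010-9400-0002
Access type: IPoE
Access interface: Ten-GigabitEthernet3/1/2
SVLAN/CVLAN: 100/-
IP address: -
IPv6 address: -
Online request time: 2019/02/28 15:30:01
Offline time: 2019/02/28 15:31:10
Offline reason: Session idle cut.
"""

MISSING = "-"  # the device prints a hyphen when it could not obtain a field

Record = Dict[str, Optional[str]]


def _normalise(value: str) -> Optional[str]:
    """Map the device's 'could not obtain' markers ('-' or empty) to None."""
    value = value.strip()
    return None if value in ("", MISSING) else value


def total_count(text: str) -> Optional[int]:
    """Return the 'Total count' header, or None when absent (brief output)."""
    for line in text.splitlines():
        field, _, value = line.partition(":")
        if field.strip() == "Total count":
            return int(value.strip())
    return None


def parse_offline_records(text: str) -> List[Record]:
    """Split detailed or brief output into one dict per record.

    Each record starts at a "Username:" line, the first field in both output
    formats. "SVLAN/CVLAN" is split into two keys. Only the first colon
    separates field from value, so timestamps and IPv6 addresses survive.
    """
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator lines between records
        field = field.strip()
        if field == "Total count":
            continue
        if field == "Username":
            current = {}
            records.append(current)
        if current is None:
            continue  # ignore anything before the first record
        if field == "SVLAN/CVLAN":
            svlan, _, cvlan = value.strip().partition("/")
            current["SVLAN"] = _normalise(svlan)
            current["CVLAN"] = _normalise(cvlan)
        else:
            current[field] = _normalise(value)
    return records


def reason_key(record: Record) -> str:
    """Offline reason without the optional trailing period, so that
    'User request' and 'User request.' (both appear in the examples) match."""
    reason = record.get("Offline reason") or "Unknown"
    return reason.rstrip(".")


def offline_reason_summary(records: List[Record]) -> Counter:
    """Count records per offline reason; a spike in one reason is the cue to look."""
    return Counter(reason_key(r) for r in records)


def unexpected_offlines(records: List[Record]) -> List[Record]:
    """Records whose reason is not a plain user request, the normal baseline."""
    return [r for r in records if reason_key(r) != "User request"]


if __name__ == "__main__":
    recs = parse_offline_records(SAMPLE_OUTPUT)
    print(f"Total count header: {total_count(SAMPLE_OUTPUT)}, parsed: {len(recs)}")
    for reason, n in offline_reason_summary(recs).most_common():
        print(f"{n:4d}  {reason}")
    for r in unexpected_offlines(recs):
        print("investigate:", r["Username"], r["Access type"], r["Offline reason"])
```

Comparing the Total count header with the number of parsed records also shows when the count keyword has truncated the listing.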

 

Related commands

reset aaa normal-offline-record

display aaa offline-record

Use display aaa offline-record to display user offline records.

Syntax

In standalone mode:

display aaa offline-record { access-type { ipoe | lan-access | login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa offline-record

In IRF mode:

display aaa offline-record { access-type { ipoe | lan-access | login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa offline-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa offline-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

lan-access: Specifies LAN users.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

ipoe: Specifies IPoE users.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

time: Specifies user offline records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user offline records on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user offline records. If you do not specify this keyword, the command displays detailed information about user offline records.

count count: Specifies the number of user offline records to be displayed. The value range for the count argument is 1 to 65536.

Usage guidelines

You can specify multiple query criteria to filter user offline records. This command displays the most recent user offline records that match the specified criteria in reverse chronological order.

If user offline records exist in the system, you can use this command to display the records regardless of whether user offline recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user offline records for all users.

If the usernames that the server sends to the device include invisible characters, you must specify the fuzzy-match keyword to display information about users with such usernames, because an exact match on the visible characters will not find them.

Examples

# Display detailed information about offline records for all users.

<Sysname> display aaa offline-record

Total count: 1

Username: jay

Domain: dm1

MAC address: -

Access type: Telnet

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019/01/02 15:20:33

Offline time: 2019/02/28 15:20:56

Offline reason: User request

# Display brief information about offline records for login users.

<Sysname> display aaa offline-record access-type login brief

Username: jay

MAC address: -

IP address: 20.20.20.1

IPv6 address: -

Offline reason: User request.

 

Username: test

MAC address: -

IP address: 20.20.20.3

IPv6 address: -

Offline reason: User request.

Table 4 Command output

Field

Description

Total count

Total number of matching user offline records.

Username

Name of a user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the MAC address.

Access type

Access type of the user:

·     PPPoPhy—PPP over physical link.

·     PPPoE—PPP over Ethernet.

·     PPPoEA—PPPoEA user.

·     PPPoL2TP—PPP over L2TP.

·     PPPoFR—PPP over Frame Relay.

·     VPPP—L2TP auto dial-up.

·     802.1X—Access based on 802.1X authentication.

·     Web authentication—Access based on Web authentication.

·     Telnet—Telnet access.

·     FTP—FTP access.

·     SSH—SSH access.

·     IPoE—Common IPoE user.

·     IPoE interface leased—IPoE interface leased user.

·     IPoE subnet leased—IPoE subnet leased user.

·     IPoE L2VPN leased—IPoE L2VPN leased user.

·     IPoE static—IPoE static user.

·     NETCONF over SOAP—Access through NETCONF over SOAP sessions.

·     NETCONF over RESTful—Access through NETCONF over RESTful sessions.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Offline time

Time when the user went offline.

Offline reason

Reason that the user went offline. For more information about the reasons, see Table 2.

Detailed message

Detailed reason that the user went offline.

This field is displayed only if the user went offline because the interface module or UP failed. It includes the location of the interface module and the detailed reason.

 

Related commands

reset aaa offline-record

display aaa online-fail-record

Use display aaa online-fail-record to display user online failure records.

Syntax

In standalone mode:

display aaa online-fail-record { access-type { ipoe | lan-access | login | ppp } | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | slot slot-number | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa online-fail-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa online-fail-record

In IRF mode:

display aaa online-fail-record { access-type { ipoe | lan-access | login | ppp } | chassis chassis-number slot slot-number | domain domain-name | interface interface-type interface-number | { ip ipv4-address | ipv6 ipv6-address } | mac-address mac-address | s-vlan svlan-id [ c-vlan cvlan-id ] | username user-name [ fuzzy-match ] } * [ brief | count count ]

display aaa online-fail-record time begin-time end-time [ date begin-date end-date ] [ brief ]

display aaa online-fail-record

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies users by the access type.

ipoe: Specifies IPoE users.

lan-access: Specifies LAN users.

login: Specifies login users, such as SSH users, Telnet users, and FTP users.

ppp: Specifies PPP users.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

interface interface-type interface-number: Specifies an interface by its interface type and interface number.

ip ipv4-address: Specifies a user by its IPv4 address.

ipv6 ipv6-address: Specifies a user by its IPv6 address.

mac-address mac-address: Specifies a user by its MAC address in the format of H-H-H.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

s-vlan svlan-id: Specifies an SVLAN by its VLAN ID in the range of 1 to 4094.

c-vlan cvlan-id: Specifies a CVLAN by its VLAN ID in the range of 1 to 4094.

username user-name: Specifies users using the specified username, a case-sensitive string of 1 to 253 characters.

fuzzy-match: Matches the username in fuzzy mode. In fuzzy mode, a user matches if the user's username includes the specified username. If you do not specify this keyword, the device matches the username in exact mode. In exact mode, a user matches if the user's username is the same as the specified username.

time: Specifies user online failure records generated in a time range.

begin-time: Specifies the start time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

end-time: Specifies the end time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59.

date: Specifies a date range. If you do not specify a date range, this command displays user online failure records generated on the current day.

begin-date: Specifies the start date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

end-date: Specifies the end date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

brief: Displays brief information about user online failure records. If you do not specify this keyword, the command displays detailed information about user online failure records.

count count: Specifies the number of user online failure records to be displayed. The value range for the count argument is 1 to 32768.

Usage guidelines

You can specify multiple query criteria to filter user online failure records. This command displays the most recent user online failure records that match the specified criteria in reverse chronological order.

If user online failure records exist in the system, you can use this command to display the records regardless of whether user online failure recording is enabled or not.

If you do not specify any parameters, this command displays detailed information about user online failure records for all users.

If the usernames that the server sends to the device include invisible characters, you must specify the fuzzy-match keyword to display information about users with such usernames, because an exact match on the visible characters will not find them.

Examples

# Display detailed information about the most recent two online failure records for login users that use the username aaa.

<Sysname> display aaa online-fail-record username aaa access-type login count 2

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: 100/-

IP address: 19.19.0.1

IPv6 address: -

Online request time: 2019/01/02 15:20:37

Online failure reason: Authentication failed.

Server reply message: no user exists.

 

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019/01/02 15:20:33

Online failure reason: Authentication failed.

Server reply message: no user exists.

# Display brief information about user online failure records generated from 2019-03-01 13:20:50 to 2019-03-02 17:20:30.

<Sysname> display aaa online-fail-record time 13:20:50 17:20:30 date 2019/3/1 2019/3/2 brief

Username: aaa

MAC address: -

IP address: 19.19.0.2

IPv6 address: -

Online failure reason: Authentication failed.

Server reply message: no user exists.

# Display detailed information about user online failure records generated from 2019-03-01 13:20:50 to 2019-03-02 17:20:30.

<Sysname> display aaa online-fail-record time 13:20:50 17:20:30 date 2019/3/1 2019/3/2

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.1

IPv6 address: -

Online request time: 2019/03/02 16:20:33

Online failure reason: Authentication failed

Server reply message: no user exists.

 

Username: aaa

Domain: test

MAC address: -

Access type: Telnet

Access interface: Ten-GigabitEthernet3/1/1

SVLAN/CVLAN: -/-

IP address: 19.19.0.2

IPv6 address: -

Online request time: 2019/03/01 15:20:51

Online failure reason: Authentication failed.

Server reply message: no user exists.
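
The records above show the same username failing authentication twice from one access interface within seconds. The device only lists such records; it does not correlate them. The following Python script is an added example and not code from the H3C reference: it parses the detailed output of display aaa online-fail-record (one Field: value line per attribute, records separated by a blank line, as in the examples above), groups Authentication failed records by username and IPv4 address, and reports bursts. The sample output, the grouping key, and the threshold of two failures within five minutes are constructed assumptions for illustration.

```python
"""Flag repeated authentication failures in `display aaa online-fail-record`
output. Added example, not code from the H3C reference: the sample output,
the blank-line record separator and the threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modeled on the page's examples (three records).
SAMPLE_OUTPUT = """\
Username: aaa
Domain: test
MAC address: -
Access type: Telnet
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: 100/-
IP address: 19.19.0.1
IPv6 address: -
Online request time: 2019/01/02 15:20:37
Online failure reason: Authentication failed.
Server reply message: no user exists.

Username: aaa
Domain: test
MAC address: -
Access type: Telnet
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.1
IPv6 address: -
Online request time: 2019/01/02 15:20:33
Online failure reason: Authentication failed.
Server reply message: no user exists.

Username: bob
Domain: test
MAC address: -
Access type: SSH
Access interface: Ten-GigabitEthernet3/1/1
SVLAN/CVLAN: -/-
IP address: 19.19.0.9
IPv6 address: -
Online request time: 2019/01/02 15:30:00
Online failure reason: Authentication failed
"""

# Timestamp format used by the `Online request time` field in the examples.
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_records(text):
    """Split CLI output into records; each record is a dict field -> value.
    A `Total count:` header and blank separator lines are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("Total count:"):
            continue
        # Field names never contain ':', values (times) may, so split once.
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def failure_bursts(records, threshold=2, window=timedelta(minutes=5)):
    """Group `Authentication failed` records by (username, IPv4 address) and
    return the groups that have >= threshold failures inside any window.
    Times are sorted first, so the device's reverse-chronological order does
    not matter. The reason check tolerates the trailing-period variation
    seen in the page's examples."""
    by_key = defaultdict(list)
    for r in records:
        if not r.get("Online failure reason", "").startswith("Authentication failed"):
            continue
        key = (r.get("Username", ""), r.get("IP address", "-"))
        by_key[key].append(datetime.strptime(r["Online request time"], TIME_FMT))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        # Densest window: failures at or after each start that fall within it.
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (user, ip), n in failure_bursts(parse_records(SAMPLE_OUTPUT)).items():
        print(f"{n} authentication failures for user {user!r} from {ip}")
```

Feed the script the output of a time/date-filtered query rather than a count-limited one, because count truncates the record set and hides the oldest failures in the window.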

Table 5 Command output

Field

Description

Total count

Total number of matching user online failure records.

Username

Name of a user.

This field does not display anything if the system failed to obtain the username.

Domain

Name of the ISP domain to which the user belongs.

This field does not display anything if the system failed to obtain the ISP domain.

MAC address

MAC address of the user.

This field displays a hyphen (-) if the system failed to obtain the user's MAC address.

Access type

Access type of the user:

·     PPPoPhy—PPP over physical link.

·     PPPoE—PPP over Ethernet.

·     PPPoL2TP—PPP over L2TP.

·     PPPoEA—PPPoEA user.

·     PPPoFR—PPP over Frame Relay.

·     VPPP—L2TP auto dial-up.

·     802.1X—Access based on 802.1X authentication.

·     Web authentication—Access based on Web authentication.

·     Telnet—Telnet access.

·     FTP—FTP access.

·     SSH—SSH access.

·     IPoE—Common IPoE user.

·     IPoE interface leased—IPoE interface leased user.

·     IPoE subnet leased—IPoE subnet leased user.

·     IPoE L2VPN leased—IPoE L2VPN leased user.

·     IPoE static—IPoE static user.

·     NETCONF over SOAP—Access through NETCONF over SOAP sessions.

·     NETCONF over RESTful—Access through NETCONF over RESTful sessions.

·     Terminal—Terminal login such as console login.

Access interface

Interface through which the user accesses the network.

This field displays a hyphen (-) if the system failed to obtain the access interface.

SVLAN/CVLAN

SVLAN and CVLAN to which the user belongs.

This field displays a hyphen (-) for the SVLAN or CVLAN in the following situations:

·     The user does not belong to an SVLAN.

·     The system failed to obtain the SVLAN or CVLAN of the user.

IP address

IPv4 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv4 address.

IPv6 address

IPv6 address of the user.

This field displays a hyphen (-) if the system failed to obtain the IPv6 address.

Online request time

Time when the user requested to come online.

Online failure reason

Reason that the user failed to come online. For more information about the reasons, see Table 2.

Server reply message

Message sent from the server. This field is not displayed if the server does not send a message.

 

Related commands

reset aaa online-fail-record

display aaa online-offline-reason

Use display aaa online-offline-reason to display descriptions of online-offline reason codes.

Syntax

display aaa online-offline-reason [ code code-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

code code-id: Specifies an online-offline reason code by its ID. The minimum value is 1. To view the value range of the code-id argument, press a question mark (?) in the place of this argument when you enter this command in the CLI. If you do not specify an online-offline reason code, this command displays descriptions for all online-offline reason codes (except reserved reason codes).

Usage guidelines

The device uses online-offline reason codes to identify the reasons that users fail to come online and that users go offline normally or abnormally. When a user goes offline, the device carries an online-offline reason code in the stop-accounting request sent to the server. Use this command to identify the meaning of these codes.

There are a large number of online-offline reason codes. For easy identification, specify a reason code when you execute this command.

Examples

# Display the description of online-offline reason code 1.

<Sysname> display aaa online-offline-reason code 1

  Code       Description

  1          user logoff

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ name isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Usage guidelines

To display load-sharing user groups in an ISP domain and the number of users in each group, you must specify the ISP domain when executing this command.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

 

Domain: system

  Current state: Active

  State configuration: Active

  PPPoEA  authentication scheme:  None

  PPPoEA  authorization  scheme:  None

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out policy: Offline

    Send accounting update:Yes

  Service type: HSI

  Session time: Exclude idle time

  DHCPv6-follow-IPv6CP timeout: 60 seconds

  IPv6CP interface ID assignment: Enable

  Dual-stack accounting method: Merge

  NAS-ID: N/A

  Service rate-limit mode: Separate

  Web server IPv4 URL              : Not configured

      Track                        : Not configured

  Web server IPv6 URL              : Not configured

      Track                        : Not configured

  Web server URL parameters        : Not configured

  Web server IPv4 address          : Not configured

  Web server IPv6 address          : Not configured

  Secondary Web server IPv4 URL    : Not configured

      Track                        : Not configured

  Secondary Web server IPv6 URL    : Not configured

      Track                        : Not configured

  Secondary Web server IPv4 address          : Not configured

  Secondary Web server secondary IPv4 address: Not configured

  Secondary Web server IPv6 address          : Not configured

  Secondary Web server secondary IPv6 address: Not configured

  Redirect active time             : Not configured

  Redirect server IPv4 address     : Not configured

  Temporary redirect               : Disabled

  Redirect server IPv6 address     : Not configured

  Access user auto-save            : Enabled

  Authorization attributes:

    Idle cut: Disabled

    IGMP access limit: 4

    MLD access limit: 4

    Inbound user profile: a

    Outbound user profile: b

    IPv4 multicast user profile: c

    IPv6 multicast user profile: d

  Access limit: Not configured

  Access interface VPN instance strict check: Disabled

  Dynamic authorization effective attributes: Not configured

  Authen-radius-unavailable: Not configured

  Authen-radius-recover: Not configured

  IP resource usage warning thresholds:

    High threshold: Not configured

    Low threshold: Not configured

  IPv6 resource usage warning thresholds:

    High threshold: Not configured

    Low threshold: Not configured

  Authen-fail action: Offline

  L2TP-user RADIUS-force: Disabled

  IPv6 ND autoconfiguration:

    Managed-address flag: Unset

    Other flag          : Unset

 

Domain: dm

  Current state: Active

  State configuration: Blocked during specific time ranges

    Time ranges:

      t1

      t2

    Online-user logoff: Enabled

  Login   authentication scheme:  RADIUS=rad

  Login   authorization  scheme:  HWTACACS=hw

  Super   authentication scheme:  RADIUS=rad

  PPP     accounting     scheme:  RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local

  Command authorization  scheme:  HWTACACS=hw

  LAN access authentication scheme:  RADIUS=r4

  IPoE    authentication scheme:  RADIUS=rad, Local, None

  PPPoEA  authentication scheme:  None

  PPPoEA  authorization  scheme:  None

  PPPoEA  accounting     scheme:  RADIUS=rad, None

  Default authentication scheme:  RADIUS=rad, Local, None

  Default authorization  scheme:  Local

  Default accounting     scheme:  None

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out policy: Redirect

    Redirect URL   : http://3.3.3.3/web

    Stop accounting: Yes

    User profile   : abc

    Send accounting update:Yes

  ITA service policy: ita1

  Service type: HSI

  Session time: Include idle time

  User basic service IP type: IPv4 IPv6 IPv6-PD

  DHCPv6-follow-IPv6CP timeout: 33 seconds

  IPv6CP interface ID assignment: Enable

  Accounting start delay: 60 seconds

  Dual-stack accounting method: Merge

  NAS-ID: test

  Service rate-limit mode: Separate

  Web server IPv4 URL              : http://1.2.3.4

      Track                        : 11 (Positive)

  Web server IPv6 URL              : http://1:2::3:4

      Track                        : 12 (Positive)

  Web server URL parameters        : userurl=http://www.test.com/welcome

                                     userip=source-address

                                     usermac=source-mac (format: XXXX-XXXX-XXXX)

                                     userlct=user-location (format: port:vlan1.vlan2)

  Web server IPv4 address          : 1.2.3.4

  Web server secondary IPv4 address: Not configured

  Web server IPv6 address          : Not configured

  Web server secondary IPv6 address: Not configured

  Secondary Web server IPv4 URL    : Not configured

      Track                        : Not configured

  Secondary Web server IPv6 URL    : Not configured

      Track                        : Not configured

  Secondary Web server IPv4 address          : Not configured

  Secondary Web server secondary IPv4 address: Not configured

  Secondary Web server IPv6 address          : Not configured

  Secondary Web server secondary IPv6 address: Not configured

  Redirect active time             : 60 seconds

  Redirect server IPv4 address     : 1.1.1.2

  Temporary redirect               : Enabled

  Redirect server IPv6 address     : 1:2::3:2

  Access user auto-save            : Enabled

  Authorization attributes:

    Idle cut : Enabled

      Idle timeout: 2 minutes

      Flow: 10240 bytes

      Traffic direction: Both

    IP pool: appy

    User profile: test

    Session group profile: abc

    Inbound CAR: CIR 64000 bps PIR 640000 bps

    Outbound CAR: CIR 64000 bps PIR 640000 bps

    ACL number: 3000

    User group: ugg

    IPv6 prefix: 1::/34

    IPv6 pool: ipv6pool

    IPv6 ND prefix pool: rnd

    Primary DNS server: 6.6.6.6

    Secondary DNS server: 3.6.2.3

    URL: http://abc

    Redirect limit: 5

    VPN instance: vpn1

    IGMP access limit: 12

    MLD access limit: 35

    User session timeout: 28 seconds

  Access limit: 400

  Access interface VPN instance strict check: Enabled

  Dynamic authorization effective attributes:

    CAR

    URL

    User group

  Authen-radius-unavailable: Online domain dm2

  Authen-radius-recover: Online domain dm

  IP resource usage warning thresholds:

    High threshold: 70%

    Low threshold: 10%

  IPv6 resource usage warning thresholds:

    High threshold: 70%

    Low threshold: 10%

  Authen-fail action: Online on domain dm1

  L2TP-user RADIUS-force: Enabled

  L2TP-group group-number: 1

  Access limit per account (case-sensitive): 5

  Authorization attributes specific to none authentication:

    User session timeout: 28 seconds

  IPv6 ND autoconfiguration:

    Managed-address flag: Set

    Other flag          : Unset

 

Default domain name: system

# Display the configuration of ISP domain bbb and load-sharing user group information in the domain.

<Sysname> display domain name bbb

 

Domain: bbb

  Current state: Active

  State configuration: Active

  PPPoEA  authentication scheme:  None

  PPPoEA  authorization  scheme:  None

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out policy: Offline

    Send accounting update:Yes

  Service type: HSI

  Session time: Exclude idle time

  DHCPv6-follow-IPv6CP timeout: 60 seconds

  IPv6CP interface ID assignment: Enable

  Dual-stack accounting method: Merge

  NAS-ID: N/A

  Service rate-limit mode: Separate

  Web server IPv4 URL              : Not configured

      Track                        : Not configured

  Web server IPv6 URL              : Not configured

      Track                        : Not configured

  Web server URL parameters        : Not configured

  Web server IPv4 address          : Not configured

  Web server secondary IPv4 address: 1.2.3.5

  Web server IPv6 address          : Not configured

  Web server secondary IPv6 address: Not configured

  Secondary Web server IPv4 URL    : Not configured

      Track                        : Not configured

  Secondary Web server IPv6 URL    : Not configured

      Track                        : Not configured

  Secondary Web server IPv4 address          : Not configured

  Secondary Web server secondary IPv4 address: 1.2.3.6

  Secondary Web server IPv6 address          : Not configured

  Secondary Web server secondary IPv6 address: Not configured

  Redirect active time             : Not configured

  Redirect server IPv4 address     : Not configured

  Temporary redirect               : Disabled

  Redirect server IPv6 address     : Not configured

  Access user auto-save            : Enabled

  Authorization attributes:

    Idle cut: Disabled

    IGMP access limit: 4

    MLD access limit: 4

  Access limit: Not configured

  Access interface VPN instance strict check: Enabled

  Dynamic authorization effective attributes: Not configured

  Authen-radius-unavailable: Not configured

  Authen-radius-recover: Offline

  IP resource usage warning thresholds:

    High threshold: Not configured

    Low threshold: Not configured

  IPv6 resource usage warning thresholds:

    High threshold: Not configured

    Low threshold: Not configured

  Load-sharing user groups:

    g1: 323 user(s)

    g2: 324 user(s)

  Authen-fail action: Offline

  L2TP-user RADIUS-force: Disabled

  Authorization attributes specific to none authentication:

    User session timeout: 28 seconds

  IPv6 ND autoconfiguration:

    Managed-address flag: Unset

    Other flag          : Unset
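
The domain output above exposes several settings that decide what happens when authentication fails or cannot be performed: a None method at the end of an authentication scheme list (Table 6 defines None as no authentication), an Authen-fail action of Online on domain, an Authen-radius-unavailable action of Online domain, and an unset Access limit. The following Python script is an added example and not code from the H3C reference: it parses display domain output into per-domain fields (a Domain: line followed by indented Field: value lines, as shown above) and flags those settings. The sample output and the rule set are constructed for illustration; which settings count as findings is a policy assumption, not a statement from the reference.

```python
"""Audit `display domain` output for permissive AAA fallback settings.
Added example, not code from the H3C reference: the sample output and the
rule set are constructed for illustration."""

# Constructed sample: one domain that rejects failed logins and one modeled
# on the page's `dm` example that falls back to no authentication.
SAMPLE_OUTPUT = """\
Total 2 domains

Domain: corp
  Current state: Active
  State configuration: Active
  Login   authentication scheme:  RADIUS=rad
  Login   authorization  scheme:  HWTACACS=hw
  Default authentication scheme:  RADIUS=rad
  Default authorization  scheme:  Local
  Default accounting     scheme:  RADIUS=rad
  Access limit: 400
  Authen-radius-unavailable: Not configured
  Authen-fail action: Offline

Domain: dm
  Current state: Active
  State configuration: Active
  IPoE    authentication scheme:  RADIUS=rad, Local, None
  Default authentication scheme:  RADIUS=rad, Local, None
  Default authorization  scheme:  Local
  Default accounting     scheme:  None
  Access limit: Not configured
  Authen-radius-unavailable: Online domain dm2
  Authen-fail action: Online on domain dm1

Default domain name: system
"""


def parse_domains(text):
    """Return {domain_name: {field: value}}. Internal padding in field names
    is collapsed so `Login   authentication scheme` and
    `Default authentication scheme` are parsed consistently."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            current = domains.setdefault(line.split(":", 1)[1].strip(), {})
            continue
        if line.startswith("Default domain name:"):
            current = None  # trailer line, not part of any domain block
            continue
        if current is None or ":" not in line:
            continue
        field, value = line.split(":", 1)
        current[" ".join(field.split())] = value.strip()
    return domains


def audit_domain(fields):
    """Apply the (assumed) rule set to one domain; return a list of findings."""
    findings = []
    for field, value in fields.items():
        if field.endswith("authentication scheme"):
            # Method lists look like `RADIUS=rad, Local, None`; a parenthesised
            # entry such as `(RADIUS=r2)` is stripped to its method name.
            methods = [m.strip().strip("()") for m in value.split(",")]
            if "None" in methods:
                findings.append(f"{field} falls back to None (no authentication)")
    if fields.get("Authen-fail action", "Offline").startswith("Online"):
        findings.append("Authen-fail action brings users online after failed authentication")
    if fields.get("Authen-radius-unavailable", "Not configured").startswith("Online"):
        findings.append("users come online when RADIUS is unreachable")
    if fields.get("Access limit") == "Not configured":
        findings.append("no per-domain access limit")
    return findings


def audit(text):
    """Audit every domain in the output; domains with no findings map to []."""
    return {name: audit_domain(f) for name, f in parse_domains(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Run it against the full display domain output of a device and review each flagged domain against its intended role; a None fallback or an Online authen-fail action may be deliberate for a guest or redirect domain, but it should never appear on a domain used for login or administrative access.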

Table 6 Command output

Field

Description

Domain

ISP domain name.

Current state

Current state of the ISP domain:

·     Blocked.

·     Active.

State configuration

State settings of the ISP domain:

·     Active—The ISP domain is set to the active state.

·     Blocked during specific time ranges—The ISP domain is set to the blocked state during the listed time ranges.

·     Blocked—The ISP domain is set to the blocked state.

Time ranges

Time ranges during which the ISP domain is in blocked state.

Online-user logoff

Status for the feature of logging off online users when the state of the ISP domain changes to blocked:

·     Enabled.

·     Disabled.

Default authentication scheme

Default authentication methods.

Default authorization scheme

Default authorization methods.

Default accounting scheme

Default accounting methods.

Login authentication scheme

Authentication methods for login users.

Login authorization scheme

Authorization methods for login users.

Login accounting scheme

Accounting methods for login users.

Super authentication scheme

Authentication methods for obtaining another user role without reconnecting to the device.

PPP authentication scheme

Authentication methods for PPP users.

PPP authorization scheme

Authorization methods for PPP users.

PPP accounting scheme

Accounting methods for PPP users.

Command authorization scheme

Command line authorization methods.

Command accounting scheme

Command line accounting methods.

LAN access authentication scheme

Authentication methods for LAN users.

LAN access authorization scheme

Authorization methods for LAN users.

LAN access accounting scheme

Accounting methods for LAN users.

IPoE authentication scheme

Authentication methods for IPoE users.

IPoE authorization scheme

Authorization methods for IPoE users.

IPoE accounting scheme

Accounting methods for IPoE users.

PPPoEA authentication scheme

Authentication methods for PPPoEA users.

PPPoEA authorization scheme

Authorization methods for PPPoEA users.

PPPoEA accounting scheme

Accounting methods for PPPoEA users.

RADIUS

RADIUS scheme.

HWTACACS

HWTACACS scheme.

LDAP

LDAP scheme.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Accounting start failure action

Access control for users that encounter accounting-start failures:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting update failure max-times

Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.

Accounting update failure action

Access control for users that have failed all their accounting-update attempts:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

Accounting quota out policy

Access control for users that have used up their accounting quotas:

·     Online—Allows the users to stay online.

·     Offline—Logs off the users.

·     Redirect—Redirects the users to the specified URL.

Redirect URL

URL to which users are redirected when the users have used up their data quotas.

Stop accounting

Whether to send stop-accounting packets for users that have used up their data quotas.

User profile

Name of the user profile assigned to users that have used up their data quotas.

Send accounting update

Whether to send accounting-update packets to refresh users' data quotas:

·     Yes.

·     No.

ITA service policy

ITA policy applied to the ISP domain.

Service type

Service type of the ISP domain, including HSI, STB, and VoIP.

Session time

Online duration sent to the server for users that went offline due to connection failure or malfunction:

·     Include idle time—The online duration includes the idle timeout period.

·     Exclude idle time—The online duration does not include the idle timeout period.

User address type

Type of IP addresses for users in the ISP domain.

This field is not displayed if no user address type is specified for the ISP domain.

User basic service IP type

Types of IP addresses that PPPoE and L2TP users rely on to use the basic services:

·     IPv4.

·     IPv6.

·     IPv6-PD.

DHCPv6-follow-IPv6CP timeout

IPv6 address wait timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users.

IPv6CP interface ID assignment

Whether the device is configured to forcibly assign interface IDs to PPP users during IPv6CP negotiation:

·     Enable—The device is configured to forcibly assign interface IDs to PPP users during IPv6CP negotiation. It ignores the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users.

·     Disable—The device is configured not to forcibly assign interface IDs to PPP users during IPv6CP negotiation. It accepts the non-zero and non-conflicted interface IDs carried in Configure-Request packets from PPP users.

Dual-stack accounting method

Accounting method for dual-stack users:

·     Merge—Merges IPv4 data with IPv6 data for accounting.

·     Separate—Separates IPv4 data from IPv6 data for accounting.

Accounting start delay

Start-accounting delay, in seconds. This field is not displayed if no start-accounting delay has been set.

NAS-ID

NAS-ID of the device.

This field displays N/A if no NAS-ID is set in the ISP domain.

Service rate-limit mode

Rate limit mode for EDSG services:

·     Merge—In-band mode. In this mode, the device limits the overall rates of both EDSG traffic and non-EDSG traffic for a user within the available basic bandwidth of the user.

·     Separate—Out-band mode. In this mode, the device limits the rate of EDSG traffic for a user within the independent EDSG bandwidth of the user. The bandwidth for the non-EDSG traffic is not affected.

Web server IPv4 URL

IPv4 URL of the Web server.

Web server IPv6 URL

IPv6 URL of the Web server.

Track

ID of the track entry associated with the Web server URL, followed by the state of the track entry in parentheses.

If no track entry is associated with the Web server URL, this field displays Not configured.

Web server URL parameters

Parameters added to the URL of the Web server.

format

Format of the MAC address added to the URL of the Web server:

·     XXXXXXXXXXXX (or xxxxxxxxxxxx)—The MAC address is in the one-section format.

·     XXXX-XXXX-XXXX (or xxxx-xxxx-xxxx)—The MAC address is in the three-section format.

·     XX-XX-XX-XX-XX-XX (or xx-xx-xx-xx-xx-xx)—The MAC address is in the six-section format.

The delimiter in the three-section format and the six-section format is configurable.

Web server IPv4 address

IPv4 address of the Web server.

Web server secondary IPv4 address

Backup IPv4 address of the Web server.

If the Web server has two IPv4 addresses and you use the web-server command with the secondary keyword to specify one of the IPv4 addresses, the specified IPv4 address is displayed in this field.

Web server IPv6 address

IPv6 address of the Web server.

Web server secondary IPv6 address

Backup IPv6 address of the Web server.

If the Web server has two IPv6 addresses and you use the web-server command with the secondary keyword to specify one of the IPv6 addresses, the specified IPv6 address is displayed in this field.

Secondary Web server IPv4 URL

IPv4 URL of the secondary Web server.

Secondary Web server IPv6 URL

IPv6 URL of the secondary Web server.

Secondary Web server IPv4 address

IPv4 address of the secondary Web server.

Secondary Web server secondary IPv4 address

Backup IPv4 address of the secondary Web server.

If the secondary Web server has two IPv4 addresses and you use the secondary-web-server command with the secondary keyword to specify one of the IPv4 addresses, the specified IPv4 address is displayed in this field.

Secondary Web server IPv6 address

IPv6 address of the secondary Web server.

Secondary Web server secondary IPv6 address

Backup IPv6 address of the secondary Web server.

If the secondary Web server has two IPv6 addresses and you use the secondary-web-server command with the secondary keyword to specify one of the IPv6 addresses, the specified IPv6 address is displayed in this field.

Redirect active time

Active period (in seconds) during which all Web visit requests of a user are redirected to the redirect URL.

Redirect server IPv4 address

IPv4 address of the redirect server.

Temporary redirect

Status of the temporary redirect feature.

Redirect server IPv6 address

IPv6 address of the redirect server.

Access user auto-save

Status of the automatic user backup feature, which can be Enabled or Disabled.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle cut

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. This is the default.

Idle timeout

Idle timeout period, in minutes.

Flow

Minimum traffic that a login user must generate in an idle timeout period, in bytes.

Traffic direction

Traffic direction for the idle cut feature:

·     Both.

·     Inbound.

·     Outbound.

IP pool

Name of the authorization IPv4 address pool.

IP pool group

Name of the authorization IPv4 address pool group.

Inbound user profile

Name of the authorization inbound user profile.

Outbound user profile

Name of the authorization outbound user profile.

User profile

Name of the authorization user profile.

IPv4 multicast user profile

Name of the authorization IPv4 multicast user profile.

IPv6 multicast user profile

Name of the authorization IPv6 multicast user profile.

Session group profile

Name of the authorization session group profile.

Inbound CAR

Authorization inbound CAR:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

If no inbound CAR is authorized, this field displays N/A.

Outbound CAR

Authorization outbound CAR:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

If no outbound CAR is authorized, this field displays N/A.

ACL number

Authorization ACL for users.

User group

Authorization user group for users.

IPv6 prefix

Authorization IPv6 address prefix for users.

IPv6 pool

Name of the authorization IPv6 address pool for users.

IPv6 pool group

Name of the authorization IPv6 address pool group for users.

IPv6 ND prefix pool

Name of the authorization prefix pool for users.

IPv6 ND prefix pool group

Name of the authorization prefix pool group for users.

Primary DNS server

IPv4 address of the authorization primary DNS server for users.

Secondary DNS server

IPv4 address of the authorization secondary DNS server for users.

Primary DNSV6 server

IPv6 address of the authorization primary DNS server for users.

Secondary DNSV6 server

IPv6 address of the authorization secondary DNS server for users.

URL

Authorization redirect URL for users.

Redirect limit

Maximum number of times the device redirects a user to the redirect URL.

If no limit is set, this field displays Unlimited.

VPN instance

Name of the authorization VPN instance for users.

IGMP access limit

Maximum number of IGMP groups that an IPv4 user is authorized to join concurrently.

MLD access limit

Maximum number of MLD groups that an IPv6 user is authorized to join concurrently.

Inbound user priority

Authorization user priority for users' upstream packets.

Outbound user priority

Authorization user priority for users' downstream packets.

User session timeout

Authorization session timeout time for users, in seconds.

Access limit

Maximum number of users allowed to access the domain.

Access interface VPN instance strict check

Whether to enable strict check for VPN instances bound to the user access interfaces:

·     Enabled.

·     Disabled.

Dynamic authorization effective attributes

Effective authorization attributes in the ISP domain for users assigned to the ISP domain from another ISP domain.

Authen-radius-unavailable

Critical domain to accommodate users when all RADIUS authentication servers are unavailable.

Authen-radius-recover

Action to take on users in the critical domain when a RADIUS authentication server becomes available.

·     Offline—Logs off the users.

·     Online domain isp-name—Allows the users to stay online in the recovery domain.

IP resource usage warning thresholds

Alarm thresholds for authorization IPv4 address usage.

IPv6 resource usage warning thresholds

Alarm thresholds for authorization IPv6 address or prefix usage.

High threshold

High alarm threshold for authorization IPv4 address usage or authorization IPv6 address or prefix usage. This field displays Not configured if the high alarm threshold is not set.

Low threshold

Low alarm threshold for authorization IPv4 address usage or authorization IPv6 address or prefix usage. This field displays Not configured if the low alarm threshold is not set.

Load-sharing user groups

Load-sharing user groups and the number of users in each group.

User group and NAT instance bindings

Load-sharing user groups, the number of users in each group, and the NAT instance to which each load-sharing user group is bound.

Authen-fail action

Authentication failure policy for users that fail authentication in the ISP domain:

·     Offline—Logs out the users.

·     Online on domain isp-name—Allows the users to stay online and assigns them to the reauthentication domain represented by the isp-name argument for reauthentication.

L2TP-user RADIUS-force

Status of the forcible use of RADIUS server-authorized L2TP attributes:

·     Enabled—The device decides whether to process a PPP user as an L2TP user based only on the L2TP attributes assigned by the RADIUS server.

·     Disabled—Whether the device processes a PPP user as an L2TP user depends on the local L2TP configuration or on the L2TP attributes that the RADIUS server assigns to the user.

L2TP-group group-number

Group number of the L2TP group specified for the ISP domain.

L2TP-group group-name

Name of the L2TP group specified for the ISP domain.

Access limit per account (case-sensitive)

Maximum number of concurrent logins for a user account (usernames in user accounts are case sensitive).

Access limit per account (case-insensitive)

Maximum number of concurrent logins for a user account (usernames in user accounts are case insensitive).

Authorization attributes specific to none authentication

Authorization attributes for none-authentication users.

IPv6 ND autoconfiguration

Status of autoconfiguration flags in RA advertisements.

Managed-address flag

Status of the M flag in RA advertisements:

·     Set—The host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain an IPv6 address.

·     Unset—The host uses stateless autoconfiguration to generate an IPv6 address.

Other flag

Status of the O flag in RA advertisements:

·     Set—The host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than the IPv6 address.

·     Unset—The host uses stateless autoconfiguration to obtain configuration information other than the IPv6 address.

Default domain name

N/A

display domain access-user statistics

Use display domain access-user statistics to display statistics for online access users in ISP domains.

Syntax

display domain [ name isp-name ] access-user statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays online access user statistics for all ISP domains.

Usage guidelines

This command displays detailed statistics only for online IPoE and PPP users in the current software version.

Sessions of value-added services are identified separately from those of non-value-added services for authentication, authorization, and accounting. The display domain access-user statistics command does not count the sessions of value-added services.

Examples

# Display online access user statistics for all ISP domains.

<Sysname> display domain access-user statistics

Total online access users: 20

   IPoE users: 8

   PPP users: 8

   Others: 4

Total domains: 3

 

Domain                           State                Online user count

system                           Active               15

isp1                             Active               0

isp2                             Active               5

 

Domain: system

    IPoE users: 3 (Bind 0, Pre-auth 0, Web 0, 802.1X 0, Leased 3)

    PPP users: 8 (PPPoE 4, PPPoA 2, PPPoFR 0, LAC 0, LNS 2, PPPoEA 0)

    Others: 4

Domain: isp2

    IPoE users: 5 (Bind 0, Pre-auth 0, Web 0, 802.1X 0, Leased 5)

    PPP users: 0

    Others: 0

# Display online access user statistics for ISP domain isp2.

<Sysname> display domain name isp2 access-user statistics

Domain: isp2

  Online user count: 5

    IPoE users: 5 (Bind 0, Pre-auth 0, Web 0, 802.1X 0, Leased 5)

    PPP users: 0

    Others: 0

Table 7 Command output

Field

Description

Total online access users

Total number of online access users and total number of users by user type.

·     IPoE users—Total number of online IPoE users.

·     PPP users—Total number of online PPP users.

·     Others—Total number of online users other than IPoE and PPP users.

Total domains

Total number of ISP domains.

Domain

Name of the ISP domain.

State

Current state of the ISP domain:

·     Blocked.

·     Active.

Online user count

Total number of online access users.

IPoE users

Total number of IPoE users, including the following types:

·     Bind—IPoE bind authentication users.

·     Pre-auth—Preauthentication domain users of Web authentication or IPoE 802.1X authentication.

·     Web—IPoE Web authentication users.

·     802.1X—IPoE 802.1X authentication users.

·     Leased—IPoE leased users.

PPP users

Total number of PPP users, including the following types:

·     PPPoE—PPPoE users.

·     PPPoA—PPP over ATM users.

·     PPPoFR—PPPoFR users.

·     LAC—L2TP users on the LAC.

·     LNS—L2TP users on the LNS.

·     PPPoEA—PPPoEA users.

Others

Total number of online users other than IPoE and PPP users.

Related commands

ppp account-statistics enable (BRAS Services Command Reference)
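The output above is what an operator or a monitoring job typically has to consume. The following parser is an added example (not H3C code) that turns both forms of the display domain access-user statistics output into a structure and cross-checks the printed totals against the per-domain lines, so a truncated or inconsistent capture is noticed rather than silently graphed. The sample text is the page's own example output, embedded here as a constructed input; the data class and function names are this example's choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the all-domains output shown in the command reference
# example above, reproduced verbatim so the parser can be exercised offline.
SAMPLE_OUTPUT = """\
Total online access users: 20
   IPoE users: 8
   PPP users: 8
   Others: 4
Total domains: 3

Domain                           State                Online user count
system                           Active               15
isp1                             Active               0
isp2                             Active               5

Domain: system
    IPoE users: 3 (Bind 0, Pre-auth 0, Web 0, 802.1X 0, Leased 3)
    PPP users: 8 (PPPoE 4, PPPoA 2, PPPoFR 0, LAC 0, LNS 2, PPPoEA 0)
    Others: 4
Domain: isp2
    IPoE users: 5 (Bind 0, Pre-auth 0, Web 0, 802.1X 0, Leased 5)
    PPP users: 0
    Others: 0
"""

@dataclass
class DomainStats:
    name: str
    state: str = ""            # Active or Blocked, from the summary table
    online: int = 0
    ipoe: int = 0
    ppp: int = 0
    others: int = 0
    ipoe_breakdown: dict = field(default_factory=dict)  # Bind, Pre-auth, Web, 802.1X, Leased
    ppp_breakdown: dict = field(default_factory=dict)   # PPPoE, PPPoA, PPPoFR, LAC, LNS, PPPoEA

@dataclass
class Report:
    total_users: int = 0
    total_ipoe: int = 0
    total_ppp: int = 0
    total_others: int = 0
    total_domains: int = 0
    domains: dict = field(default_factory=dict)  # domain name -> DomainStats

_ROW = re.compile(r"^(\S+)\s+(Active|Blocked)\s+(\d+)\s*$")
_COUNT = re.compile(r"^\s*(IPoE users|PPP users|Others):\s*(\d+)(?:\s*\((.*)\))?\s*$")
_FIELD = {"IPoE users": "ipoe", "PPP users": "ppp", "Others": "others"}

def _breakdown(text):
    """'Bind 0, Pre-auth 0, Leased 3' -> {'Bind': 0, 'Pre-auth': 0, 'Leased': 3}"""
    out = {}
    for item in text.split(","):
        key, _, value = item.strip().rpartition(" ")
        out[key] = int(value)
    return out

def parse_access_user_statistics(text):
    """Parse either the all-domains form or the single-domain (name isp-name) form."""
    report = Report()
    current = None      # DomainStats of the per-domain detail block being read
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^Total online access users:\s*(\d+)", line)
        if m:
            report.total_users = int(m.group(1)); continue
        m = re.match(r"^Total domains:\s*(\d+)", line)
        if m:
            report.total_domains = int(m.group(1)); continue
        m = re.match(r"^Domain:\s*(\S+)", line)
        if m:
            current = report.domains.setdefault(m.group(1), DomainStats(m.group(1))); continue
        m = _ROW.match(line)
        if m and current is None:                     # summary table rows
            d = report.domains.setdefault(m.group(1), DomainStats(m.group(1)))
            d.state, d.online = m.group(2), int(m.group(3)); continue
        m = re.match(r"^\s*Online user count:\s*(\d+)", line)
        if m and current is not None:                 # single-domain form only
            current.online = int(m.group(1)); continue
        m = _COUNT.match(line)
        if m:
            attr, n, detail = _FIELD[m.group(1)], int(m.group(2)), m.group(3)
            if current is None:                       # totals at the top of the output
                setattr(report, "total_" + attr, n)
            else:
                setattr(current, attr, n)
                if detail:
                    setattr(current, attr + "_breakdown", _breakdown(detail))
    return report

def consistency_problems(report):
    """Cross-check the totals the device prints against the per-domain lines."""
    problems = []
    doms = list(report.domains.values())
    if report.total_domains:                          # only present in the all-domains form
        if report.total_domains != len(doms):
            problems.append(f"Total domains {report.total_domains} != {len(doms)} rows")
        if sum(d.online for d in doms) != report.total_users:
            problems.append("sum of per-domain online counts != total online access users")
        for attr in ("ipoe", "ppp", "others"):
            if sum(getattr(d, attr) for d in doms) != getattr(report, "total_" + attr):
                problems.append(f"sum of per-domain {attr} counts != total {attr} users")
    for d in doms:                                    # a domain with users but no detail block shows up here
        if d.online and d.ipoe + d.ppp + d.others != d.online:
            problems.append(f"domain {d.name}: type counts do not add up to {d.online}")
    return problems
```

Note that isp1 has no detail block in the sample because it has no online users; the checker only flags a missing block when the summary row shows a non-zero count. Value-added service sessions are not counted by this command, so a mismatch against accounting records is not by itself a sign of tampered output.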

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain name isp-name

undo domain name isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

name isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default system ISP domain. Before you use the undo domain command, change the domain to a non-default system ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users. An ISP domain name longer than 253 characters cannot take effect.

To delete an ISP domain that has been specified by using the aaa default-domain, aaa permit-domain, aaa deny-domain, or aaa roam-domain command in interface view, you must first remove the command configuration.

If an ISP domain has online users in it, you cannot delete the domain by using the undo domain name command.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test]

Related commands

aaa default-domain

aaa deny-domain

aaa permit-domain

aaa roam-domain

display domain

domain default enable

domain if-unknown

state (ISP domain view)

domain default enable

Use domain default enable to specify the default system ISP domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default system ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default system ISP domain.

An ISP domain cannot be deleted when it is the default system ISP domain. Before you use the undo domain command, change the domain to a non-default system ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default system ISP domain.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

display domain

domain

domain if-unknown

Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

The device selects an authentication domain for each user in a specific order. For more information about ISP domain selection, see AAA in BRAS Services Configuration Guide.

If the selected domain does not exist on the device, the device searches for the ISP domain to accommodate users that are assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test

Related commands

display domain

dynamic-authorization effective-attribute

Use dynamic-authorization effective-attribute to specify effective authorization attributes in an ISP domain for users that are assigned to this ISP domain from another ISP domain.

Use undo dynamic-authorization effective-attribute to restore the default.

Syntax

dynamic-authorization effective-attribute { car | session-group-profile | session-timeout | url | user-group | user-priority | user-profile | web-server } *

undo dynamic-authorization effective-attribute { car | session-group-profile | session-timeout | url | user-group | user-priority | user-profile | web-server } *

Default

No effective authorization attributes are specified in an ISP domain for users that are assigned to this ISP domain from another ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

car: Specifies the CAR attributes assigned as authorization attributes in the ISP domain.

session-group-profile: Specifies the session group profile assigned as an authorization attribute in the ISP domain.

session-timeout: Specifies the user session timeout time assigned as an authorization attribute in the ISP domain.

url: Specifies the redirect URL assigned as an authorization attribute in the ISP domain.

user-group: Specifies the user group assigned as an authorization attribute in the ISP domain.

user-priority: Specifies the user priority assigned as an authorization attribute in the ISP domain.

user-profile: Specifies the user profile assigned as an authorization attribute in the ISP domain.

web-server: Specifies the redirect Web server parameters assigned as authorization attributes in the ISP domain. The parameters include the IP addresses and URLs of the Web server and the parameters included in the URLs.

Usage guidelines

This command takes effect only on IPoE users.

Use this command in an ISP domain to specify authorization attributes that will take effect on users that are assigned to this ISP domain from another ISP domain. This command is applicable to the following situations:

·     Users are assigned to the recovery domain from the critical domain after a RADIUS authentication server in the users' original authentication domain becomes available.

For the users to obtain authorization attributes in the recovery domain, you must execute the dynamic-authorization effective-attribute command in the recovery domain to specify effective authorization attributes.

·     A RADIUS server assigns a new ISP domain to a user through CoA messages when the services of the user change.

When RADIUS DAS is enabled on the device, the device listens on the specified UDP port for CoA requests from the specified RADIUS servers. When the device receives a CoA request message from a RADIUS server, it matches the message to a user and changes the authorization information of the user accordingly. If the RADIUS server assigns a new ISP domain to the user, you can execute the dynamic-authorization effective-attribute command in the new ISP domain to specify effective authorization attributes.

The effective authorization attributes specified in an ISP domain are from the attributes specified by using the following commands in the same ISP domain:

·     authorization-attribute.

·     web-server { ip | ipv6 }.

·     web-server { url | ipv6-url }.

·     web-server url-parameter.

If you do not specify any effective authorization attributes in an ISP domain for users assigned to this ISP domain from another ISP domain, the following conditions exist:

·     If the users are assigned to the recovery domain from the critical domain, they cannot obtain any authorization attributes.

·     If the users are assigned to a new ISP domain through CoA messages, they use the authorization attributes obtained in the original ISP domain.

If you specify effective authorization attributes for the new ISP domain assigned to a user through CoA messages, the final effective authorization attributes vary as follows:

·     If the server does not assign an authorization attribute to the user through CoA messages, the authorization attribute configured in the new ISP domain takes effect. If the authorization attribute is not configured in the new ISP domain, the user uses the authorization attribute configured in the original ISP domain.

·     If the server assigns an authorization attribute to the user through CoA messages, that authorization attribute always takes effect.

For the user-group authorization attribute, the device assigns a user to a load sharing user group in the new ISP domain based on the NAT instance to which the user belongs.

·     If the device finds a load sharing user group bound to the NAT instance in the new ISP domain, it assigns the user to that load sharing user group. If the device does not find such a load sharing user group, it does not perform user group assignment.

·     If the user does not belong to a NAT instance, the device assigns the user to a load sharing user group specified in the new ISP domain. To specify a load sharing user group, use the load-sharing user-group command. If no load sharing user groups are specified in the new ISP domain, the authorization user group in that ISP domain applies.

Repeat the dynamic-authorization effective-attribute command to specify multiple effective authorization attributes. All the settings take effect.
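The precedence rules above decide which authorization attributes (rate limits, user profile, redirect URL, user group) a user ends up with after a domain change, which is what makes them security-relevant: a misread of them can leave a user with the original domain's looser profile. The following model is an added example written for this page, not H3C code. It encodes the rules as stated in the usage guidelines: the command affects IPoE users only; with no effective attributes declared, a recovery-domain user gets nothing and a CoA-moved user keeps the original attributes; otherwise CoA-assigned values win, then the new domain's declared attributes, then the original domain's; and user-group is chosen by NAT instance binding. The domain names, user names, attribute values and the choice of the first load-sharing group for users outside any NAT instance are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# The eight keywords accepted by dynamic-authorization effective-attribute.
EFFECTIVE_KEYWORDS = frozenset({
    "car", "session-group-profile", "session-timeout", "url",
    "user-group", "user-priority", "user-profile", "web-server",
})

@dataclass
class IspDomain:
    name: str
    # Values set in this domain with authorization-attribute / web-server commands.
    authorization: dict = field(default_factory=dict)
    # Keywords given to dynamic-authorization effective-attribute in this domain.
    effective: frozenset = frozenset()
    # Load-sharing user groups -> NAT instance each is bound to (None if unbound).
    load_sharing_groups: dict = field(default_factory=dict)

@dataclass
class User:
    name: str
    access_type: str                                 # "ipoe" or "ppp"
    nat_instance: Optional[str] = None
    attributes: dict = field(default_factory=dict)   # attributes obtained in the original domain

def user_group_in(domain, user):
    """user-group rule from the usage guidelines: pick the group by NAT instance."""
    if user.nat_instance is not None:
        for group, nat in domain.load_sharing_groups.items():
            if nat == user.nat_instance:
                return group
        return None                     # no group bound to that NAT instance: no assignment
    if domain.load_sharing_groups:
        # Assumption: the page does not say how one of several groups is chosen
        # for users outside any NAT instance; this example takes the first configured.
        return next(iter(domain.load_sharing_groups))
    return domain.authorization.get("user-group")   # fall back to the domain's authorization user group

def value_in(domain, attr, user):
    return user_group_in(domain, user) if attr == "user-group" else domain.authorization.get(attr)

def resolve_attributes(user, new_domain, transition, coa_attrs=None):
    """transition is 'recovery' (critical domain -> recovery domain) or 'coa'
    (a RADIUS CoA message moved the user). Returns the user's final attributes."""
    coa_attrs = dict(coa_attrs or {})
    if transition not in ("recovery", "coa"):
        raise ValueError(transition)
    if user.access_type != "ipoe":                   # the command only affects IPoE users
        return dict(user.attributes)
    if not new_domain.effective:                     # nothing declared effective in the new domain
        return {} if transition == "recovery" else dict(user.attributes)
    if transition == "recovery":                     # only the declared attributes are obtained
        return {a: value_in(new_domain, a, user) for a in sorted(new_domain.effective)
                if value_in(new_domain, a, user) is not None}
    result = {}
    for attr in sorted(EFFECTIVE_KEYWORDS | set(coa_attrs) | set(user.attributes)):
        if attr in coa_attrs:                        # CoA-assigned values always take effect
            result[attr] = coa_attrs[attr]
        elif attr in new_domain.effective and value_in(new_domain, attr, user) is not None:
            result[attr] = value_in(new_domain, attr, user)
        elif attr in user.attributes:                # otherwise keep the original domain's value
            result[attr] = user.attributes[attr]
    return result

# Constructed sample domains and users; names and values are illustrative only.
RECOVERY_DOMAIN = IspDomain(
    name="isp_recover",
    authorization={"user-profile": "gold",
                   "car": {"cir": 50_000_000, "pir": 100_000_000},
                   "url": "http://portal.example.invalid/"},
    effective=frozenset({"user-profile", "car"}),      # url is configured but not declared effective
)
VIP_DOMAIN = IspDomain(
    name="isp_vip",
    authorization={"user-profile": "gold", "user-group": "vip-default"},
    effective=frozenset({"user-profile", "user-group"}),
    load_sharing_groups={"lsg1": "nat1", "lsg2": "nat2"},
)
ORIGINAL_ATTRS = {"user-profile": "silver",
                  "car": {"cir": 10_000_000, "pir": 20_000_000},
                  "session-timeout": 3600}
U_RECOVERY = User("alice", "ipoe")                                   # arrived from the critical domain
U_COA = User("bob", "ipoe", nat_instance="nat2", attributes=ORIGINAL_ATTRS)
U_PPP = User("carol", "ppp", attributes=ORIGINAL_ATTRS)
```

Running resolve_attributes(U_COA, VIP_DOMAIN, "coa", {"session-timeout": 7200}) gives the CoA session timeout, the new domain's gold profile, load-sharing group lsg2 (bound to nat2) and the original domain's CAR, since car is not declared effective in isp_vip. The same user moved into a domain with no effective attributes keeps ORIGINAL_ATTRS unchanged, and a recovery-domain user in that case gets nothing.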

Examples

# In ISP domain test, specify the authorization user group as the effective authorization attribute for users assigned to this ISP domain from another ISP domain.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] dynamic-authorization effective-attribute user-group

Related commands

authorization-attribute

display domain

web-server { ip | ipv6 }

web-server url

web-server url-parameter

ip-usage-warning

Use ip-usage-warning to set the alarm thresholds for authorization IPv4 address usage.

Use undo ip-usage-warning to cancel an alarm threshold setting for authorization IPv4 address usage.

Syntax

ip-usage-warning { high-threshold high-value | low-threshold low-value }

undo ip-usage-warning { high-threshold | low-threshold }

Default

No alarm thresholds are set for authorization IPv4 address usage. The system does not generate alarm notifications about authorization IPv4 address usage.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

high-threshold high-value: Specifies the high alarm threshold for authorization IPv4 address usage, in percentage. The value range for the high-value argument is 1 to 100. The high alarm threshold must be greater than the low alarm threshold.

low-threshold low-value: Specifies the low alarm threshold for authorization IPv4 address usage, in percentage. The value range for the low-value argument is 0 to 99.

Usage guidelines

Authorization IPv4 address usage refers to the usage of IPv4 addresses in the authorization IPv4 address pool or pool group. The IPv4 addresses are allocated by DHCP.

You can monitor authorization IPv4 address usage on an ISP domain basis if you have configured one of the following IPv4 address-related authorization attributes for ISP domains:

·     Authorization IPv4 address pool configured by using the authorization-attribute ip-pool command.

·     Authorization IPv4 address pool group configured by using the authorization-attribute ip-pool-group command.

To implement ISP domain-based authorization IPv4 address usage monitoring, you must perform the following tasks:

·     Enable SNMP notifications for authorization IPv4 address usage in ISP domains by using the snmp-agent trap enable domain ip-pool-warning command.

·     Set the alarm thresholds for authorization IPv4 address usage in the ISP domains by using the ip-usage-warning command.

Based on the IPv4 address usage periodically provided by the DHCP module, the device generates notifications as shown in Table 8. In addition, the device generates logs about authorization IPv4 address usage. For more information about the logs, see the system log message reference.

Table 8 Authorization IPv4 address usage alarm notifications and alarm-removed notifications

Notification

Triggering condition

Remarks

Low alarm notification

Authorization IPv4 address usage reaches or drops below the low alarm threshold for the first time.

After generating and sending a low alarm notification, the system typically does not generate or send any additional low alarm notifications until the first low alarm is removed.

Low alarm-removed notification

Authorization IPv4 address usage reaches or exceeds the value calculated by using the following formula: Low alarm threshold + (high alarm threshold – low alarm threshold)*10%.

If you cancel the low alarm threshold setting when the system is still in low alarm state, the system will automatically generate and send a notification to remove the low alarm.

High alarm notification

Authorization IPv4 address usage reaches or exceeds the high alarm threshold for the first time.

After generating and sending a high alarm notification, the system typically does not generate or send any additional high alarm notifications until the first high alarm is removed.

High alarm-removed notification

Authorization IPv4 address usage drops below or reaches the value calculated by using the following formula: High alarm threshold – (high alarm threshold – low alarm threshold)*10%.

If you cancel the high alarm threshold setting when the system is still in high alarm state, the system will automatically generate and send a notification to remove the high alarm.

 

The system uses value 0 for the low alarm threshold and 100 for the high alarm threshold when no low or high alarm threshold is set.

If you change one of the following settings, the system determines whether to generate one notification only based on the new settings regardless of whether another notification of the same type has been generated:

·     An alarm threshold setting for authorization IPv4 address usage in the ISP domain.

·     The authorization IPv4 address pool or pool group specified for the ISP domain.

·     The configuration in the authorization IPv4 address pool or IPv4 address pool group of the ISP domain.

Examples

# In ISP domain test, set the high alarm threshold and low alarm threshold for authorization IPv4 address usage to 70% and 20%, respectively.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ip-usage-warning high-threshold 70

[Sysname-isp-test] ip-usage-warning low-threshold 20

Related commands

authorization-attribute (ISP domain view)

display domain

snmp-agent trap enable domain

ipv6 nd autoconfig managed-address-flag

Use ipv6 nd autoconfig managed-address-flag to set the managed address configuration flag (M) to 1 in RA advertisements to be sent.

Use undo ipv6 nd autoconfig managed-address-flag to restore the default.

Syntax

ipv6 nd autoconfig managed-address-flag

undo ipv6 nd autoconfig managed-address-flag

Default

The M flag is set to 0 in RA advertisements. Hosts receiving the advertisements will obtain IPv6 addresses through stateless autoconfiguration.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

The M flag in RA advertisements determines whether receiving hosts use stateful autoconfiguration to obtain IPv6 addresses.

·     If the M flag is set to 1 in RA advertisements, receiving hosts use stateful autoconfiguration (for example, from a DHCPv6 server) to obtain IPv6 addresses.

·     If the M flag is set to 0 in RA advertisements, receiving hosts use stateless autoconfiguration. Stateless autoconfiguration generates IPv6 addresses according to link-layer addresses and the prefix information in the RA advertisements.

This command is applicable only to PPP users.

For PPP users, you can execute this command in ISP domain view or in interface view. If you have executed this command in either of the views, the device will set the M flag to 1 in RA advertisements to be sent.

Examples

# In ISP domain test, set the M flag to 1 in RA advertisements to be sent.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ipv6 nd autoconfig managed-address-flag

Related commands

ipv6 nd autoconfig managed-address-flag (Layer 3—IP Services Command Reference)

ipv6 nd autoconfig other-flag

Use ipv6 nd autoconfig other-flag to set the other stateful configuration flag (O) to 1 in RA advertisements to be sent.

Use undo ipv6 nd autoconfig other-flag to restore the default.

Syntax

ipv6 nd autoconfig other-flag

undo ipv6 nd autoconfig other-flag

Default

The O flag is set to 0 in RA advertisements. Hosts receiving the advertisements will acquire other information through stateless autoconfiguration.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

The O flag in RA advertisements determines whether receiving hosts use stateful autoconfiguration to obtain configuration information other than IPv6 addresses.

·     If the O flag is set to 1 in RA advertisements, receiving hosts use stateful autoconfiguration (for example, from a DHCPv6 server) to obtain configuration information other than IPv6 addresses.

·     If the O flag is set to 0 in RA advertisements, receiving hosts use stateless autoconfiguration to obtain configuration information other than IPv6 addresses.

This command is applicable only to PPP users.

For PPP users, you can execute this command in ISP domain view or in interface view. If you have executed this command in either of the views, the device will set the O flag to 1 in RA advertisements to be sent.

Examples

# In ISP domain test, set the O flag to 1 in RA advertisements to be sent.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ipv6 nd autoconfig other-flag

Related commands

ipv6 nd autoconfig other-flag (Layer 3—IP Services Command Reference)

ipv6-usage-warning

Use ipv6-usage-warning to set the alarm thresholds for authorization IPv6 address or prefix usage.

Use undo ipv6-usage-warning to cancel an alarm threshold setting for authorization IPv6 address or prefix usage.

Syntax

ipv6-usage-warning { high-threshold high-value | low-threshold low-value }

undo ipv6-usage-warning { high-threshold | low-threshold }

Default

No alarm thresholds are set for authorization IPv6 address or prefix usage. The system does not generate alarm notifications about authorization IPv6 address or prefix usage.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

high-threshold high-value: Specifies the high alarm threshold for authorization IPv6 address or prefix usage, in percentage. The value range for the high-value argument is 1 to 100. The high alarm threshold must be greater than the low alarm threshold.

low-threshold low-value: Specifies the low alarm threshold for authorization IPv6 address or prefix usage, in percentage. The value range for the low-value argument is 0 to 99.

Usage guidelines

Authorization IPv6 address or prefix usage refers to the usage of IPv6 addresses or prefixes in the authorization IPv6 address pool or pool group or in the authorization ND prefix pool or pool group.

You can monitor authorization IPv6 address or prefix usage on an ISP domain basis if you have configured one of the following IPv6 address or prefix-related authorization attributes for ISP domains:

·     Authorization IPv6 address pool configured by using the authorization-attribute ipv6-pool command.

·     Authorization ND prefix pool configured by using the authorization-attribute ipv6-nd-prefix-pool command.

·     Authorization IPv6 address pool group configured by using the authorization-attribute ipv6-pool-group command.

·     Authorization ND prefix pool group configured by using the authorization-attribute ipv6-nd-prefix-pool-group command.

To implement ISP domain-based authorization IPv6 address or prefix usage monitoring, you must perform the following tasks:

·     Enable SNMP notifications for authorization IPv6 address or prefix usage in ISP domains by using the snmp-agent trap enable domain ipv6-pool-warning command.

·     Set the alarm thresholds for authorization IPv6 address or prefix usage in the ISP domains by using the ipv6-usage-warning command.

Based on the IPv6 address or prefix usage periodically provided by the DHCPv6 module, the device generates notifications as shown in Table 9. In addition, the device generates logs about authorization IPv6 address or prefix usage. For more information about the logs, see the system log message reference.

Table 9 Authorization IPv6 address or prefix usage alarm notifications and alarm-removed notifications

Low alarm notification

·     Triggering condition: Authorization IPv6 address or prefix usage reaches or drops below the low alarm threshold for the first time.

·     Remarks: After generating and sending a low alarm notification, the system typically does not generate or send any additional low alarm notifications until the first low alarm is removed.

Low alarm-removed notification

·     Triggering condition: Authorization IPv6 address or prefix usage reaches or exceeds the value calculated by using the following formula: Low alarm threshold + (high alarm threshold – low alarm threshold)*10%.

·     Remarks: If you cancel the low alarm threshold setting when the system is still in low alarm state, the system automatically generates and sends a notification to remove the low alarm.

High alarm notification

·     Triggering condition: Authorization IPv6 address or prefix usage reaches or exceeds the high alarm threshold for the first time.

·     Remarks: After generating and sending a high alarm notification, the system typically does not generate or send any additional high alarm notifications until the first high alarm is removed.

High alarm-removed notification

·     Triggering condition: Authorization IPv6 address or prefix usage drops below or reaches the value calculated by using the following formula: High alarm threshold – (high alarm threshold – low alarm threshold)*10%.

·     Remarks: If you cancel the high alarm threshold setting when the system is still in high alarm state, the system automatically generates and sends a notification to remove the high alarm.

The system uses value 0 for the low alarm threshold and 100 for the high alarm threshold when no low or high alarm threshold is set.

If you change one of the following settings, the system decides whether to generate a notification based only on the new settings, regardless of whether a notification of the same type has already been generated:

·     An alarm threshold setting for authorization IPv6 address or prefix usage in the ISP domain.

·     The authorization IPv6 address pool, IPv6 address pool group, ND prefix pool, or ND prefix pool group specified for the ISP domain.

·     The configuration in the authorization IPv6 address pool, authorization IPv6 address pool group, authorization ND prefix pool, or authorization ND prefix pool group of the ISP domain.

Examples

# In ISP domain test, set the high alarm threshold and low alarm threshold for authorization IPv6 address or prefix usage to 70% and 20%, respectively.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ipv6-usage-warning high-threshold 70

[Sysname-isp-test] ipv6-usage-warning low-threshold 20

Related commands

authorization-attribute (ISP domain view)

display domain

snmp-agent trap enable domain

ipv6cp assign-interface-id

Use ipv6cp assign-interface-id to configure the device to forcibly assign interface IDs to PPP users in an ISP domain during IPv6CP negotiation.

Use undo ipv6cp assign-interface-id to restore the default.

Syntax

ipv6cp assign-interface-id

undo ipv6cp assign-interface-id

Default

The device accepts the non-zero, non-conflicting interface IDs carried in Configure-Request packets from PPP users in IPv6CP negotiation.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Use this command for centralized management of PPP users' interface IDs. This command enables the device to ignore the interface IDs carried in Configure-Request packets from PPP users and forcibly assign interface IDs to PPP users during IPv6CP negotiation. The device preferentially uses the interface IDs that the RADIUS server assigns to PPP users through the Framed-Interface-Id attribute. If the server does not assign interface IDs to PPP users, the device generates interface IDs and assigns them to the users.

Examples

# In ISP domain test, configure the device to forcibly assign interface IDs to PPP users during IPv6CP negotiation.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ipv6cp assign-interface-id

Related commands

display domain

ita-policy

Use ita-policy to apply an ITA policy to users in an ISP domain.

Use undo ita-policy to restore the default.

Syntax

ita-policy policy-name

undo ita-policy

Default

No ITA policy is applied in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an ITA policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The ITA policy assigned from a RADIUS server takes precedence over the ITA policy in an ISP domain. If an ISP domain user has been assigned an ITA policy from the RADIUS server, the ITA policy of the ISP domain does not take effect. The server-assigned ITA policy might not even exist on the device.

If the RADIUS server assigns EDSG policies but no ITA policy to the user, the ITA policy applied to the ISP domain does not take effect on the user.

Examples

# Apply ITA policy ita1 to users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] ita-policy ita1

Related commands

ita policy

l2tp-group

Use l2tp-group to specify an L2TP group for an ISP domain.

Use undo l2tp-group to restore the default.

Syntax

l2tp-group { group-name group-name | group-number group-number }

undo l2tp-group

Default

No L2TP group is specified for an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

group-name group-name: Specifies an L2TP group by its name, a case-insensitive string of 1 to 32 characters.

group-number group-number: Specifies an L2TP group by its number in the range of 1 to 65535.

Usage guidelines

This command is applicable only to PPP users.

When the forcible use of RADIUS server-authorized L2TP attributes is enabled, use this command to ensure L2TP tunnel establishment and simplify L2TP configuration for L2TP users in multiple ISP domains.

For an authenticated PPP user to be processed as an L2TP user, the device selects one of the following items to initiate tunneling requests for the user in descending order:

1.     L2TP group assigned by the RADIUS server through the H3C-Tunnel-Group-Name attribute (attribute 183).

2.     L2TP group specified for the ISP domain to which the user belongs (configured by using the l2tp-group command).

3.     L2TP group configured in system view that matches the username or domain name (configured by using the l2tp-group command).

4.     Default L2TP group configured in system view (configured by using the l2tp-group command in system view or the default-lac-group enable command in L2TP group view).

You can specify only one L2TP group either by group name or by group ID for an ISP domain. If you execute this command multiple times, the most recent configuration takes effect.

Changing or removing the L2TP group specified for an ISP domain does not affect existing L2TP tunnels established by using this group.

Examples

# Specify L2TP group 1 for ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] l2tp-group group-number 1

Related commands

display domain

l2tp-user radius-force

l2tp-user radius-force

Use l2tp-user radius-force to enable the forcible use of RADIUS server-authorized L2TP attributes.

Use undo l2tp-user radius-force to disable the forcible use of RADIUS server-authorized L2TP attributes.

Syntax

l2tp-user radius-force

undo l2tp-user radius-force

Default

The forcible use of RADIUS server-authorized L2TP attributes is disabled.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

This command is applicable only to PPP users.

Typically, whether the device processes an authenticated PPP user as an L2TP user depends on the local L2TP configuration or the L2TP attributes that the RADIUS server assigns to the user. The server-assigned L2TP attributes take precedence over the L2TP configuration on the device.

This command enables the device to decide whether to process an authenticated PPP user as an L2TP user only based on the server-assigned L2TP attributes.

·     If the RADIUS server assigns the L2TP tunnel type to a PPP user through attribute 64, the device processes the PPP user as an L2TP user.

·     If the RADIUS server does not assign the L2TP tunnel type to a PPP user through attribute 64, the device processes the PPP user as a common PPP user.

Use this command to implement centralized authorization of L2TP users and unified L2TP tunnel parameter management for L2TP users in multiple ISP domains.

For an authenticated PPP user to be processed as an L2TP user, the device selects one of the following items to initiate tunneling requests for the user in descending order:

1.     L2TP tunnel attributes assigned by the RADIUS server. These attributes are selected only if they are sufficient for tunnel establishment.

2.     L2TP group assigned by the RADIUS server through the Tunnel-Group-Name attribute (attribute 183).

3.     L2TP group specified for the ISP domain to which the user belongs.

The L2TP user cannot come online if none of the above items can be used to initiate tunneling requests. For more information about L2TP users and L2TP tunnel attributes, see L2TP configuration in BRAS Services Configuration Guide.

When this command is not used but the device is enabled with L2TP, the device will process a PPP user as an L2TP user under any of the following situations:

·     The RADIUS server assigns an L2TP group to the user.

·     An L2TP group is specified for the ISP domain.

·     The full username of the user or the name of the ISP domain matches the condition of initiating tunneling requests configured for an L2TP group.

For the PPP user to be processed as an L2TP user, the device selects one of the following items to initiate tunneling requests for the user in descending order:

1.     L2TP tunnel attributes assigned by the RADIUS server. These attributes are used only if they are sufficient for tunnel establishment.

2.     L2TP group assigned by the RADIUS server through the Tunnel-Group-Name attribute (proprietary attribute 183).

3.     L2TP group specified for the ISP domain to which the user belongs.

4.     L2TP group of which the condition configured for initiating tunneling requests matches the username of the user or the name of the ISP domain.

Examples

# In ISP domain test, enable the forcible use of RADIUS server-authorized L2TP attributes.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] l2tp-user radius-force

Related commands

display domain

l2tp-group

load-sharing user-group

Use load-sharing user-group to configure a load-sharing user group.

Use undo load-sharing user-group to delete a load-sharing user group.

Syntax

load-sharing user-group group-name

undo load-sharing user-group [ group-name ]

Default

No load-sharing user groups are configured and the load sharing feature for users is disabled in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. You must specify an existing user group. If you do not specify a user group in the undo form of this command, all load-sharing user groups are deleted.

Usage guidelines

Use load-sharing user groups with service features to implement load sharing for user service traffic.

If load-sharing user groups are used in conjunction with NAT, they are applicable only to interface-based NAT.

If you configure a load-sharing user group in an ISP domain, the load sharing feature for users is enabled for the ISP domain. You can configure a maximum of 32 load-sharing user groups in an ISP domain. After a user in the ISP domain comes online, the device assigns the user to the load-sharing user group that has the smallest number of users. If multiple load-sharing user groups have the same smallest number of users, the user is assigned to the earliest configured group.

The user group to which the device finally assigns a user depends on the configuration. The device selects the user group to accommodate a user in an ISP domain in the following order:

1.     The user group authorized by the server.

2.     The load-sharing user group configured in the ISP domain.

3.     The authorization user group specified in the ISP domain.

The load-sharing user-group and user-group bind nat-instance commands are mutually exclusive in an ISP domain. Before you use the load-sharing user-group command, remove the configuration of the user-group bind nat-instance command. In addition, make sure the ISP domain does not have users that came online before the user-group bind nat-instance command configuration is removed.

Examples

# In ISP domain test, configure load-sharing user groups g1 and g2.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] load-sharing user-group g1

[Sysname-isp-test] load-sharing user-group g2

Related commands

display domain

user-group

user-group bind nat-instance

local-server log change-password-prompt

Use local-server log change-password-prompt to enable password change prompt logging.

Use undo local-server log change-password-prompt to disable password change prompt logging.

Syntax

local-server log change-password-prompt

undo local-server log change-password-prompt

Default

Password change prompt logging is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature to enhance the protection of passwords for Telnet, SSH, NETCONF over SSH, and NETCONF over SOAP users and improve the system security.

This feature enables the device to generate logs to prompt users to change their weak passwords at an interval of 24 hours and at the users' login.

A password is a weak password if it does not meet the following requirements:

·     Password composition restriction configured by using the password-control composition command.

·     Minimum password length restriction set by using the password-control length command.

·     Password complexity checking policy configured by using the password-control complexity command.

For a NETCONF over SSH or NETCONF over SOAP user, the device also generates a password change prompt log if any of the following conditions exists:

·     The user logs in to the device for the first time or uses a new password to log in after global password control is enabled.

·     The current password of the user has expired.

The device will no longer generate password change prompt logs for a user when one of the following conditions exists:

·     The password change prompt logging feature is disabled.

·     The user has changed the password and the new password meets the password control requirements.

·     The enabling status of a related password control feature has changed so the current password of the user meets the password control requirements.

·     The password composition policy or the minimum password length has changed.

You can use the display password-control command to display password control configuration. For more information about password control commands, see "Password control commands."

Examples

# Enable password change prompt logging.

<Sysname> system-view

[Sysname] local-server log change-password-prompt

Related commands

display password-control

password-control complexity

password-control composition

password-control length

nas-id

Use nas-id to set the NAS-ID in an ISP domain.

Use undo nas-id to delete the NAS-ID from an ISP domain.

Syntax

nas-id nas-identifier

undo nas-id

Default

No NAS-ID is set in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.

Usage guidelines

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

You can configure a NAS-ID in NAS-ID profile view, in interface view, or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1.     NAS-ID bound with VLANs in a NAS-ID profile.

2.     NAS-ID on an interface.

3.     NAS-ID in an ISP domain.

If no NAS-ID is selected, the device uses the device name as the NAS-ID.

The NAS-ID on an interface is applicable only to PPP and IPoE users that access the network through the interface.

Examples

# Set the NAS-ID to test for ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] nas-id test

Related commands

aaa nas-id

aaa nas-id profile

nas-id bind

Use nas-id bind to configure a NAS-ID and VLAN binding.

Use undo nas-id bind to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind { { c-vid vlan-id | s-vid vlan-id } * | vlan vlan-id }

undo nas-id nas-identifier bind { { c-vid vlan-id | s-vid vlan-id } * | vlan vlan-id }

Default

No NAS-ID and VLAN bindings exist.

Views

NAS-ID profile view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 253 characters.

c-vid vlan-id: Specifies an inner VLAN ID in the range of 1 to 4094.

s-vid vlan-id: Specifies an outer VLAN ID in the range of 1 to 4094.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

In a QinQ network, specify an inner VLAN ID, outer VLAN ID, or both in a binding as a best practice. In a non-QinQ network, you can specify only a VLAN ID in a binding by specifying the vlan vlan-id option.

If you specify an inner VLAN ID or outer VLAN ID in a binding of a NAS-ID profile, you can specify this profile only for an interface by using the aaa nas-id-profile command.

A NAS-ID can be bound with more than one VLAN or one combination of inner VLAN and outer VLAN. A VLAN or a combination of inner VLAN and outer VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

The device selects a NAS-ID and VLAN binding for double-tagged packets in the following order:

1.     NAS-ID with both matching outer VLAN ID and inner VLAN ID.

2.     NAS-ID with a matching outer VLAN ID.

3.     NAS-ID with a matching inner VLAN ID.
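The NAS-ID selection order described under nas-id (profile binding, interface, ISP domain, device name) together with the binding precedence for double-tagged packets above, as an added Python example that is not part of this command reference or of the device software. It enforces the documented VLAN and NAS-ID ranges; the handling of single-tagged packets through the vlan bindings, the profile contents and the names gi-nas, pop-north and tenant-20 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

VLAN_RANGE = range(1, 4095)  # vlan-id values accepted by nas-id bind
QinqKey = Tuple[Optional[int], Optional[int]]  # (s-vid, c-vid); None = not given


def _check_nas_id(nas_id: str) -> None:
    # nas-identifier: case-sensitive string of 1 to 253 characters.
    if not 1 <= len(nas_id) <= 253:
        raise ValueError("NAS-ID must be 1 to 253 characters")


@dataclass
class NasIdProfile:
    """NAS-ID and VLAN bindings of one NAS-ID profile (added example).

    Rebinding the same VLAN key replaces the earlier binding, matching the
    page's rule that the most recent configuration takes effect."""
    vlan: Dict[int, str] = field(default_factory=dict)
    qinq: Dict[QinqKey, str] = field(default_factory=dict)

    def bind(self, nas_id: str, *, vlan: Optional[int] = None,
             s_vid: Optional[int] = None, c_vid: Optional[int] = None) -> None:
        """nas-id <nas_id> bind { { c-vid | s-vid } * | vlan }."""
        _check_nas_id(nas_id)
        for v in (vlan, s_vid, c_vid):
            if v is not None and v not in VLAN_RANGE:
                raise ValueError("VLAN ID must be 1 to 4094")
        if vlan is not None:
            if s_vid is not None or c_vid is not None:
                raise ValueError("vlan cannot be combined with s-vid/c-vid")
            self.vlan[vlan] = nas_id
        elif s_vid is None and c_vid is None:
            raise ValueError("specify vlan, s-vid, c-vid, or both tags")
        else:
            self.qinq[(s_vid, c_vid)] = nas_id

    def lookup(self, *, vlan: Optional[int] = None, s_vid: Optional[int] = None,
               c_vid: Optional[int] = None) -> Optional[str]:
        """Resolve the bound NAS-ID for a packet's tags.

        Double-tagged packets follow the documented order: both tags match,
        outer tag matches, inner tag matches. Single-tagged packets use the
        plain vlan bindings (an assumption of this example)."""
        if s_vid is not None and c_vid is not None:
            for key in ((s_vid, c_vid), (s_vid, None), (None, c_vid)):
                if key in self.qinq:
                    return self.qinq[key]
            return None
        if vlan is not None:
            return self.vlan.get(vlan)
        return None


def select_nas_id(profile: Optional[NasIdProfile], interface_nas_id: Optional[str],
                  domain_nas_id: Optional[str], device_name: str, *,
                  vlan: Optional[int] = None, s_vid: Optional[int] = None,
                  c_vid: Optional[int] = None) -> str:
    """Value placed in the RADIUS NAS-Identifier attribute, chosen in the
    page's order: profile VLAN binding, interface NAS-ID, ISP domain NAS-ID,
    and finally the device name."""
    if profile is not None:
        bound = profile.lookup(vlan=vlan, s_vid=s_vid, c_vid=c_vid)
        if bound is not None:
            return bound
    if interface_nas_id:
        return interface_nas_id
    if domain_nas_id:
        return domain_nas_id
    return device_name


def demo() -> Dict[str, str]:
    """Constructed profile and packets; returns the NAS-ID chosen for each."""
    prof = NasIdProfile()
    prof.bind("222", vlan=2)                # the page's own example binding
    prof.bind("pop-north", s_vid=100)       # outer tag only
    prof.bind("pop-north-floor1", s_vid=100, c_vid=10)
    prof.bind("tenant-20", c_vid=20)        # inner tag only
    prof.bind("333", vlan=2)                # replaces the VLAN 2 binding
    args = (prof, "gi-nas", "test", "Sysname")
    return {
        "single vlan 2": select_nas_id(*args, vlan=2),
        "s100/c10": select_nas_id(*args, s_vid=100, c_vid=10),
        "s100/c11": select_nas_id(*args, s_vid=100, c_vid=11),
        "s200/c20": select_nas_id(*args, s_vid=200, c_vid=20),
        "s200/c21 unbound": select_nas_id(*args, s_vid=200, c_vid=21),
        "domain only": select_nas_id(None, None, "test", "Sysname"),
        "nothing configured": select_nas_id(None, None, None, "Sysname"),
    }
```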

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2

Related commands

aaa nas-id profile

redirect active-time

Use redirect active-time to set the redirect URL active period during which all Web visit requests of a user are redirected to the redirect URL.

Use undo redirect active-time to restore the default.

Syntax

redirect active-time time

undo redirect active-time

Default

The redirect URL active period is not set.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

time: Sets the active period, in the range of 1 to 900 seconds.

Usage guidelines

If the server assigns a redirect URL to a user after it passes authentication, the device redirects the user to the redirect URL when the user accesses the network for the first time. The redirect URL might provide important information for the user (for example, advertisements, notices, and charge overdue notifications).

Some applications (for example, input software) initiate background Web visit requests to visit the network before the user actively accesses the network. As a result, the device might not redirect the active Web visit requests of the user to the redirect URL because the number of times that the device redirects the background requests has reached the maximum number of redirect times. In this case, the user does not obtain the information provided by the redirect URL.

To resolve this issue, use this command to set the redirect URL active period. In this period, all Web visit requests of a user are redirected to the redirect URL. The period starts for a user when the server or the device assigns a redirect URL to the user because the user comes online or the server performs a COA authorization.

This command takes effect only on PPP and IPoE users.

This command takes effect on a user in either of the following conditions:

·     The server assigns the user a redirect URL and the attribute that sets the number of redirect times.

·     The server does not assign the user a redirect URL. However, an authorization redirect URL has been configured for the ISP domain and the number of times that the device redirects the user to the redirect URL is not limited.

This command has higher priority than the maximum number of redirect times configured by using the authorization-attribute redirect-times command in ISP domain view. If limiting the maximum number of redirect times is required, do not use this command to set the active period.

Examples

# In ISP domain test, set the active period of the redirect URL to 60 seconds.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] redirect active-time 60

Related commands

authorization-attribute (ISP domain view)

display domain

redirect server

redirect move-temporarily enable

Use redirect move-temporarily enable to enable the temporary redirect feature.

Use undo redirect move-temporarily enable to disable the temporary redirect feature.

Syntax

redirect move-temporarily enable

undo redirect move-temporarily enable

Default

The temporary redirect feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Typically, the device carries the redirect URL coded in JavaScript in HTTP or HTTPS responses sent to users. The users obtain the redirect URL by parsing the JavaScript code. If the endpoint of a user (an application, for example) does not support JavaScript, the user cannot be redirected.

To resolve this issue, enable the temporary redirect feature. This feature enables the device to send HTTP or HTTPS responses with status code 302 to users so that the users can obtain the redirect URL.

This feature is applicable only to PPP and IPoE users.

Examples

# In ISP domain test, enable the temporary redirect feature.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] redirect move-temporarily enable

Related commands

display domain

redirect server

Use redirect server to specify an IP address of the Web server that owns the redirect URL.

Use undo redirect server to remove an IP address of the Web server that owns the redirect URL.

Syntax

redirect server { ip ipv4-address | ipv6 ipv6-address }

undo redirect server { ip | ipv6 }

Default

No redirect server IP address is specified.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address of the redirect server.

ipv6 ipv6-address: Specifies the IPv6 address of the redirect server.

Usage guidelines

To improve the efficiency and accuracy of Web redirections, use this command to specify an IP address of the Web server that owns the redirect URL. When the device redirects a Web visit request of a user, it first checks whether the destination IP address of the request is the specified IP address of the Web server. If the two addresses are the same, the device allows the request to pass through. If they are different, the device pushes the redirect URL assigned by the server to the user.

·     If the redirect URL does not contain a redirect server IP address, the device uses the IP address specified by using this command as the redirect destination IP address. Make sure the specified IP address is the same as the IP address resolved from the URL.

·     If the redirect URL contains a redirect server IP address but the IP address is different from the IP address specified by using this command, the device uses the IP address specified by using this command as the redirect destination IP address.

·     If the redirect URL does not contain a redirect server IP address and no redirect server IP address is specified, redirection might fail due to lack of redirect server IP address.

This command takes effect only on PPP and IPoE users.

In an ISP domain, you can specify only one IPv4 address and one IPv6 address of the Web redirect server.

Examples

# In ISP domain test, specify the server at 5.1.1.1 as the redirect server.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] redirect server ip 5.1.1.1

Related commands

display domain

redirect aging-time

reset aaa abnormal-offline-record

Use reset aaa abnormal-offline-record to clear user abnormal offline records.

Syntax

reset aaa abnormal-offline-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user abnormal offline records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user abnormal offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user abnormal offline records.

<Sysname> reset aaa abnormal-offline-record

Related commands

display aaa abnormal-offline-record

reset aaa normal-offline-record

Use reset aaa normal-offline-record to clear user normal offline records.

Syntax

reset aaa normal-offline-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user normal offline records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user normal offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user normal offline records.

<Sysname> reset aaa normal-offline-record

Related commands

display aaa normal-offline-record

reset aaa offline-record

Use reset aaa offline-record to clear user offline records.

Syntax

reset aaa offline-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user offline records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user offline records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user offline records.

<Sysname> reset aaa offline-record

Related commands

display aaa offline-record

reset aaa online-fail-record

Use reset aaa online-fail-record to clear user online failure records.

Syntax

reset aaa online-fail-record

Views

User view

Predefined user roles

network-admin

Usage guidelines

The device saves user online failure records in memory and does not automatically clear the records unless the global active MPU reboots. To prevent the records from overusing the memory, use this command to clear all user online failure records.

Use this command with caution. Cleared records cannot be recovered.

Examples

# Clear all user online failure records.

<Sysname> reset aaa online-fail-record

Related commands

display aaa online-fail-record

secondary-web-server { ip | ipv6 }

Use secondary-web-server { ip | ipv6 } to specify an IP address of the secondary Web server.

Use undo secondary-web-server { ip | ipv6 } to remove an IP address of the secondary Web server.

Syntax

secondary-web-server [ secondary ] { ip ipv4-address | ipv6 ipv6-address }

undo secondary-web-server [ secondary ] { ip | ipv6 }

Default

No IP addresses of the secondary Web server are specified.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

secondary: Specifies an IP address as a backup IP address of the secondary Web server. If the Web server has two IP addresses, you can specify one IP address without this keyword and specify the other IP address with this keyword.

ip ipv4-address: Specifies an IPv4 address of the secondary Web server.

ipv6 ipv6-address: Specifies an IPv6 address of the secondary Web server.

Usage guidelines

If the secondary Web server is in use and the URL of a Web request carries one of the specified IP addresses, the Web request is directly forwarded to the Web server without redirection. This configuration avoids unnecessary redirection if the destination of user Web requests is one IP address of the secondary Web server when the secondary Web server is in use.

You can specify two IPv4 addresses and two IPv6 addresses for the secondary Web server.

Examples

# In ISP domain test, specify 192.168.1.1 as an IP address of the secondary Web server.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] secondary-web-server ip 192.168.1.1

Related commands

display domain

web-server { ip | ipv6 }

service rate-limit mode (ISP domain view)

Use service rate-limit mode to set the rate limit mode for EDSG services.

Use undo service rate-limit mode to restore the default.

Syntax

service rate-limit mode { merge | separate }

undo service rate-limit mode

Default

The out-band mode is used for EDSG services. The rate of EDSG traffic is limited within an independent bandwidth, and the bandwidth for the non-EDSG traffic is not affected.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

merge: Specifies the in-band mode. In this mode, the device limits the overall rates of both EDSG traffic and non-EDSG traffic for a user within the available basic bandwidth of the user. The bandwidth for the EDSG traffic is preferentially guaranteed.

separate: Specifies the out-band mode. In this mode, the device limits the rate of EDSG traffic within an independent bandwidth. The bandwidth for the non-EDSG traffic is not affected.

Usage guidelines

Assume that the available basic bandwidth for a user is 20 Mb and the available bandwidth for EDSG traffic of the user is 12 Mb.

·     In in-band mode, the EDSG bandwidth is included in the basic bandwidth. The actual bandwidth for the user is 20 Mb, in which 12 Mb is exclusively used for EDSG services, and the remaining 8 Mb is used for non-EDSG services.

·     In out-band mode, the EDSG bandwidth is excluded from the basic bandwidth. The actual bandwidth for the user is 32 Mb, in which 12 Mb is exclusively used for EDSG services.

The rate limit mode set in EDSG service policy view takes precedence over the rate limit mode set in ISP domain view.

Examples

# In ISP domain test, set the rate limit mode for EDSG services to in-band mode.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] service rate-limit mode merge

Related commands

service policy

service rate-limit mode (EDSG service policy view)

service-type (ISP domain view)

Use service-type to specify the service type for users in an ISP domain.

Use undo service-type to restore the default.

Syntax

service-type { hsi | stb | voip }

undo service-type

Default

The service type is hsi for users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hsi: Specifies the High Speed Internet (HSI) service. This service is applicable to users that access the network through PPP and IPoE leased lines.

stb: Specifies the Set Top Box (STB) service. This service is applicable to users that access the network through STB.

voip: Specifies the Voice over IP (VoIP) service. This service is applicable to users that access the network through IP phones.

Usage guidelines

When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.

When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.

When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.

For IPoE leased line and non-PPPoE PPP users, the system uses the HSI service forcibly even if the STB or VoIP service is specified.

You can configure only one service type for an ISP domain.

Examples

# Specify the STB service for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] service-type stb

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device excludes the idle timeout period from the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Whether to configure the device to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. The idle timeout period is assigned by the authorization server after users pass authentication.

If the user goes offline due to connection failure or malfunction, the user online duration sent to the server is not the same as the actual online duration.

·     If the session-time include-idle-time command is used, the device adds the idle timeout period. The online duration sent to the server is longer than the actual online duration of the user.

·     If the undo session-time include-idle-time command is used, the device excludes the idle timeout period from the actual online duration. The online duration sent to the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

snmp-agent trap enable aaa

Use snmp-agent trap enable aaa to enable SNMP notification for AAA.

Use undo snmp-agent trap enable aaa to disable SNMP notification for AAA.

Syntax

snmp-agent trap enable aaa [ login-failed-threshold ]

undo snmp-agent trap enable aaa [ login-failed-threshold ]

Default

SNMP notification for AAA is enabled.

Views

System view

Predefined user roles

network-admin

Parameters

login-failed-threshold: Specifies SNMP notification for user login failures.

Usage guidelines

With SNMP notification for user login failures configured, the system generates a user login failure alarm for a device management user when either of the following cases exists:

·     The number of user login failures reaches the triggering threshold for the first time within an alarm period.

·     The number of user login failures increases from a value below the clearing threshold to the triggering threshold within an alarm period.

When the number of user login failures drops from the triggering threshold or higher to the clearing threshold or lower within an alarm period, the system generates an alarm removal message.

If you do not specify any keywords, the system enables or disables all AAA SNMP notification functions.
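The triggering/clearing behaviour above, as an added example that is not part of this reference or of the device software: a small alarm state machine replayed over a constructed timeline of login failures. The thresholds are assumed to be those set with aaa login-failed alarm-threshold, and the alarm period is modelled as a sliding window (an assumption, since the reference does not define the period's shape).

```python
from collections import deque

# Constructed model of the login-failure alarm described for
# snmp-agent trap enable aaa login-failed-threshold. Thresholds and period are
# assumed to come from aaa login-failed alarm-threshold; the period is modelled
# as a sliding window (assumption). Example code, not the device implementation.
class LoginFailureAlarm:
    def __init__(self, trigger_threshold, clear_threshold, period_seconds):
        if not 0 <= clear_threshold < trigger_threshold:
            raise ValueError("clearing threshold must be below the triggering threshold")
        self.trigger = trigger_threshold
        self.clear = clear_threshold
        self.period = period_seconds
        self.failures = deque()   # timestamps of failures still inside the alarm period
        self.alarm_active = False
        self.below_clear = True   # count has been below the clearing threshold since the last alarm
        self.events = []          # (event, timestamp, failure count)

    def _expire(self, now):
        # Drop failures that fall outside the alarm period.
        while self.failures and now - self.failures[0] >= self.period:
            self.failures.popleft()

    def record_failure(self, now):
        """A device management user failed to log in at time `now`."""
        self._expire(now)
        self.failures.append(now)
        return self._evaluate(now)

    def tick(self, now):
        """Re-evaluate without a new failure (old failures age out of the period)."""
        self._expire(now)
        return self._evaluate(now)

    def _evaluate(self, now):
        count = len(self.failures)
        event = None
        if not self.alarm_active:
            if count < self.clear:
                self.below_clear = True
            # Raise: count reached the triggering threshold for the first time, or
            # rose from below the clearing threshold to the triggering threshold.
            if count >= self.trigger and self.below_clear:
                self.alarm_active = True
                self.below_clear = False
                event = ("ALARM", now, count)
        elif count <= self.clear:
            # Remove: count dropped from >= trigger to <= clear within the period.
            self.alarm_active = False
            self.below_clear = count < self.clear
            event = ("ALARM_CLEARED", now, count)
        if event:
            self.events.append(event)
        return event


def simulate(trigger, clear, period, timeline):
    """Replay a constructed timeline of ("fail", t) / ("tick", t) items; return the events."""
    alarm = LoginFailureAlarm(trigger, clear, period)
    for kind, t in timeline:
        if kind == "fail":
            alarm.record_failure(t)
        else:
            alarm.tick(t)
    return alarm.events


if __name__ == "__main__":
    # Constructed scenario: trigger at 5 failures, clear at 2, 60-second period.
    timeline = ([("fail", t) for t in range(0, 7)]
                + [("tick", 63), ("tick", 65)]
                + [("fail", t) for t in range(70, 75)])
    for event in simulate(5, 2, 60, timeline):
        print(event)
```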

Examples

# Enable SNMP notification for user login failures.

<Sysname> system-view

[Sysname] snmp-agent trap enable aaa login-failed-threshold

Related commands

aaa login-failed alarm-threshold

snmp-agent trap enable domain

Use snmp-agent trap enable domain to enable SNMP notifications for ISP domains.

Use undo snmp-agent trap enable domain to disable SNMP notifications for ISP domains.

Syntax

snmp-agent trap enable domain { ip-usage-warning | ipv6-usage-warning | web-server-ipv6-url-warning | web-server-url-warning } *

undo snmp-agent trap enable domain { ip-usage-warning | ipv6-usage-warning | web-server-ipv6-url-warning | web-server-url-warning } *

Default

SNMP notifications are disabled for ISP domains.

Views

System view

Predefined user roles

network-admin

Parameters

ip-usage-warning: Enables SNMP notifications for authorization IPv4 address usage. The device generates a notification when the IPv4 address usage reaches or exceeds the high alarm threshold, drops below or reaches the low alarm threshold, or restores to the normal range.

ipv6-usage-warning: Enables SNMP notifications for authorization IPv6 address or prefix usage. The device generates a notification when the IPv6 address or prefix usage reaches or exceeds the high alarm threshold, drops below or reaches the low alarm threshold, or restores to the normal range.

web-server-ipv6-url-warning: Enables SNMP notifications for changes in reachability to the IPv6 URLs of the Web servers. The device generates a notification in the following situations:

·     The IPv6 URL of a Web server changes from unreachable to reachable.

·     The IPv6 URL of a Web server changes from reachable to unreachable.

·     The IPv6 URL of a Web server in use changes.

web-server-url-warning: Enables SNMP notifications for changes in reachability to the IPv4 URLs of the Web servers. The device generates a notification in the following situations:

·     The IPv4 URL of a Web server changes from unreachable to reachable.

·     The IPv4 URL of a Web server changes from reachable to unreachable.

·     The IPv4 URL of a Web server in use changes.

Usage guidelines

After you enable SNMP notifications for ISP domains, the device generates a notification if a specific event occurs in an ISP domain. For ISP domain event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

For the device to correctly generate notifications about authorization IPv4 address usage in ISP domains, set the alarm thresholds for authorization IPv4 address usage in the ISP domains.

For the device to correctly generate notifications about authorization IPv6 address or prefix usage in ISP domains, set the alarm thresholds for authorization IPv6 address or prefix usage in the ISP domains.

For this feature to take effect when the device acts as a DHCP or DHCPv6 relay agent, you must execute the network command in the relay address pool on the DHCP relay agent. Make sure the subnet specified in the network command is the same as the subnet specified for the DHCP address pool of the DHCP server.

As a best practice to make better use of SNMP notifications for changes in reachability to Web server URLs, associate the URLs with track entries when you specify the URLs. In addition, associate each of the track entries with an HTTP NQA operation. The URL-Track-NQA collaboration will detect the reachability and performance of the Web servers in time.

Examples

# Enable SNMP notifications for authorization IPv4 address usage in ISP domains.

<Sysname> system-view

[Sysname] snmp-agent trap enable domain ip-usage-warning

Related commands

ip-usage-warning

ipv6-usage-warning

network (BRAS Services Command Reference)

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block [ time-range ] [ offline ] }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services. This keyword takes effect on all types of users except the SSH users that perform public key authentication.

time-range: Places the ISP domain in blocked state based on time ranges. If you specify the block keyword but do not specify the time-range keyword, the ISP domain is always placed in blocked state.

offline: Logs off online users (including IPoE and PPP users) in the ISP domain when the state of the ISP domain changes to blocked. If you specify the block keyword but do not specify the offline keyword, the users in the ISP domain stay online when the state of the ISP domain changes to blocked.

Usage guidelines

To block an ISP domain based on time ranges, specify the time-range keyword in this command, and specify time ranges by using the state block time-range name command.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] state block

Related commands

display domain

state block time-range name

state block time-range name

Use state block time-range name to specify time ranges during which an ISP domain is placed in blocked state.

Use undo state block time-range name to delete time ranges for placing an ISP domain in blocked state.

Syntax

state block time-range name time-range-name

undo state block time-range { all | name time-range-name }

Default

No time ranges are specified for placing an ISP domain in blocked state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. The string must begin with a letter and cannot be all.

all: Specifies all time ranges.

Usage guidelines

The specified time ranges take effect only when the device is configured to block an ISP domain based on time ranges. To configure the device to block the ISP domain based on time ranges, use the state block time-range command.

You can repeat this command to specify multiple time ranges.

Examples

# Specify time ranges t1 and t2 for placing ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] state block time-range name t1

[Sysname-isp-test] state block time-range name t2

Related commands

state

time-range (ACL and QoS Command Reference)

strict-check access-interface vpn-instance

Use strict-check access-interface vpn-instance to enable strict check for VPN instances bound to the user access interfaces.

Use undo strict-check access-interface vpn-instance to disable strict check for VPN instances bound to the user access interfaces.

Syntax

strict-check access-interface vpn-instance

undo strict-check access-interface vpn-instance

Default

Strict check is disabled for VPN instances bound to the user access interfaces.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

This feature is available only for static IPoE users, including static individual users and static leased users.

Use this feature to allow a static IPoE user to come online only when the VPN instance bound to the access interface of the user is the same as the following VPN instances (if any):

·     The VPN instance bound to the static IPoE session of the user.

·     The VPN instance assigned by AAA to the user.

When this feature is disabled, the device assigns static IPoE users to different VPN instances when the users come online, depending on their VPN instance configuration and authorization information.

·     If no VPN instance is bound to the static IPoE session of a user and AAA does not assign a VPN instance to the user, the user belongs to the VPN instance of its access interface when it comes online. If no VPN instance is bound to the interface, the user belongs to the public network.

·     If a VPN instance is bound to the static IPoE session of a user or AAA assigns a VPN instance to the user, the user belongs to this VPN instance when it comes online. Whether a VPN instance is bound to the user access interface does not affect the VPN instance assignment.

·     If a VPN instance is bound to the static IPoE session of a user and AAA assigns the same VPN instance to the user, the user belongs to that VPN instance when it comes online. If the VPN instances are different, the user cannot come online.

When this feature is enabled, the device examines whether the VPN instance settings are consistent for a static IPoE user when the user comes online in the ISP domain. Depending on the examination result, the device controls whether to assign the user to a VPN instance or the public network or deny the user from coming online.

·     If no VPN instance is bound to the static session of the user or AAA does not assign a VPN instance to the user, the user belongs to the VPN instance bound to its access interface after it comes online. If no VPN instance is bound to the access interface, the user belongs to the public network after it comes online.

·     If a VPN instance is bound to the static session of the user or AAA assigns a VPN instance to the user, the VPN instance must be the same as the VPN instance bound to the user's access interface. The user belongs to the VPN instance after it comes online. If the VPN instances are different, the user cannot come online.

·     If a VPN instance is bound to the static session of the user and AAA assigns a VPN instance to the user, the VPN instances must be the same as the VPN instance bound to the user's access interface. The user belongs to the VPN instance after it comes online. If the three VPN instances are different, the user cannot come online.
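The two decision tables above (feature disabled and feature enabled), as an added example that is not part of this reference or of the device software: one function that takes the VPN instance bound to the access interface, the one bound to the static IPoE session and the one assigned by AAA, and returns where the user lands. None stands for "no VPN instance" (public network); treating a public-network interface as a mismatch under strict check is an assumption.

```python
# Constructed model of the checks described for strict-check access-interface
# vpn-instance. None means "no VPN instance" (the public network). Example code,
# not the device's implementation; VPN instance names are made up.

def resolve_vpn_instance(interface_vpn, session_vpn, aaa_vpn, strict_check):
    """Return ("online", vpn) with the VPN instance the static IPoE user joins
    (None = public network), or ("denied", reason) if the user cannot come online."""
    configured = [v for v in (session_vpn, aaa_vpn) if v is not None]

    # No VPN instance bound to the static session and none assigned by AAA:
    # in both modes the user follows its access interface.
    if not configured:
        return ("online", interface_vpn)

    # A session-bound and an AAA-assigned VPN instance must agree in both modes.
    if len(set(configured)) > 1:
        return ("denied", "session-bound VPN instance differs from the AAA-assigned one")
    vpn = configured[0]

    # Strict check: the VPN instance must also match the access interface.
    # Assumption: an interface with no VPN instance (public network) counts as a mismatch.
    if strict_check and vpn != interface_vpn:
        return ("denied", f"VPN instance {vpn} differs from access-interface VPN instance {interface_vpn}")

    return ("online", vpn)


def check_domain_users(strict_check, users):
    """Evaluate constructed user records (dicts with name, interface_vpn, session_vpn, aaa_vpn)."""
    return {
        u["name"]: resolve_vpn_instance(u["interface_vpn"], u["session_vpn"], u["aaa_vpn"], strict_check)
        for u in users
    }


if __name__ == "__main__":
    # Constructed users on an interface bound to vpnA.
    users = [
        {"name": "u1", "interface_vpn": "vpnA", "session_vpn": None,   "aaa_vpn": None},
        {"name": "u2", "interface_vpn": "vpnA", "session_vpn": "vpnB", "aaa_vpn": None},
        {"name": "u3", "interface_vpn": "vpnA", "session_vpn": "vpnA", "aaa_vpn": "vpnA"},
        {"name": "u4", "interface_vpn": "vpnA", "session_vpn": "vpnA", "aaa_vpn": "vpnB"},
    ]
    for mode in (False, True):
        print("strict check", "enabled" if mode else "disabled")
        for name, result in check_domain_users(mode, users).items():
            print(" ", name, result)
```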

Examples

# Enable strict check for VPN instances bound to the access interfaces of IPoE users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] strict-check access-interface vpn-instance

Related commands

display domain

ip subscriber session static (BRAS Services Command Reference)

user-address-type

Use user-address-type to specify the user address type in the ISP domain.

Use undo user-address-type to restore the default.

Syntax

user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }

undo user-address-type

Default

No user address type is specified for the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ds-lite: Specifies the DS-Lite address type.

ipv6: Specifies the IPv6 address type.

nat64: Specifies the NAT64 address type.

private-ds: Specifies the private-DS address type.

private-ipv4: Specifies the private IPv4 address type.

public-ds: Specifies the public-DS address type.

public-ipv4: Specifies the public IPv4 address type.

Usage guidelines

Specify the address type for users in an ISP domain according to the actual customer network environment and address assignment policies for the users.

On a CGN network, specify the private address type used by users to come online in an ISP domain if the users use private IP addresses. With the configuration, the device can cooperate with NAT444 to do public IP address assignment, port block assignment, and user tracking after the users pass authentication. If you do not specify the private address type used by users in the ISP domain, you can assign a NAT instance to the users for the device to cooperate with NAT444. For more information about assigning a NAT instance to users, see the user-group bind nat-instance command.

Any change to the user address type does not affect online users.

Examples

# Specify the private IPv4 address type for users in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] user-address-type private-ipv4

Related commands

display domain

user-group bind nat-instance

Use user-group bind nat-instance to bind a user group to a NAT instance.

Use undo user-group to remove user group-to-NAT instance bindings.

Syntax

user-group name group-name bind nat-instance instance-name

undo user-group [ name group-name ]

Default

No user group is bound to any NAT instance and the load sharing feature is disabled in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters. The user group must already exist.

instance-name: Specifies a NAT instance by its name, a case-sensitive string of 1 to 31 characters. If the NAT instance name contains spaces, you must enclose the name in double quotation marks (for example, "xxx xxx"). Make sure the specified NAT instance takes effect.

Usage guidelines

In a NAT and BRAS unification scenario, the load sharing feature in an ISP domain is enabled after you bind a user group in that domain to a NAT instance. User groups bound to NAT instances are load-sharing user groups.

The device assigns an authenticated user to a load-sharing user group and uses the NAT instance associated with that user group to process the NAT service of the user. The rules are as follows:

·     If the AAA server assigns a user group to the user, the device identifies whether the user group has been bound to a NAT instance in the ISP domain.

¡     If the user group has been bound to a NAT instance, the device will use the NAT instance to process the NAT service of the user.

¡     If the user group is not bound to a NAT instance, the user cannot come online.

·     If the AAA server does not assign a user group to the user, the device selects a user group for the user from the user groups that have been bound to NAT instances in the ISP domain. The selection order is as follows:

a.     The user group that has the fewest online users.

b.     The user group that is configured most recently.

The device will use the NAT instance associated with the selected group to process the NAT service of the user.

·     If the AAA server does not assign a user group to the user and no load-sharing user group is configured in the ISP domain, no NAT instance is available for the user.

¡     If the ISP domain is configured with user-address-type private-ipv4, the user cannot come online.

¡     If the ISP domain is not configured with user-address-type private-ipv4, the user comes online as a non-CGN user.

For more information about NAT and NAT instances, see NAT Configuration Guide.

If you do not specify the name group-name option, the undo user-group command removes all user group-to-NAT instance bindings and disables the load sharing feature in the ISP domain.

The system supports multiple user group-to-NAT instance bindings. The following rules apply:

·     An ISP domain supports a maximum of 32 user group-to-NAT instance bindings.

·     A user group can be bound to only one NAT instance. If you have bound a user group to a NAT instance in an ISP domain, you cannot bind this user group to other NAT instances in this ISP domain. Additionally, you cannot bind this user group to this NAT instance in any other ISP domain.

·     Multiple user groups can be bound to the same NAT instance.

To modify a user group-to-NAT instance binding, you must first use the undo user-group name group-name command to remove the original binding. A change to the user group-to-NAT instance binding does not affect users that have been online before the change.

The user-group bind nat-instance and load-sharing user-group commands are mutually exclusive in an ISP domain. Before you use the user-group bind nat-instance command, remove the configuration of the load-sharing user-group command. In addition, make sure the ISP domain does not have users that came online before the load-sharing user-group command configuration is removed.
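The selection rules and binding restrictions above, as an added example that is not part of this reference or of the device software: a small model of an ISP domain that accepts bindings and applies the server-assigned, fewest-users and most-recently-configured rules when a user passes authentication. Group names, NAT instance names and user counts are constructed.

```python
from dataclasses import dataclass

# Constructed model of the load-sharing user group selection described for
# user-group bind nat-instance. Example code, not the device's implementation.

MAX_BINDINGS = 32   # user group-to-NAT instance bindings per ISP domain


@dataclass
class LoadSharingGroup:
    name: str
    nat_instance: str
    config_order: int        # higher value = configured more recently
    online_users: int = 0


class IspDomain:
    def __init__(self, name, private_ipv4=False):
        self.name = name
        self.private_ipv4 = private_ipv4   # user-address-type private-ipv4 configured
        self.groups = {}                   # user group name -> LoadSharingGroup
        self._order = 0

    def bind(self, group_name, nat_instance):
        """user-group name <group_name> bind nat-instance <nat_instance>."""
        if group_name in self.groups:
            raise ValueError("remove the existing binding with undo user-group name first")
        if len(self.groups) >= MAX_BINDINGS:
            raise ValueError("an ISP domain supports at most 32 bindings")
        self._order += 1
        self.groups[group_name] = LoadSharingGroup(group_name, nat_instance, self._order)

    def unbind(self, group_name=None):
        """undo user-group [ name group-name ]: remove one binding, or all of them."""
        if group_name is None:
            self.groups.clear()
        else:
            self.groups.pop(group_name)

    def admit_user(self, server_assigned_group=None):
        """Apply the selection rules when a user passes authentication.
        Returns ("online", group, nat_instance), ("non-cgn", None, None) or ("denied", None, None)."""
        if server_assigned_group is not None:
            group = self.groups.get(server_assigned_group)
            if group is None:
                return ("denied", None, None)   # assigned group is not bound to a NAT instance
        elif self.groups:
            # Fewest online users first; on a tie, the most recently configured group.
            group = min(self.groups.values(), key=lambda g: (g.online_users, -g.config_order))
        elif self.private_ipv4:
            return ("denied", None, None)       # private-ipv4 users need a NAT instance
        else:
            return ("non-cgn", None, None)      # comes online as a non-CGN user
        group.online_users += 1
        return ("online", group.name, group.nat_instance)


if __name__ == "__main__":
    domain = IspDomain("test", private_ipv4=True)
    for group, nat in (("g1", "cp1"), ("g2", "cp2"), ("g3", "cp3")):
        domain.bind(group, nat)
    domain.groups["g1"].online_users = 3     # constructed current load
    domain.groups["g2"].online_users = 1
    domain.groups["g3"].online_users = 1
    print(domain.admit_user())               # g3: tie on load, configured most recently
    print(domain.admit_user())               # g2: g3 now has more users
    print(domain.admit_user("g1"))           # server-assigned group
    print(domain.admit_user("g9"))           # assigned group not bound: denied
```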

Examples

# In ISP domain test, bind user group g1 to NAT instance cp1 for load sharing of users.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] user-group name g1 bind nat-instance cp1

Related commands

display domain

load-sharing user-group

user-group

users-per-account

Use users-per-account to set the maximum number of concurrent logins for a user account.

Use undo users-per-account to restore the default.

Syntax

users-per-account max-user-number [ case-insensitive ]

undo users-per-account

Default

Users in an ISP domain do not share user accounts. The traffic of each user is limited by the traffic policing parameters authorized to the user.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins for a user account, in the range of 1 to 512.

case-insensitive: Does not use capitalization to differentiate usernames. To use capitalization to differentiate usernames, do not specify this keyword.

Usage guidelines

Use this command to limit the number of concurrent logins (or shared-account users) for a user account. The shared-account users for a user account use the same username and belong to the same ISP domain (server-assigned or authentication domain). They share the bandwidth allocated to the user account. In other words, the total traffic of the shared-account users is limited to the authorization traffic policing settings of the user account.

This command is applicable only to PPPoE, IPoE, and L2TP users.

For shared-account users, the ISP domain assigned by the server has a higher priority than the authentication ISP domain.

The idle-cut feature does not take effect on shared-account users.

The maximum number of shared-account users assigned by the server through the Port-Limit attribute (attribute 62) takes precedence over the value set by using the users-per-account command. If the server-assigned value is greater than 512, the effective value is 512.

As a best practice, set the maximum number of concurrent logins to 16 for a user account.

Examples

# In ISP domain test, set the maximum number of concurrent logins to 5 for a user account, and configure the device not to use capitalization to differentiate usernames in user accounts.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] users-per-account 5 case-insensitive

Related commands

display domain

web-server { ip | ipv6 }

Use web-server { ip | ipv6 } to specify an IP address of the Web server.

Use undo web-server { ip | ipv6 } to remove an IP address of the Web server.

Syntax

web-server { ip ipv4-address | ipv6 ipv6-address } [ secondary ]

undo web-server { ip | ipv6 } [ secondary ]

Default

No IP addresses are specified for the Web server.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address of the Web server.

ipv6-address: Specifies an IPv6 address of the Web server.

secondary: Specifies the IP address as a backup IP address of the Web server. If the Web server has two IP addresses, you can specify one IP address without this keyword and specify the other IP address with this keyword.

Usage guidelines

If the URL of a Web request carries one of the specified IP addresses, the Web request is directly forwarded to the Web server without redirection. This configuration avoids unnecessary redirection if the destination of user Web requests is one IP address of the Web server.

You can specify two IPv4 addresses and two IPv6 addresses for the Web server.

Examples

# Specify 192.168.1.1 as an IP address of the Web server in ISP domain test.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server ip 192.168.1.1

Related commands

display domain

web-server { url | ipv6-url }

Use web-server { url | ipv6-url } to specify a Web server URL.

Use undo web-server { url | ipv6-url } to remove the specified Web server URL.

Syntax

web-server { url ipv4-url-string | ipv6-url ipv6-url-string } [ secondary ] [ track track-entry-number ]

undo web-server { url | ipv6-url } [ secondary ]

Default

No Web server URLs are specified.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ipv4-url-string: Specifies the IPv4 URL of a Web server. The URL is a case-sensitive string of 1 to 255 characters and cannot start with a question mark (?). If the specified URL does not start with http:// or https://, the system determines that the URL starts with http://.

ipv6-url-string: Specifies the IPv6 URL of a Web server. The URL is a case-sensitive string of 1 to 255 characters and cannot start with a question mark (?). If the specified URL does not start with http:// or https://, the system determines that the URL starts with http://.

secondary: Specifies the URL as the URL of the secondary Web server. If you do not specify this keyword, the specified URL is the URL of the primary Web server.

track track-entry-number: Specifies a track entry by its ID in the range of 1 to 1024. If you do not specify a track entry, the specified URL is not associated with a track entry.

Usage guidelines

Application scenarios

Specify IPv4, IPv6, or both types of Web server URLs depending on the network environment.

If you specify an IPv4 Web server URL in an IPoE preauthentication domain, the device redirects the IPv4 HTTP requests with destination port 80 or the HTTPS requests with destination port 443 from unauthenticated IPoE users to that URL for authentication. For high availability, you can specify the IPv4 URLs of the primary and secondary Web servers.

If you specify an IPv6 Web server URL in the preauthentication domain of IPoE users, the device redirects the IPv6 HTTP and HTTPS requests from users to that URL for authentication. If no IPv6 Web server URLs are specified, the device redirects the IPv6 HTTP and HTTPS requests from users to the available IPv4 URL (if any). To ensure compatibility with existing configurations, you can also use web-server url to specify an IPv6 Web server URL in a pure IPv6 environment.

Recommended configuration

You can associate a track entry with a URL. The AAA module determines whether the Web server providing the URL is reachable, depending on the status of the track entry. If the server providing the URL is unreachable, the device can redirect HTTP requests to another URL.

As a best practice, configure the track entry associated with a Web server URL to collaborate with an HTTP NQA operation. The URL-Track-NQA collaboration can detect the reachability and performance of the Web server in time. For more information about Track, see High Availability Configuration Guide. For more information about NQA, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

The device selects a Web server URL as follows:

·     If both the primary and secondary URLs are configured and the URLs are not associated with track entries, the primary URL takes effect.

·     If only the primary or secondary URL is configured and the URL is not associated with a track entry, the configured URL takes effect.

·     The primary URL always takes effect if it is not associated with a track entry or the track entry associated with the URL is in Positive or NotReady state.

·     If the primary URL is not configured or the state of the track entry associated with the primary URL changes to Negative, the device checks the secondary URL.

¡     The secondary URL takes effect if it is not associated with a track entry or its associated track entry is in Positive or NotReady state.

¡     No URL is available if no secondary URL is configured or the track entry associated with the secondary URL is in Negative state.

With both primary and secondary redirect URLs configured and associated with track entries, after an IPoE user comes online in the preauthentication domain, the system cannot immediately authorize the secondary URL to the user if the primary URL is unreachable. In this case, force the IPoE user to go offline as a best practice. When the user comes online again, the user can access the secondary redirect URL if primary/secondary switchover has been triggered by track detection.

Examples

# Configure the Web server in ISP domain test to provide services at IPv4 URL http://1.2.3.4 and IPv6 URL http://[10:110::1:2].

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server url http://1.2.3.4

[Sysname-isp-test] web-server ipv6-url http://[10:110::1:2]

Related commands

display domain

ip subscriber pre-auth domain (BRAS Services Command Reference)

web-server url-parameter

web-server url-parameter

Use web-server url-parameter to add a parameter to the Web server URL.

Use undo web-server url-parameter to remove a parameter from the Web server URL.

Syntax

web-server url-parameter param-name { nas-id | nas-port-id | original-url | remote-id | source-address | source-mac [ encryption { aes | des } key { cipher | simple } string ] [ section { 1 | { 3 | 6 } [ separator separator-character ] } { lowercase | uppercase } ] | ssid | user-location | value expression }

undo web-server url-parameter param-name

Default

No parameters are added to the URL of the Web server.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Contents of the parameter are determined by the keywords or options following the param-name argument.

nas-id: Specifies the NAS-ID.

nas-port-id: Specifies the NAS-Port-Id attribute value.

original-url: Specifies the URL of the webpage that a user requests.

remote-id: Specifies the Remote ID obtained from user DHCP packets.

source-address: Specifies the user IP address.

source-mac: Specifies the user MAC address.

encryption: Specifies an encryption algorithm to encrypt the user MAC address. If you do not specify this keyword, the device adds the user MAC address in plaintext form to the Web server URL.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies a case-sensitive key string. The string length varies by the selected encryption algorithm:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

section: Specifies the number of sections that a MAC address contains. If you do not specify this keyword, the MAC address is in the three-section format with uppercase letters, for example, XXXX-XXXX-XXXX.

·     1: Specifies the one-section format XXXXXXXXXXXX.

·     3: Specifies the three-section format XXXX-XXXX-XXXX.

·     6: Specifies the six-section format XX-XX-XX-XX-XX-XX.

·     separator separator-character: Specifies the delimiter to separate the MAC address into multiple sections, a case-sensitive character. If you do not specify a delimiter, the system uses hyphen (-) as the delimiter.

·     lowercase: Specifies the letters in a MAC address to be in lower case.

·     uppercase: Specifies the letters in a MAC address to be in upper case.

ssid: Specifies the SSID.

user-location: Specifies the user access location, in the format of port:vlan1.vlan2.

·     The port argument represents the interface type and number (for example, eth/6/0/4). If the access interface is an aggregate interface, the interface type is ethtrunk. For example, ethtrunk/44 represents an aggregate interface.

·     The vlan1 and vlan2 arguments represent the outer VLAN ID and inner VLAN ID, respectively. If only information of a single VLAN is available, 0 is used as the value for the vlan2 argument (for example, eth/6/0/4:10.0). If no VLAN information is available, 0 is used as the value for both the arguments (for example, eth/6/0/4:0.0).

value expression: Specifies a custom case-sensitive string of 1 to 255 characters.

Usage guidelines

You can repeat this command to add multiple parameters to the Web server URL. For example, to attach the user IP address and a custom string of http://www.abc.com/welcome to the Web server URL http://1.2.3.4/, perform the following tasks:

·     Execute this command with the userip source-address parameter.

·     Execute this command with the userurl value http://www.abc.com/welcome parameter.

The device will redirect Web requests from IP address 1.1.1.1 to the URL at http://1.2.3.4/?userip=1.1.1.1&userurl=http%3a%2f%2fwww%2eabc%2ecom%2fwelcome.

In the custom strings of the Web server URL, all characters except letters, digits, equal signs (=), and ampersand signs (&) are percent-encoded, that is, written as a percent sign followed by the character code (for example, %3a for a colon). This ensures that the custom strings can be correctly parsed by all kinds of browsers.

For the Web server URL that carries parameters to take effect, make sure the URL ends with a forward slash (/).

Make sure names of the specified parameters are the same as those supported by the Web server. Names of supported parameters vary by Web server type. For example, the IMC server supports parameters original-url, source-address, and source-mac, and names of the parameters are userurl, userip, and usermac, respectively. To add the user IP address to the Web server URL, you must configure the param-name argument as userip and specify the source-address keyword.

To carry a user SSID in the Web server URL, you must set the SSID on the user access interface by using the aaa ssid command.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.
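The following is an added example, not code from the H3C reference: it models repeated web-server url-parameter lines for one ISP domain and renders the redirect URL exactly as the usage guidelines describe (custom strings percent-encoded, derived values such as the user IP left as-is, URL required to end with "/"), and also applies the section, separator, and case options of the source-mac parameter. Class and function names and the user attribute dictionary are assumptions of this example.

```python
from __future__ import annotations

# Constructed example, not code from the H3C reference: models the
# web-server url-parameter command of one ISP domain and renders the
# redirect URL the usage guidelines describe. Parameter kinds mirror the
# command keywords (source-address, source-mac, ssid, user-location, value).

# Punctuation the page says is left unencoded in a custom string.
_UNENCODED_PUNCT = "=&"


def encode_custom_string(value: str) -> str:
    """Encode a 'value expression' string as the usage guidelines describe:
    every character except ASCII letters, digits, '=' and '&' becomes a
    percent sign followed by its character code (lowercase hex, matching the
    page's own http%3a%2f%2f output)."""
    out: list[str] = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in _UNENCODED_PUNCT:
            out.append(ch)
        else:
            out.extend(f"%{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def format_mac(mac: str, section: int = 3, separator: str = "-",
               lowercase: bool = False) -> str:
    """Render a MAC address with the section / separator / case options of
    the source-mac parameter. Defaults follow the page: three sections,
    hyphen delimiter, uppercase letters (XXXX-XXXX-XXXX)."""
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    chunk = {1: 12, 3: 4, 6: 2}.get(section)
    if chunk is None:
        raise ValueError("section must be 1, 3 or 6")
    digits = digits.lower() if lowercase else digits.upper()
    return separator.join(digits[i:i + chunk] for i in range(0, 12, chunk))


class WebServerUrlParameters:
    """Collects repeated 'web-server url-parameter param-name ...' lines.
    Re-configuring the same param-name replaces the earlier setting, as the
    usage guidelines state."""

    def __init__(self) -> None:
        self._params: dict[str, tuple[str, dict]] = {}

    def add(self, param_name: str, kind: str, **opts) -> None:
        if kind not in {"source-address", "source-mac", "ssid",
                        "user-location", "value"}:
            raise ValueError(f"unknown parameter kind: {kind}")
        self._params[param_name] = (kind, opts)

    def _render(self, kind: str, opts: dict, user: dict) -> str:
        if kind == "value":
            return encode_custom_string(opts["expression"])
        if kind == "source-mac":
            return format_mac(user["mac"], opts.get("section", 3),
                              opts.get("separator", "-"),
                              opts.get("lowercase", False))
        key = {"source-address": "ip", "ssid": "ssid",
               "user-location": "location"}[kind]
        if key not in user:
            # e.g. the SSID is only available if 'aaa ssid' was set on the interface
            raise KeyError(f"user attribute {key!r} is not available for {kind}")
        return str(user[key])

    def redirect_url(self, server_url: str, user: dict) -> str:
        """Build the URL the device redirects the user's Web request to."""
        if not server_url.endswith("/"):
            raise ValueError("a Web server URL that carries parameters must end with '/'")
        query = "&".join(f"{name}={self._render(kind, opts, user)}"
                         for name, (kind, opts) in self._params.items())
        return f"{server_url}?{query}" if query else server_url


if __name__ == "__main__":
    # Reproduces the page's example: userip plus a custom string.
    p = WebServerUrlParameters()
    p.add("userip", "source-address")
    p.add("userurl", "value", expression="http://www.abc.com/welcome")
    print(p.redirect_url("http://1.2.3.4/", {"ip": "1.1.1.1"}))
```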

Examples

# In ISP domain test, add the user IP address and a custom string of http://www.abc.com/welcome to the Web server URL.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server url-parameter userip source-address

[Sysname-isp-test] web-server url-parameter userurl value http://www.abc.com/welcome

# In ISP domain test, add the user MAC address encrypted by using the DES algorithm to the Web server URL.

<Sysname> system-view

[Sysname] domain name test

[Sysname-isp-test] web-server url-parameter usermac source-mac encryption des key simple 12345678

Related commands

aaa ssid

display domain

web-server url

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users, because these user types do not support accounting.

For this command to take effect on a network access user, you also need to configure the accounting start-fail offline command in the ISP domain view.

Examples

# Set the maximum number of concurrent logins to 5 for the local user account named abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

accounting start-fail offline

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minutes | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | netstream-sampler sampler-name [ inbound | outbound ] | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-group-profile session-group-profile-name | session-timeout minutes | subscriber-id subscriber-id | url url-string | user-profile user-profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | netstream-sampler | { primary-dns | secondary-dns } { ip | ipv6 } | session-group-profile | session-timeout | subscriber-id | url | user-profile | user-role role-name | vlan | vpn-instance | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. The device processes the traffic that matches the rules in the authorization ACL based on the permit or deny statement in the rules.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.

idle-cut minutes: Sets an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if the user's idle period exceeds the specified idle timeout period.

ip ipv4-address: Assigns a static IPv4 address to the user after it passes authentication. This attribute is configurable only in local user view. You cannot configure it in user group view.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6 ipv6-address: Assigns a static IPv6 address to the user after it passes authentication. This attribute is configurable only in local user view. You cannot configure it in user group view.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for the user. The value range for the prefix-length argument is 1 to 128.

netstream-sampler sampler-name: Assigns a sampler to the user for NetStream sampling. The sampler-name argument represents the name of the sampler, a case-insensitive string of 1 to 31 characters. For more information about samplers, see Network Management and Monitoring Configuration Guide. If you do not specify the inbound or outbound keyword after this option, the device performs NetStream sampling on both the inbound and outbound user traffic. This attribute is configurable only in network access user view. You cannot configure it in device management user view or user group view.

inbound: Specifies the user traffic in the inbound direction.

outbound: Specifies the user traffic in the outbound direction.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for the user.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for the user.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for the user.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for the user.

session-group-profile session-group-profile-name: Specifies a session group profile for the user. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters. For more information about session group profiles, see BRAS Services Configuration Guide.

session-timeout minutes: Sets the session timeout timer for the user, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.

subscriber-id subscriber-id: Specifies a subscriber ID for the user, in the range of 1 to 4095. Subscriber IDs are used with session group profiles to implement QoS traffic control on a per-group basis. For more information about QoS and HQoS, see ACL and QoS Configuration Guide.

url url-string: Specifies the PADM URL to which the user is redirected after it passes authentication. The url-string argument is a case-sensitive string of 1 to 255 characters and must begin with http:// or https://. This option is applicable only to PPPoE users. You must specify a URL that uses port number 80 or 8080.

user-profile user-profile-name: Specifies an authorization user profile by its name. The user-profile-name argument is a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, underscores (_), minus signs (-), and dots (.). The string can begin with a letter or digit, but it cannot be all digits. The user profile restricts the behavior of authenticated users. For more information, see BRAS Services Configuration Guide.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the user belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. After passing authentication, the user has permission to access the network resources in the specified VPN.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ipv6, ip-pool, ipv6-pool, ipv6-prefix, netstream-sampler, primary-dns, secondary-dns, session-group-profile, session-timeout, subscriber-id, url, user-profile, and vpn-instance.

For IPoE users, only the following authorization attributes take effect: idle-cut, ipv6, ip-pool, ipv6-pool, ipv6-prefix, netstream-sampler, primary-dns, secondary-dns, session-group-profile, session-timeout, subscriber-id, user-profile, and vpn-instance. If the IPoE users access the network through leased lines, the vpn-instance authorization attribute does not take effect.

For LAN users, only the following authorization attributes take effect: acl, session-timeout, user-profile, and vlan.

For SSH, Telnet, and terminal users, only the following authorization attributes take effect: idle-cut and user-role.

For HTTP and HTTPS users, only the user-role authorization attribute takes effect.

For FTP users, only the following authorization attributes take effect: user-role and work-directory.

For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

When you specify an authorization ACL, the authorization ACL is invalid if it does not exist or does not contain rules.

To make sure FTP, SFTP, and SCP users can access the directory after an active/standby switchover, do not specify slot information for the working directory.

To make sure the user has only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and the security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

·     When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

·     When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.
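The following is an added example, not code from the H3C reference: it resolves which authorization attributes actually apply to a local user by applying the precedence rule (local user view over user group view) and the per-service-type lists above, flags attributes that cannot be set in user group view, and models the security-audit exclusivity rule. Function names, the attribute dictionaries, and the assumption that the operator confirms the security-audit prompt with Y are this example's own.

```python
from __future__ import annotations

# Constructed example, not code from the H3C reference: resolves which
# authorization attributes take effect for a local user, following the
# precedence and per-service-type rules in the usage guidelines.

# Attributes shared by the PPP and IPoE lists on the page.
_COMMON_ACCESS = {"idle-cut", "ipv6", "ip-pool", "ipv6-pool", "ipv6-prefix",
                  "netstream-sampler", "primary-dns", "secondary-dns",
                  "session-group-profile", "session-timeout", "subscriber-id",
                  "user-profile", "vpn-instance"}

# Attributes that take effect, per service type (lists taken from the page).
EFFECTIVE_ATTRIBUTES: dict[str, frozenset[str]] = {
    "ppp": frozenset(_COMMON_ACCESS | {"callback-number", "ip", "url"}),
    "ipoe": frozenset(_COMMON_ACCESS),
    "lan-access": frozenset({"acl", "session-timeout", "user-profile", "vlan"}),
    "ssh": frozenset({"idle-cut", "user-role"}),
    "telnet": frozenset({"idle-cut", "user-role"}),
    "terminal": frozenset({"idle-cut", "user-role"}),
    "http": frozenset({"user-role"}),
    "https": frozenset({"user-role"}),
    "ftp": frozenset({"user-role", "work-directory"}),
}

# Attributes the page says cannot be configured in user group view.
LOCAL_USER_VIEW_ONLY = frozenset({"ip", "ipv6", "netstream-sampler", "user-role"})

MAX_USER_ROLES = 64  # "A maximum of 64 user roles can be specified for a user."


def resolve_authorization(service_type: str, user_attrs: dict,
                          group_attrs: dict | None = None,
                          ipoe_leased_line: bool = False) -> tuple[dict, list[str]]:
    """Return (effective attributes, names of configured attributes ignored).

    An attribute configured in local user view overrides the same attribute
    from user group view; then only the attributes that take effect for the
    service type are kept. For IPoE users on leased lines, vpn-instance is
    dropped as well. Other service types get no authorization attribute."""
    merged = dict(group_attrs or {})
    bad = sorted(set(merged) & LOCAL_USER_VIEW_ONLY)
    if bad:
        raise ValueError(f"not configurable in user group view: {bad}")
    merged.update(user_attrs)  # local user view takes precedence
    effective_names = EFFECTIVE_ATTRIBUTES.get(service_type, frozenset())
    effective = {k: v for k, v in merged.items() if k in effective_names}
    if service_type == "ipoe" and ipoe_leased_line:
        effective.pop("vpn-instance", None)
    ignored = sorted(set(merged) - set(effective))
    return effective, ignored


def apply_user_role(current_roles: set[str], new_role: str) -> set[str]:
    """Model the security-audit exclusivity rule: assigning security-audit
    removes every other role, and assigning any other role to a
    security-audit user removes security-audit. The device asks for
    confirmation first; this function assumes the operator answered Y."""
    if new_role == "security-audit":
        return {"security-audit"}
    if "security-audit" in current_roles:
        return {new_role}
    roles = set(current_roles) | {new_role}
    if len(roles) > MAX_USER_ROLES:
        raise ValueError(f"a user can have at most {MAX_USER_ROLES} user roles")
    return roles


if __name__ == "__main__":
    # LAN user: vlan from local user view wins over the group's vlan,
    # the group's acl is inherited, idle-cut is ignored for LAN users.
    print(resolve_authorization("lan-access", {"vlan": 2, "idle-cut": 10},
                                {"vlan": 3, "acl": 2000}))
```

The returned list of ignored attributes is the useful audit output: an attribute that is configured but never takes effect for the user's service type gives a false sense of restriction.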

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | location | mac | vlan } *

Default

No binding attributes are configured for a local user.

Views

Local user view

Predefined user roles

network-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to IPoE, LAN, and PPP users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to LAN, PPP, and IPoE users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to IPoE, LAN, and PPP users.

Usage guidelines

To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.

Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet.

Examples

# Bind MAC address 0001-0002-0003 with network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute mac 0001-0002-0003

Related commands

display local-user

company

Use company to specify the company of a local guest.

Use undo company to restore the default.

Syntax

company company-name

undo company

Default

No company is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify company yyy for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] company yyy

Related commands

display local-user

description

Use description to configure a description for a local guest.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure a description for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] description Manager of MSC company

Related commands

display local-user

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { ftp | http | https | ipoe | lan-access | ppp | ssh | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

network: Network access user.

guest: Guest user account.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ipoe: IPoE users that access the network through Layer 2 or Layer 3 leased lines or STBs.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

¡     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

¡     Cannot be a, al, or all.

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Total 3 local users matched.

 

Device management user root:

  State:                     Active

  Service type:              SSH/Telnet/Terminal

  Access limit:              Enabled           Max access number: 3

  Current access number:     1

  User group:                system

  Bind attributes:

  Authorization attributes:

    Work directory:          flash:

    User role list:          network-admin

  Password control configurations:

    Password aging:          3 days

  Password remaining lifetime: 2 days 12 hours 30 minutes 30 seconds

  Password history was last reset: 0 days ago

  Validity period:

    Start date and time:      2022/03/08-11:11:11

    Expiration date and time: 2022/03/08-12:00:00

Network access user jj:

  State:                     Active

  Service type:              LAN access

  User group:                system

  Bind attributes:

    Location bound:          Ten-GigabitEthernet3/1/1

    MAC address:             0001-0001-0001

    VLAN ID:                 2

  Authorization attributes:

    Idle timeout:            33 minutes

    ACL number:              2000

    User profile:            pp

Network access guest user user1:

  State:                     Active

  Service type:              LAN access

  User group:                guest1

  Full name:                 Jack

  Company:                   cc

  Email:                     Jack@cc.com

  Phone:                     131129237

  Description:               A guest from company cc

  Sponsor full name:         Sam

  Sponsor department:        security

  Sponsor email:             Sam@aa.com

  Period of validity:

    Start date and time:     2019/04/01-08:00:00

    Expiration date and time:2019/04/03-18:00:00

Table 10 Command output

Field | Description
State | Status of the local user: active or blocked.
Service type | Service types that the local user can use.
Access limit | Whether the concurrent login limit is enabled.
Max access number | Maximum number of concurrent logins using the local user name.
Current access number | Current number of concurrent logins using the local user name.
User group | Group to which the local user belongs.
Bind attributes | Binding attributes of the local user.
IP address | IP address of the local user.
Location bound | Binding port of the local user.
MAC address | MAC address of the local user.
VLAN ID | Binding VLAN of the local user.
Calling number | Calling number of the ISDN user. This field is not supported in the current software version.
Authorization attributes | Authorization attributes of the local user.
Idle timeout | Idle timeout period of the user, in minutes.
Session-timeout | Session timeout timer of the user, in minutes.
Callback number | Authorized PPP callback number of the local user.
Work directory | Directory that the FTP, SFTP, or SCP user can access.
ACL number | Authorization ACL of the local user.
VLAN ID | Authorized VLAN of the local user.
User profile | Authorization user profile of the local user.
User role list | Authorized roles of the local user.
IP pool | IPv4 address pool authorized to the local user.
NetStream sampler | Authorized sampler of the user and the traffic directions specified for NetStream sampling.
IP address | IPv4 address authorized to the local user.
IPv6 address | IPv6 address authorized to the local user.
IPv6 prefix | IPv6 address prefix authorized to the local user.
IPv6 pool | IPv6 address pool authorized to the local user.
Primary DNS server | IPv4 address of the primary DNS server for the local user.
Secondary DNS server | IPv4 address of the secondary DNS server for the local user.
Primary DNSV6 server | IPv6 address of the primary DNS server for the local user.
Secondary DNSV6 server | IPv6 address of the secondary DNS server for the local user.
URL | PADM URL of the local user.
VPN instance | Authorization VPN instance of the local user.
Subscriber ID | Subscriber ID of the local user.
Session group profile | Session group profile of the local user.
Password control configurations | Password control attributes that are configured for the local user.
Password aging | Password expiration time.
Password length | Minimum number of characters that a password must contain.
Password composition | Password composition policy: the minimum number of character types that a password must contain, and the minimum number of characters from each type in a password.
Password complexity | Password complexity checking policy: reject a password that contains the username or the reverse of the username, and reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts | Maximum number of consecutive failed login attempts.
Action for exceeding login attempts | Action to take on the user that failed to log in after using up all login attempts.
Password remaining lifetime | Remaining lifetime of the user's password.
Password history was last reset | The most recent time that the password records were cleared.
Validity period | Validity period of the device management user.
Start date and time | Date and time from which the device management user begins to take effect.
Expiration date and time | Date and time at which the device management user expires.
Full name | Name of the local guest.
Company | Company name of the local guest.
Email | Email address of the local guest.
Phone | Phone number of the local guest.
Description | Description of the local guest.
Sponsor full name | Name of the guest sponsor.
Sponsor department | Department of the guest sponsor.
Sponsor email | Email address of the guest sponsor.
Period of validity | Validity period of the local guest.
Start date and time | Date and time from which the local guest begins to take effect.
Expiration date and time | Date and time at which the local guest expires.

display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

 

User group: system

  Authorization attributes:

    Work directory:          flash:

User group: jj

  Authorization attributes:

    Idle timeout:            2 minutes

    Callback number:         2:2

    Work directory:          flash:/

    ACL number:              2000

    VLAN ID:                 2

    User profile:            pp

  PPPoE agency authentication domain: dm1

  Forwarding policies for PPPoE agency dialup:

    IPv4 ACL: 3000 (private)

    IPv6 ACL: testacl (public)

  Password control configurations:

    Password aging:          2 days

Table 11 Command output

Field | Description
Authorization attributes | Authorization attributes of the user group.
Idle timeout | Idle timeout period, in minutes.
Session-timeout | Session timeout timer, in minutes.
Callback number | Authorized PPP callback number.
Work directory | Directory that FTP, SFTP, or SCP users in the group can access.
ACL number | Authorization ACL.
VLAN ID | Authorized VLAN.
User profile | Authorization user profile.
IP pool | IPv4 address pool authorized to the user group.
IPv6 prefix | IPv6 address prefix authorized to the user group.
IPv6 pool | IPv6 address pool authorized to the user group.
Primary DNS server | IPv4 address of the primary DNS server authorized to the user group.
Secondary DNS server | IPv4 address of the secondary DNS server authorized to the user group.
Primary DNSV6 server | IPv6 address of the primary DNS server authorized to the user group.
Secondary DNSV6 server | IPv6 address of the secondary DNS server authorized to the user group.
URL | PADM URL for the user group.
Subscriber ID | Subscriber ID for the user group.
Session group profile | Session group profile for the user group.
VPN instance | Authorization VPN instance for the user group.
PPPoE agency authentication domain | Authentication domain of PPPoEA users. This field is not displayed if the authentication domain is not configured.
Forwarding policies for PPPoE agency dialup | PPPoE agency dialup forwarding policy. This field is not displayed if no policy is configured.
IPv4 ACL | Number or name of the IPv4 ACL for user traffic filtering, followed by the traffic type: private (internal network traffic; PPPoE agency dialup forwarding is not required) or public (external network traffic; PPPoE agency dialup forwarding is required).
IPv6 ACL | Number or name of the IPv6 ACL for user traffic filtering, followed by the traffic type: private (internal network traffic; PPPoE agency dialup forwarding is not required) or public (external network traffic; PPPoE agency dialup forwarding is required).
Password control configurations | Password control attributes that are configured for the user group.
Password aging | Password expiration time.
Password length | Minimum number of characters that a password must contain.
Password composition | Password composition policy: the minimum number of character types that a password must contain, and the minimum number of characters from each type in a password.
Password complexity | Password complexity checking policy: reject a password that contains the username or the reverse of the username, and reject a password that contains any character repeated consecutively three or more times.
Maximum login attempts | Maximum number of consecutive failed login attempts.
Action for exceeding login attempts | Action to take on the user that failed to log in after using up all login attempts.

display user-group identity-active

Use display user-group identity-active to display active identity groups.

Syntax

display user-group identity-active

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

An identity group is active if it is used by a security feature (for example, object policy) and the identity group application configuration takes effect on the security feature. Only active identity groups can be used for identity-based access control.

Examples

# Display active identity groups.

<Sysname> display user-group identity-active

Total 2 user groups matched.

Group ID        Group name

0x1             group1

0x567           group2

email

Use email to configure an email address for a local guest.

Use undo email to restore the default.

Syntax

email email-string

undo email

Default

No email address is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

The local guest uses the email address to receive notifications from the device.

Examples

# Configure the email address as abc@yyy.com for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] email abc@yyy.com

Related commands

display local-user

full-name

Use full-name to configure the name of a local guest.

Use undo full-name to restore the default.

Syntax

full-name name-string

undo full-name

Default

No name is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the name as abc Snow for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] full-name abc Snow

Related commands

display local-user

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-guest auto-delete enable

Use local-guest auto-delete enable to enable the guest auto-delete feature.

Use undo local-guest auto-delete enable to restore the default.

Syntax

local-guest auto-delete enable

undo local-guest auto-delete enable

Default

The guest auto-delete feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to automatically delete the local guest accounts when they expire.

Examples

# Enable the guest auto-delete feature.

<Sysname> system-view

[Sysname] local-guest auto-delete enable

Related commands

validity-datetime

local-guest email format

Use local-guest email format to configure the subject and body for the email notifications of local guest information.

Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.

Syntax

local-guest email format to { guest | sponsor } { body body-string | subject sub-string }

undo local-guest email format to { guest | sponsor } { body | subject }

Default

No subject or body is configured for the email notifications of local guest information.

Views

System view

Predefined user roles

network-admin

Parameters

to: Specifies the email recipient.

guest: Specifies the local guest.

sponsor: Specifies the guest sponsor.

body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.

subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.

Usage guidelines

Use this command to configure the subject and body for the email notifications to be sent by the device.

You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.

You must configure both the subject and body for each recipient.

Examples

# Configure the subject and body for the email notifications to send to the local guest.

<Sysname> system-view

[Sysname] local-guest email format to guest subject Guest account information

[Sysname] local-guest email format to guest body A guest account has been created for you. The username, password, and validity period of the account are given below.

Related commands

local-guest email sender

local-guest email smtp-server

local-guest send-email

local-guest email sender

Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.

Use undo local-guest email sender to restore the default.

Syntax

local-guest email sender email-address

undo local-guest email sender

Default

No email sender address is configured for the email notifications of local guests sent by the device.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters.

Usage guidelines

If you do not specify the email sender address, the device cannot send email notifications.

The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the email sender address as abc@yyy.com for email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email sender abc@yyy.com

Related commands

local-guest email format

local-guest email smtp-server

local-guest send-email

local-guest email smtp-server

Use local-guest email smtp-server to specify an SMTP server to send email notifications of local guests.

Use undo local-guest email smtp-server to restore the default.

Syntax

local-guest email smtp-server url-string

undo local-guest email smtp-server

Default

No SMTP server is specified to send email notifications of local guests.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the SMTP server, a case-sensitive string of 1 to 255 characters. The URL must comply with the standard SMTP protocol and start with smtp://.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the SMTP server at smtp://www.test.com/smtp to send local guest email notifications.

<Sysname> system-view

[Sysname] local-guest email smtp-server smtp://www.test.com/smtp

Related commands

local-guest email format

local-guest email sender

local-guest send-email

local-guest generate

Use local-guest generate to create local guests in batch.

Syntax

local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time

Views

System view

Predefined user roles

network-admin

Parameters

username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 70 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device randomly generates passwords for the local guests.

suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.

group group-name: Specifies a user group by the name. The group-name argument is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group system.

count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.

validity-datetime: Specifies the validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

Account names of batch-created local guests share the name prefix and differ only in the suffix number. The system increases the start suffix number by 1 for each new local guest created in the batch.

The device generates plaintext passwords from the password prefix and the suffix number in the same way it generates the local guest names.

Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.

If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.
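As an added worked example (not part of this command reference and not H3C's code), the following Python models how one local-guest generate command expands into accounts: it checks the prefix, suffix, count and validity period against the parameter rules above, increments the suffix for each guest, and appends the same suffix to the password prefix. It assumes that the suffix keeps its digit width (abc01 through abc20 for suffix 01, as in the reference's own example), which the text implies but does not state, and it generates its own random passwords where the device would generate one in its own format.

```python
import secrets
import string
from datetime import datetime

# Characters the device rejects in a local guest name prefix (listed in the
# username-prefix parameter description).
FORBIDDEN_NAME_CHARS = set('/\\|*?<>@')


def parse_datetime(date_str: str, time_str: str) -> datetime:
    """Parse one validity-datetime endpoint.

    date_str is MM/DD/YYYY or YYYY/MM/DD (YYYY in 2000..2035); time_str is
    hh[:mm[:ss]], where omitted mm and ss mean 0, so "1" is 01:00:00.
    """
    parts = date_str.split('/')
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"invalid date {date_str!r}")
    nums = [int(p) for p in parts]
    if len(parts[0]) == 4:                  # YYYY/MM/DD
        year, month, day = nums
    else:                                   # MM/DD/YYYY
        month, day, year = nums
    if not 2000 <= year <= 2035:
        raise ValueError(f"year {year} outside 2000..2035")
    tparts = time_str.split(':')
    if not 1 <= len(tparts) <= 3 or not all(p.isdigit() for p in tparts):
        raise ValueError(f"invalid time {time_str!r}")
    hh, mm, ss = (int(tparts[i]) if i < len(tparts) else 0 for i in range(3))
    if hh > 23 or mm > 59 or ss > 59:
        raise ValueError(f"time {time_str!r} out of range")
    # datetime() itself rejects a day that does not exist in the given month.
    return datetime(year, month, day, hh, mm, ss)


def generate_guests(name_prefix, suffix, count, start, end,
                    group='system', password_prefix=None):
    """Expand one local-guest generate command into the accounts it creates.

    start and end are (date, time) tuples in the command's own notation.
    Returns one dict per guest, in creation order.
    """
    if not 1 <= len(name_prefix) <= 70:
        raise ValueError("name prefix must be 1 to 70 characters")
    bad = FORBIDDEN_NAME_CHARS.intersection(name_prefix)
    if bad:
        raise ValueError(f"name prefix contains forbidden characters {sorted(bad)}")
    if not (suffix.isdigit() and 1 <= len(suffix) <= 10):
        raise ValueError("suffix must be a numeric string of 1 to 10 digits")
    if not 1 <= count <= 256:
        raise ValueError("count must be 1 to 256")
    if password_prefix is not None and not 1 <= len(password_prefix) <= 53:
        raise ValueError("password prefix must be 1 to 53 characters")
    if not 1 <= len(group) <= 32:
        raise ValueError("group name must be 1 to 32 characters")
    valid_from = parse_datetime(*start)
    valid_to = parse_datetime(*end)
    if valid_to <= valid_from:
        raise ValueError("expiration must be later than start")

    width = len(suffix)          # assumption: the suffix keeps its leading zeros
    alphabet = string.ascii_letters + string.digits
    guests = []
    for i in range(count):
        sfx = str(int(suffix) + i).zfill(width)
        if password_prefix is None:
            # No prefix given: the device generates a random password. A 16-char
            # random string is this example's stand-in, not the device's format.
            password = ''.join(secrets.choice(alphabet) for _ in range(16))
        else:
            password = password_prefix + sfx
        guests.append({
            'username': name_prefix + sfx,
            'password': password,
            'group': group,
            'valid_from': valid_from,
            'valid_to': valid_to,
        })
    return guests


if __name__ == '__main__':
    # The batch from the reference's example: abc01 .. abc20 in group visit.
    for g in generate_guests("abc", "01", 20, ("2019/05/01", "00:00:00"),
                             ("2019/05/02", "12:00:00"), group="visit"):
        print(g['username'], g['group'], g['valid_from'], g['valid_to'])
```

With password-prefix pw and suffix 9, three guests get passwords pw9, pw10 and pw11, so the last password reaches the 63-character plaintext limit only if the prefix uses all 53 characters and the suffix all 10 digits, which matches the limits the parameters give.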

Examples

# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The user accounts are effective from 2019/05/01 00:00:00 to 2019/05/02 12:00:00.

<Sysname> system-view

[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2019/05/01 00:00:00 to 2019/05/02 12:00:00

Related commands

local-user

display local-user

local-guest send-email

Use local-guest send-email to send emails to a local guest or guest sponsor.

Syntax

local-guest send-email user-name user-name to { guest | sponsor }

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by the username, a string of 1 to 80 characters. The username of the specified guest can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

      -     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

      -     Cannot be a, al, or all.

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

to: Specifies the email recipient.

guest: Specifies the local guest.

sponsor: Specifies the guest sponsor.

Usage guidelines

Guest managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.

Examples

# Send an email to notify local guest abc of the guest password and validity period information.

<Sysname> local-guest send-email user-name abc to guest

Related commands

email

sponsor-email

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class { manage | network [ guest ] } ]

undo local-user { user-name class { manage | network [ guest ] } | all [ service-type { ftp | http | https | ipoe | lan-access | ppp | ssh | telnet | terminal } | class { manage | network [ guest ] } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the username of a local user, a string of 1 to 80 characters. The specified username can be a pure username or contain a domain name (in the format of pure-username@domain-name).

·     The pure username is a case-sensitive string and must meet the following requirements:

      -     Cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

      -     Cannot be a, al, or all.

·     The domain name is a case-insensitive string and cannot contain an at sign (@).

class: Specifies the local user type. If you do not specify this keyword, the command adds a device management user.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, and terminal services.

network: Network access user that accesses network resources through the device. Network access users can use IPoE and LAN access services.

guest: Guest that can access network resources through the device during a specific validity period. Guests can use LAN services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ipoe: IPoE users that access the network through Layer 2 or Layer 3 leased lines or STBs.

lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

ppp: PPP users.

ssh: SSH users.

telnet: Telnet users.

terminal: Terminal users that log in through console ports.

Usage guidelines

The device supports multiple local users. The maximum number of device management users is 1024. The maximum number of network access users is 1024.

If the local username contains Chinese characters, make sure the endpoint software used at device login uses the same character set encoding format as the encoding format (GB18030) used by the device to save local user configuration. If they use different encoding formats, the username cannot be correctly decoded on the device, which might cause local authentication failure.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2 and enter local user view.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

# Add a local guest named user3 and enter local guest view.

<Sysname> system-view

[Sysname] local-user user3 class network guest

[Sysname-luser-network(guest)-user3]

Related commands

display local-user

service-type

local-user-export

Use local-user-export to export local guest account information to a .csv file in the specified path.

Syntax

local-user-export class network guest url url-string

Views

System view

Predefined user roles

network-admin

Parameters

class: Specifies the local user type.

network: Specifies the network access user.

guest: Specifies the local guest.

url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can import the user account information back to the device or to other devices that support the local-user-import command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import."

The device supports TFTP and FTP file transfer modes. Table 12 describes the valid URL formats of the .csv file.

Table 12 URL formats

Protocol: TFTP

URL format: tftp://server/path/filename

Description: Specify a TFTP server. The server argument represents the IP address or host name of the TFTP server and the path argument represents the relative path of the TFTP working directory. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

Protocol: FTP

URL format:

·     With FTP user name and password: ftp://username:password@server/path/filename

·     Without FTP user name and password: ftp://server/path/filename

Description: Specify an FTP server. The server argument represents the IP address or host name of the FTP server and the path argument represents the relative path of the FTP working directory. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Export local guest account information to the guest.csv file in the ftp://1.1.1.1/user/ path.

<Sysname> system-view

[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv

Related commands

local-user-import

local-user-import

Use local-user-import to import local guest account information from a .csv file in the specified path to the device to create local guests based on the imported information.

Syntax

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

Parameters

class: Specifies the local user type.

network: Specifies the network access user.

guest: Specifies the local guest.

url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.

validity-datetime: Specifies the guest validity period of the local guests.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device. If you do not specify this keyword, the device adds all imported local guests to the system-defined user group system.

override: Enables the device to override the existing account with the same name as an imported guest account. If you do not specify this keyword, the device retains the existing account and does not import the local guest with the same name.

start-line line-number: Specifies the number of the line at which the account import begins. If you do not specify a line number, this command imports all accounts in the .csv file.

Usage guidelines

The .csv file contains multiple parameters for each account and the parameters must be strictly arranged in the following order:

·     Username—User name of the guest account. The user name cannot be empty.

·     Password—Password of the guest account in plaintext form. If the password is empty, the device generates a random password in encrypted form for the guest.

·     User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group system.

·     Guest full name—Name of the guest.

·     Guest company—Company of the guest.

·     Guest email—Email address of the guest.

·     Guest phone—Phone number of the guest.

·     Guest description—Description of the guest.

·     Sponsor full name—Name of the guest sponsor.

·     Sponsor department—Department of the guest sponsor.

·     Sponsor email—Email address of the guest sponsor.

The value of each parameter in the file must meet the requirements of the local user attributes on the device. Any violation causes the account import to fail and stop, and the system displays the number of the line at which the import was interrupted.

Separate different account entries by a carriage return and separate each parameter value in an account entry by a comma (,). If the value of a parameter contains a comma (,), you must enclose the value within a pair of quotation marks ("") to avoid ambiguity. For example,

Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com
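To show how the import format above is checked, here is an added Python parser (example code, not the device's implementation and not part of this reference). It reads the .csv entries in the field order listed above, enforces the username rules quoted in the local-user command and the attribute length limits this reference gives, reports the line number of the first bad entry, and then applies the override, auto-create-group and start-line keyword semantics to a constructed set of existing accounts. The two sample entries and the existing account are constructed; the random password it substitutes for an empty password field is a stand-in for the device's own generated password, and company and description are not length-checked because this reference states no limit for them.

```python
import csv
import io
import secrets
import string

# Column order the device expects for each .csv entry (usage guidelines above).
FIELDS = ('username', 'password', 'group', 'full_name', 'company', 'email',
          'phone', 'description', 'sponsor_full_name', 'sponsor_department',
          'sponsor_email')

# Pure-username rules quoted in the local-user command: forbidden characters
# and the three reserved names.
FORBIDDEN_NAME_CHARS = set('/\\|*?<>@')
RESERVED_NAMES = {'a', 'al', 'all'}

# Length limits this reference gives for the matching local guest attributes.
# Company and description have no limit stated here, so they are not checked.
MAX_LEN = {'username': 80, 'password': 63, 'group': 32, 'full_name': 255,
           'email': 255, 'phone': 32, 'sponsor_full_name': 255,
           'sponsor_department': 127, 'sponsor_email': 255}


class GuestImportError(ValueError):
    """Raised for the first invalid entry; .line is the .csv line number."""

    def __init__(self, line, message):
        super().__init__(f'line {line}: {message}')
        self.line = line


def validate_account(acct):
    """Check one parsed entry against the attribute rules; raise ValueError."""
    name = acct['username']
    if not name:
        raise ValueError('username cannot be empty')
    pure, _, domain = name.partition('@')      # pure-username@domain-name
    if FORBIDDEN_NAME_CHARS & set(pure):
        raise ValueError(f'username {name!r} contains a forbidden character')
    if pure in RESERVED_NAMES:
        raise ValueError(f'username {pure!r} is reserved')
    if '@' in domain:
        raise ValueError(f'domain name in {name!r} contains an at sign')
    for field, limit in MAX_LEN.items():
        if len(acct[field]) > limit:
            raise ValueError(f'{field} is longer than {limit} characters')


def parse_guest_csv(text, start_line=1):
    """Parse .csv text into (line_no, entry) pairs, beginning at start_line.

    Stops at the first invalid entry and reports its line number, as the
    device does. Quoted values may contain commas.
    """
    reader = csv.reader(io.StringIO(text))
    accounts = []
    for row in reader:
        line_no = reader.line_num
        if line_no < start_line or not row:
            continue
        if len(row) != len(FIELDS):
            raise GuestImportError(line_no, f'expected {len(FIELDS)} fields, got {len(row)}')
        acct = dict(zip(FIELDS, row))
        try:
            validate_account(acct)
        except ValueError as exc:
            raise GuestImportError(line_no, str(exc)) from exc
        accounts.append((line_no, acct))
    return accounts


def apply_import(accounts, existing, groups, override=False, auto_create_group=False):
    """Merge parsed entries into `existing` (username -> record) following the
    override and auto-create-group keyword semantics. Returns the usernames
    created, the usernames skipped, and the groups created."""
    created, skipped, new_groups = [], [], []
    alphabet = string.ascii_letters + string.digits
    for _, acct in accounts:
        name = acct['username']
        if name in existing and not override:
            skipped.append(name)              # keep the existing account
            continue
        rec = dict(acct)
        rec['password_generated'] = not rec['password']
        if rec['password_generated']:
            # Constructed stand-in for the device's own random password; the
            # device stores it in encrypted form, which is not modelled here.
            rec['password'] = ''.join(secrets.choice(alphabet) for _ in range(16))
        group = rec['group'] or 'system'
        if auto_create_group:
            if group not in groups:
                groups.add(group)
                new_groups.append(group)
        else:
            group = 'system'                  # without the keyword, all go to system
        rec['group'] = group
        existing[name] = rec
        created.append(name)
    return created, skipped, new_groups
```

Running parse_guest_csv on the reference's own Jack entry yields one account whose description keeps its embedded comma; an entry with username all, a short row, or a domain name containing a second at sign stops the import with the offending line number, which is the behaviour the usage guidelines describe.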

The device supports TFTP and FTP file transfer modes. Table 13 describes the valid URL formats of the .csv file.

Table 13 URL formats

Protocol: TFTP

URL format: tftp://server/path/filename

Description: Specify a TFTP server. The server argument represents the IP address or host name of the TFTP server and the path argument represents the relative path of the TFTP working directory. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

Protocol: FTP

URL format:

·     With FTP user name and password: ftp://username:password@server/path/filename

·     Without FTP user name and password: ftp://server/path/filename

Description: Specify an FTP server. The server argument represents the IP address or host name of the FTP server and the path argument represents the relative path of the FTP working directory. The device ignores the domain name in the FTP user name. For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

Examples

# Import guest account information from the ftp://1.1.1.1/user/guest.csv file and specify a validity period for the imported guests.

<Sysname> system-view

[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2019/05/01 00:00:00 to 2019/05/02 12:00:00

Related commands

display local-user

local-user-export

password (device management user view)

Use password to configure a password for a device management user.

Use undo password to restore the default.

Syntax

password [ { hash | simple } string ]

undo password

Default

A device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Device management user view

Predefined user roles

network-admin

Parameters

hash: Specifies a password encrypted by the hash algorithm.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. This argument is case sensitive. The hashed form of the password is a string of 1 to 110 characters. The plaintext form of the password is a string of 1 to 63 characters. For more information about the password control commands, see Security Command Reference.

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password.

A device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.

Examples

# Set the password to 123456TESTplat&! in plaintext form for device management user user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Configure the password in interactive mode for device management user test.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

Confirm :

Related commands

display local-user

password (network access user view)

Use password to configure a password for a network access user.

Use undo password to restore the default.

Syntax

password [ { cipher | simple } string ]

undo password

Default

A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Network access user view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies a password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

As a best practice to enhance security, configure a password for each network access user.

Examples

# Set the password to 123456TESTuser&! in plaintext form for network access user user1.

<Sysname> system-view

[Sysname] local-user user1 class network

[Sysname-luser-network-user1] password simple 123456TESTuser&!

Related commands

display local-user

phone

Use phone to specify the phone number of a local guest.

Use undo phone to restore the default.

Syntax

phone phone-number

undo phone

Default

No phone number is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

phone-number: Specifies the phone number, a string of 1 to 32 characters.

Examples

# Specify the phone number as 13813723920 for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] phone 13813723920

Related commands

display local-user

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to remove service types configured for a local user.

Syntax

service-type { ftp | ipoe | lan-access | { http | https | ssh | telnet | terminal } * | ppp }

undo service-type { ftp | ipoe | lan-access | { http | https | ssh | telnet | terminal } * | ppp }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

ftp: Authorizes the user to use the FTP service. To specify the directory accessible to the authorized FTP user, use the authorization-attribute work-directory command. If you do not specify a directory, the user can access the root directory of the device by default.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ipoe: Authorizes the user to use the IPoE service.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console port.

ppp: Authorizes the user to use the PPP service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

snmp-agent trap enable user-group

Use snmp-agent trap enable user-group to enable SNMP notifications for user groups.

Use undo snmp-agent trap enable user-group to disable SNMP notifications for user groups.

Syntax

snmp-agent trap enable user-group [ max-count-threshold ]

undo snmp-agent trap enable user-group [ max-count-threshold ]

Default

SNMP notifications for user groups are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

max-count-threshold: Specifies the SNMP notification for the user group quantity threshold.

Usage guidelines

With the user group quantity threshold notification enabled, the system generates an upper-limit-reached alarm when the number of user groups configured on the device reaches the upper limit. When the number of user groups drops below 90% of the upper limit, the system generates an alarm removal notification.

If you do not specify any keyword, the command enables or disables all user group SNMP notifications.

Examples

# Enable SNMP notification for user group quantity.

<Sysname> system-view

[Sysname] snmp-agent trap enable user-group max-count-threshold

Related commands

user-group

sponsor-department

Use sponsor-department to specify the department of the guest sponsor for a local guest.

Use undo sponsor-department to restore the default.

Syntax

sponsor-department department-string

undo sponsor-department

Default

No department is specified for the guest sponsor of a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.

Examples

# Specify the department as test for the guest sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-department test

Related commands

display local-user

sponsor-email

Use sponsor-email to specify the email address of the guest sponsor for a local guest.

Use undo sponsor-email to restore the default.

Syntax

sponsor-email email-string

undo sponsor-email

Default

No email address is specified for the guest sponsor.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.

Examples

# Specify the email address as Sam@a.com for the guest sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com

Related commands

display local-user

sponsor-full-name

Use sponsor-full-name to specify the guest sponsor name for a local guest.

Use undo sponsor-full-name to restore the default.

Syntax

sponsor-full-name name-string

undo sponsor-full-name

Default

No guest sponsor name is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the guest sponsor name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify the guest sponsor name as Sam Li for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local guest view

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group (system view)

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

validity-datetime (local guest view)

Use validity-datetime to specify the validity period for a local guest.

Use undo validity-datetime to restore the default.

Syntax

validity-datetime start-date start-time to expiration-date expiration-time

undo validity-datetime

Default

The validity period for a local guest does not expire.

Views

Local guest view

Predefined user roles

network-admin

Parameters

start-date: Specifies the date on which the local guest becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time on the day when the local guest becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the local guest.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

The expiration date and time must be later than the start date and time.

Expired local guest accounts cannot be used for authentication.

Examples

# Specify the validity period for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] validity-datetime 2019/05/01 00:00:00 to 2019/05/02 12:00:00

Related commands

display local-user

validity-datetime (device management user view)

Use validity-datetime to specify the validity period for a device management user.

Use undo validity-datetime to restore the default.

Syntax

validity-datetime { from start-date start-time to expiration-date expiration-time | from start-date start-time | to expiration-date expiration-time }

undo validity-datetime

Default

The validity period for a device management user does not expire.

Views

Device management user view

Predefined user roles

network-admin

Parameters

from: Specifies the validity start date and time for the user.

start-date: Specifies the date on which the user becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time on the day when the user becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the user.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

The expiration date and time must be later than the start date and time.

Expired device management user accounts cannot be used for authentication.

Examples

# Specify the validity period for device management user abc.

<Sysname> system-view

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] validity-datetime 2022/03/01 00:00:00 to 2022/05/02 12:00:00

Related commands

display local-user

RADIUS commands

aaa device-id

Use aaa device-id to configure the device ID.

Use undo aaa device-id to restore the default.

Syntax

aaa device-id device-id

undo aaa device-id

Default

The device ID is 0.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID in the range of 1 to 255.

Usage guidelines

RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value for each online user based on the system time, random digits, and device ID.

If you modify the device ID, the new device ID applies only to users that come online after the change. Users that are already online keep the Acct-Session-ID values generated with the old device ID.

Assign a different device ID to each device that reports to the same RADIUS server, so that the device ID part of the Acct-Session-ID identifies which device generated the accounting record.

Examples

# Configure the device ID as 1.

<Sysname> system-view

[Sysname] aaa device-id 1

aaa nas-port-id vlanid uppercase

Use aaa nas-port-id vlanid uppercase to configure the device to use uppercase string VLANID in the RADIUS NAS-Port-Id attribute instead of lowercase string vlanid.

Use undo aaa nas-port-id vlanid uppercase to restore the default.

Syntax

aaa nas-port-id vlanid uppercase

undo aaa nas-port-id vlanid uppercase

Default

The device uses lowercase string vlanid in the RADIUS NAS-Port-Id attribute.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command if the RADIUS server requires that the vlanid string in the RADIUS NAS-Port-Id attribute be in upper case. For example, if the default format of the NAS-Port-Id attribute is slot=xx;subslot=xx;port=xx;vlanid=xx, the execution of this command changes the attribute format to slot=xx;subslot=xx;port=xx;VLANID=xx.

Examples

# Configure the device to use uppercase string VLANID in the RADIUS NAS-Port-Id attribute.

<Sysname> system-view

[Sysname] aaa nas-port-id vlanid uppercase

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to disable the accounting-on feature.

Syntax

accounting-on enable [ interval interval | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next device reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

accounting-on extended

Use accounting-on extended to enable the extended accounting-on feature.

Use undo accounting-on extended to disable the extended accounting-on feature.

Syntax

accounting-on extended

undo accounting-on extended

Default

The extended accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Usage guidelines

The extended accounting-on feature extends the accounting-on feature to a distributed architecture, so that it operates per card rather than only for the whole device. For the extended accounting-on feature to take effect, the RADIUS server must run on IMC and the accounting-on feature must be enabled.

The extended accounting-on feature applies to LAN users. The user data is saved on the cards through which the users access the device.

When the extended accounting-on feature is enabled, the device automatically sends an accounting-on packet to the RADIUS server after a card reboots while the device itself stays up. The packet carries the card identifier. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the device through that card. If no user has come online through the card, the device does not send an accounting-on packet after the card reboots.

The device uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.

Execute the save command to ensure that the accounting-on extended command takes effect at the next card reboot. For information about the save command, see Fundamentals Command Reference.

Examples

# Enable the extended accounting-on feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on extended

Related commands

accounting-on enable

display radius scheme

attribute 5 format

Use attribute 5 format to configure the format of the RADIUS NAS-Port attribute (attribute 5).

Use undo attribute 5 format to restore the default.

Syntax

attribute 5 format qinq

undo attribute 5 format

Default

The RADIUS NAS-Port attribute uses the single-VLAN encapsulation format: SlotIDSubslotIDIfIndexVlanID.

·     SlotID—8-bit slot number.

·     SubslotID—4-bit sub slot ID.

·     IfIndex—8-bit interface number.

·     VlanID—12-bit VLAN ID.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

qinq: Specifies the QinQ encapsulation format: SlotIDSubslotIDIfIndexSVlanIDCVlanID.

·     SlotID—3-bit slot number.

·     SubslotID—1-bit sub slot ID.

·     IfIndex—4-bit interface number.

·     SVlanID—12-bit SVLAN ID.

·     CVlanID—12-bit CVLAN ID.

Usage guidelines

As a best practice, use the QinQ encapsulation format for the RADIUS NAS-Port attribute in a QinQ network.

If the QinQ encapsulation format is configured in a non-QinQ network, the device pads the SVlanID part in this attribute with 0s.
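The two NAS-Port layouts above are easiest to check by packing and unpacking the 32-bit value yourself. The following Python is an added example and not code from this command reference or from H3C; it uses only the field widths stated for the command, and the slot, subslot, interface and VLAN numbers in it are constructed. Where it pads SVlanID with 0s for a single-tagged port it assumes the single tag is carried in the CVlanID part, which the reference does not state.

```python
# Added example (not H3C code): pack and unpack the 32-bit RADIUS NAS-Port
# value (attribute 5) in the single-VLAN and QinQ layouts selected by
# "attribute 5 format". Field widths are the ones stated for the command.

# Field layouts, most significant field first: (field name, width in bits).
SINGLE_VLAN_LAYOUT = (("slot", 8), ("subslot", 4), ("ifindex", 8), ("vlan", 12))
QINQ_LAYOUT = (("slot", 3), ("subslot", 1), ("ifindex", 4), ("svlan", 12), ("cvlan", 12))

NAS_PORT_BITS = 32


def _check_layout(layout):
    total = sum(width for _, width in layout)
    if total != NAS_PORT_BITS:
        raise ValueError(f"layout covers {total} bits, expected {NAS_PORT_BITS}")


def pack_nas_port(fields, layout):
    """Return the NAS-Port integer for the given field values.

    A value that does not fit its field raises ValueError instead of being
    truncated: silent truncation would make two different ports report the
    same NAS-Port, which breaks per-port accounting and authorization.
    """
    _check_layout(layout)
    value = 0
    for name, width in layout:
        v = int(fields[name])
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value = (value << width) | v
    return value


def unpack_nas_port(value, layout):
    """Split a NAS-Port integer back into its fields (inverse of pack_nas_port)."""
    _check_layout(layout)
    if not 0 <= value < (1 << NAS_PORT_BITS):
        raise ValueError("NAS-Port is a 32-bit value")
    fields = {}
    shift = NAS_PORT_BITS
    for name, width in layout:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


def qinq_nas_port_for_single_tag(slot, subslot, ifindex, vlan):
    """QinQ layout on a port that carries only one VLAN tag: the SVlanID part is
    padded with 0s. Assumption: the single tag is placed in the CVlanID part."""
    return pack_nas_port(
        {"slot": slot, "subslot": subslot, "ifindex": ifindex, "svlan": 0, "cvlan": vlan},
        QINQ_LAYOUT,
    )


if __name__ == "__main__":
    # Constructed sample: slot 2, subslot 1, interface 5, outer VLAN 4094, inner VLAN 1.
    qinq = pack_nas_port(
        {"slot": 2, "subslot": 1, "ifindex": 5, "svlan": 4094, "cvlan": 1}, QINQ_LAYOUT
    )
    print(f"QinQ NAS-Port: 0x{qinq:08x} -> {unpack_nas_port(qinq, QINQ_LAYOUT)}")
    single = pack_nas_port(
        {"slot": 1, "subslot": 0, "ifindex": 5, "vlan": 100}, SINGLE_VLAN_LAYOUT
    )
    print(f"single-VLAN NAS-Port: 0x{single:08x} -> {unpack_nas_port(single, SINGLE_VLAN_LAYOUT)}")
```

The widths explain the practical limit of the QinQ format: the slot field shrinks from 8 bits to 3 (values 0 to 7) and the interface field from 8 bits to 4 (values 0 to 15), so on a chassis with more slots or more interfaces per subslot the value cannot be represented. The packer raises in that case rather than wrapping the number, because a wrapped NAS-Port is indistinguishable from a legitimate one on the RADIUS server.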

Examples

# In RADIUS scheme rad, configure the format of the RADIUS NAS-Port attribute as the QinQ encapsulation format.

<Sysname> system-view

[Sysname] radius scheme rad

[Sysname-radius-rad] attribute 5 format qinq

Related commands

display radius scheme

attribute 6 value

Use attribute 6 value to set the value of the RADIUS Service-Type attribute (attribute 6).

Use undo attribute 6 value to restore the default.

Syntax

attribute 6 value outbound user-type ipoe [ value-added-service ]

undo attribute 6 value outbound user-type ipoe

Default

The value of the RADIUS Service-Type attribute in outgoing RADIUS packets varies by user type.

·     For device management users, the value is 1 (Login).

·     For the other types of users, the value is 2 (Framed).

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

outbound: Specifies the attribute value as 5 (Outbound). In the current software version, only this value is supported.

user-type ipoe: Specifies the type of access users as IPoE. In the current software version, only this type of access users can be specified.

value-added-service: Applies the configured value to RADIUS packets of value-added services (including ITA and EDSG services). If you do not specify this keyword, the attribute value applies only to RADIUS packets of non-value-added services.

Usage guidelines

Set the value of the RADIUS Service-Type attribute in outgoing RADIUS packets to meet the requirements of RADIUS servers.

If the service provider requires that the Service-Type attribute in authentication and accounting requests for IPoE users uses value 5 (Outbound), execute the attribute 6 value outbound user-type ipoe command. If the service provider has the same requirements for authentication and accounting requests of IPoE users' value-added services, execute the attribute 6 value outbound user-type ipoe value-added-service command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In RADIUS scheme radius1, set the Service-Type attribute value to 5 (Outbound) in outgoing RADIUS packets for IPoE users' non-value-added and value-added services.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 6 value outbound user-type ipoe value-added-service

Related commands

display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches standard Login-Service attribute values.

strict: Matches extended Login-Service attribute values.

Usage guidelines

This command applies to only FTP, SSH, and terminal users.

Use the loose check method only when the server does not support extended Login-Service attribute values. For more information about standard and extended values for the Login-Service attribute, see AAA configuration in Security Configuration Guide.

Examples

# Configure the Login-Service attribute check method as loose in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to restore the default.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

The device interprets the RADIUS class attribute as CAR parameters only if the attribute is in the format string1string2string3string4, where each string is exactly eight characters long and each character is a digit from 0 to 9 (32 digits in total). Class attribute values in any other format are not interpreted as CAR parameters.

After the device interprets the RADIUS class attribute sent by a RADIUS server as CAR parameters, it carries the interpreted CAR parameters in the subsequent accounting packets sent to that server besides carrying the original class attribute.

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the MAC address format of RADIUS attribute 31.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { six | three } separator separator-character { lowercase | uppercase }

undo attribute 31 mac-format

Default

A MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the MAC address format of RADIUS attribute 31 to meet the requirements of the RADIUS servers.

Examples

# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute 85 preferred

Use attribute 85 preferred to configure the device to prefer the real-time accounting interval assigned by the RADIUS server through the RADIUS Acct-Interim-Interval attribute (attribute 85).

Use undo attribute 85 preferred to restore the default.

Syntax

attribute 85 preferred

undo attribute 85 preferred

Default

The real-time accounting interval set in RADIUS scheme view takes precedence over the real-time accounting interval assigned by the server through the RADIUS Acct-Interim-Interval attribute.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

The real-time accounting interval can be set by the timer realtime-accounting command in RADIUS scheme view or assigned by the server through the RADIUS Acct-Interim-Interval attribute. By default, a non-zero interval set in RADIUS scheme view takes precedence over the server-assigned interval. To configure the device to prefer the server-assigned interval, execute the attribute 85 preferred command.

Examples

# In RADIUS scheme radius1, configure the device to prefer the real-time accounting interval assigned by the server through the RADIUS Acct-Interim-Interval attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 85 preferred

Related commands

display radius scheme

timer realtime-accounting

attribute 87 format

Use attribute 87 format to configure the format of RADIUS attribute 87.

Use undo attribute 87 format to restore the default.

Syntax

attribute 87 format { custom { c-vid [ delimiter ] | interface-type [ delimiter ] | port [ delimiter ] | s-vid [ delimiter ] | slot [ delimiter ] | string string [ delimiter ] | subslot [ delimiter ] | vxlan-id [ delimiter ] } * | vendor vendor-id }

undo attribute 87 format

Default

No format is configured for RADIUS attribute 87, and the attribute uses the format defined by each access module.

·     For IPoE and PPP authentication, the format is slot=xx;subslot=xx;port=xx;vlanid=xx;vlanid2=xx.

·     For login authentication, this attribute is empty.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

custom: Specifies a custom format.

c-vid: Includes the inner VLAN ID of user packets.

interface-type: Includes the interface type of the access node.

port: Includes the port number of the access node.

s-vid: Includes the outer VLAN ID of user packets.

slot: Includes the slot number of the access node.

string string: Includes a custom string, a case-sensitive string of 1 to 63 characters.

subslot: Includes the subslot number of the access node.

vxlan-id: Includes the ID of the VXLAN to which a user belongs.

delimiter: Specifies a delimiter to separate attribute fields. The delimiter can be any character except a question mark (?). If you do not specify a delimiter, attribute fields are not separated.

vendor vendor-id: Specifies the format of RADIUS attribute 87 defined by a vendor. The vendor-id argument represents the ID of a vendor. The value can be 9 (Cisco) or 2636 (Juniper).

Usage guidelines

RADIUS attribute 87 is the NAS-Port-Id attribute. RADIUS servers of different types might have different requirements for the NAS-Port-Id attribute format. Configure the format of RADIUS attribute 87 to meet the requirements of the RADIUS servers.

If you specify the format of a vendor, the device constructs the NAS-Port-Id attribute as required by the vendor.

Table 14 Formats of the NAS-Port-Id attribute defined by different vendors

Vendor 2636 (Juniper), ATM interfaces:

atm slot/port.subinterface:vpi.vci

·     slot—Slot number.

·     port—Interface index.

·     subinterface—Subinterface number.

·     vpi—PVC VPI value.

·     vci—PVC VCI value.

Vendor 2636 (Juniper), Ethernet and aggregate interfaces:

For double-VLAN tagging:
interface-type slot/port.vpivci:vpi-vci (for example, gigabitEthernet 2/5.40940001:4094-1)

·     interface-type—Interface type, which can be fastEthernet, gigabitEthernet, ethernet, or trunk (aggregate).

·     slot—Slot number.

·     port—Interface number.

·     vpi—Outer VLAN ID.

·     vci—Inner VLAN ID.

The vci field preceding the colon (:) is padded with leading 0s to four digits. For example, the vci field is 0001 for inner VLAN 1, so outer VLAN 4094 and inner VLAN 1 produce the subinterface string 40940001.

For single-VLAN tagging:
interface-type slot/port.subinterface:vlan (for example, gigabitEthernet 2/5.4:4)

·     interface-type—Interface type, which can be fastEthernet, gigabitEthernet, ethernet, or trunk (aggregate).

·     slot—Slot number.

·     port—Interface number.

·     subinterface—Subinterface number. This field is invalid in RADIUS packets on an L2TP network.

·     vlan—VLAN ID.

For no-VLAN tagging:
interface-type slot/port.0 (for example, gigabitEthernet 2/5.0)

·     interface-type—Interface type, which can be fastEthernet, gigabitEthernet, ethernet, or trunk (aggregate).

·     slot—Slot number.

·     port—Interface number.

Vendor 9 (Cisco), Ethernet, aggregate, and ATM interfaces:

interface-type slot/subslot/port (for example, ethernet 2/0/5)

·     interface-type—Interface type, ethernet, trunk (aggregate), or atm.

·     slot—Slot number.

·     subslot—Subslot number.

·     port—Interface number.

If you specify a custom format, the device includes the specified attribute fields in the NAS-Port-Id attribute in the sequence that the fields are specified. If you specify a delimiter in the custom format, the device uses the delimiter to separate the attribute fields.

When you configure a custom format, consider the network environment and the type of the device to avoid specifying an invalid attribute field.

The format of the NAS-Port-Id attribute configured by using this command takes precedence over the format defined by the access module.
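The vendor, custom and default NAS-Port-Id layouts above, the vlanid/VLANID variant selected by aaa nas-port-id vlanid uppercase, and the MAC address layouts selected by attribute 31 mac-format are all plain string formatting, and it is worth seeing the exact strings a server will receive. The following Python is an added example and not code from this command reference or from H3C. The interface numbers, VLAN IDs and MAC address in it are constructed, and the interface-type text used in the custom format ("GigabitEthernet") is an assumption, since the reference does not show what text the device inserts for that field.

```python
# Added example (not H3C code): build the strings described for the
# NAS-Port-Id (attribute 87) and Calling-Station-Id MAC (attribute 31)
# formatting commands. All sample values are constructed.

def format_mac(mac, sections=6, separator="-", uppercase=True):
    """Render a MAC address as "attribute 31 mac-format" would: six 2-digit or
    three 4-digit hexadecimal sections joined by one separator character."""
    digits = "".join(ch for ch in mac if ch in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    width = {6: 2, 3: 4}[sections]
    chunks = [digits[i:i + width] for i in range(0, 12, width)]
    text = separator.join(chunks)
    return text.upper() if uppercase else text.lower()


def default_nas_port_id(slot, subslot, port, vlanid, uppercase_vlanid=False):
    """Default slot=;subslot=;port=;vlanid= form. uppercase_vlanid models the
    effect of "aaa nas-port-id vlanid uppercase"."""
    key = "VLANID" if uppercase_vlanid else "vlanid"
    return f"slot={slot};subslot={subslot};port={port};{key}={vlanid}"


def juniper_nas_port_id(iftype, slot, port, svlan=None, cvlan=None, subinterface=0):
    """Vendor 2636 format for Ethernet and aggregate interfaces."""
    if cvlan is not None and svlan is None:
        raise ValueError("inner VLAN given without an outer VLAN")
    if svlan is not None and cvlan is not None:
        # Double tagging: the subinterface field is the outer VLAN followed by
        # the inner VLAN padded with leading zeros to four digits.
        return f"{iftype} {slot}/{port}.{svlan}{cvlan:04d}:{svlan}-{cvlan}"
    if svlan is not None:
        return f"{iftype} {slot}/{port}.{subinterface}:{svlan}"
    return f"{iftype} {slot}/{port}.0"


def cisco_nas_port_id(iftype, slot, subslot, port):
    """Vendor 9 format: interface-type slot/subslot/port."""
    return f"{iftype} {slot}/{subslot}/{port}"


def custom_nas_port_id(spec, fields):
    """Custom format. spec is a list of (token, delimiter_or_None) pairs in
    command-line order; token is a field name or "string:<literal>". A
    delimiter is emitted only after the token it was given for."""
    parts = []
    for token, delimiter in spec:
        if delimiter is not None and (len(delimiter) != 1 or delimiter == "?"):
            raise ValueError("delimiter must be one character other than '?'")
        if token.startswith("string:"):
            literal = token[len("string:"):]
            if not 1 <= len(literal) <= 63:
                raise ValueError("custom string must be 1 to 63 characters")
            parts.append(literal)
        else:
            parts.append(str(fields[token]))
        if delimiter is not None:
            parts.append(delimiter)
    return "".join(parts)


if __name__ == "__main__":
    print(format_mac("00:1a:2b:3c:4d:5e"))                       # default layout
    print(default_nas_port_id(2, 0, 5, 100, uppercase_vlanid=True))
    print(juniper_nas_port_id("gigabitEthernet", 2, 5, svlan=4094, cvlan=1))
    print(cisco_nas_port_id("ethernet", 2, 0, 5))
    print(custom_nas_port_id([("c-vid", ";"), ("interface-type", ";")],
                             {"c-vid": 1, "interface-type": "GigabitEthernet"}))
```

A server policy that keys on NAS-Port-Id or Calling-Station-Id (for example, binding a subscriber to a port or a MAC address) is a string comparison, so a case or separator mismatch between what the device sends and what the policy expects fails silently as "no match" rather than as an error; generating the expected string this way and comparing it with the server's policy text is the quick check before changing a scheme in production.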

Examples

# In RADIUS scheme rad, configure the RADIUS attribute 87 format as the format defined by Cisco.

<Sysname> system-view

[Sysname] radius scheme rad

[Sysname-radius-rad] attribute 87 format vendor 9

# In RADIUS scheme rad2, configure a custom format for RADIUS attribute 87. The attribute contains the inner VLAN ID and interface type fields in sequence and uses a semicolon (;) as the delimiter.

<Sysname> system-view

[Sysname] radius scheme rad2

[Sysname-radius-rad2] attribute 87 format custom c-vid ; interface-type ;

Related commands

display radius scheme

attribute convert (RADIUS DAS view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

coa-ack: Specifies the CoA acknowledgment packets.

coa-request: Specifies the CoA request packets.

received: Specifies the received DAE packets.

sent: Specifies the sent DAE packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

·     The source and destination RADIUS attributes in a rule must use the same data type.

·     The source and destination RADIUS attributes in a rule cannot use the same name.

·     A source RADIUS attribute can be converted by only one kind of criterion: packet types or directions, but not both.

·     One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute in the received DAE packets with the Connect-Info attribute.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] attribute convert Hw-Server-String to Connect-Info received

Related commands

attribute translate

attribute convert (RADIUS scheme view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

·     The source and destination RADIUS attributes in a rule must use the same data type.

·     The source and destination RADIUS attributes in a rule cannot use the same name.

·     A source RADIUS attribute can be converted by only one kind of criterion: packet types or directions, but not both.

·     One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS scheme radius1, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute of received RADIUS packets with the User-Address-Type attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute convert Hw-Server-String to User-Address-Type received

Related commands

attribute translate

display radius scheme

attribute reject (RADIUS DAS view)

Use attribute reject to configure a RADIUS attribute rejection rule.

Use undo attribute reject to delete RADIUS attribute rejection rules.

Syntax

attribute reject attr-name { { coa-ack | coa-request } * | { received | sent } * }

undo attribute reject [ attr-name ]

Default

No RADIUS attribute rejection rules exist.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

coa-ack: Specifies the CoA acknowledgment packets.

coa-request: Specifies the CoA request packets.

received: Specifies the received DAE packets.

sent: Specifies the sent DAE packets.

Usage guidelines

Configure RADIUS attribute rejection rules for the following purposes:

·     Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not recognize the attributes.

·     Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.

The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.

A RADIUS attribute can be rejected by only one kind of criterion: packet types or directions, but not both.

If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.

Examples

# In RADIUS DAS view, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the DAE packets to be sent.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] attribute reject Connect-Info sent

Related commands

attribute translate

attribute reject (RADIUS scheme view)

Use attribute reject to configure a RADIUS attribute rejection rule.

Use undo attribute reject to delete RADIUS attribute rejection rules.

Syntax

attribute reject attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute reject [ attr-name ]

Default

No RADIUS attribute rejection rules exist.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.

Usage guidelines

Configure RADIUS attribute rejection rules for the following purposes:

·     Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not recognize the attributes.

·     Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.

The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.

A RADIUS attribute can be rejected by only one kind of criterion: packet types or directions, but not both.

If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.

Examples

# In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute reject Connect-Info sent

Related commands

attribute translate

attribute remanent-volume

Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.

Use undo attribute remanent-volume to restore the default.

Syntax

attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }

undo attribute remanent-volume unit

Default

The data measurement unit is kilobyte for the Remanent_Volume attribute.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

Usage guidelines

Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.

Examples

# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte

Related commands

display radius scheme

attribute translate

Use attribute translate to enable the RADIUS attribute translation feature.

Use undo attribute translate to disable the RADIUS attribute translation feature.

Syntax

attribute translate

undo attribute translate

Default

The RADIUS attribute translation feature is disabled.

Views

RADIUS DAS view

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

To cooperate with RADIUS servers of different vendors, enable the RADIUS attribute translation feature. Configure RADIUS attribute conversion rules and rejection rules to ensure that RADIUS attributes in the packets exchanged between the device and the server are supported by both sides.
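Because conversion and rejection rules do nothing until attribute translate is enabled, and because each rule matches by either packet type or direction, it helps to see the whole feature as one pass over a packet's attribute list. The following Python is an added example and not code from this command reference or from H3C; it models the rules of the attribute convert and attribute reject commands in RADIUS scheme view. The attribute names, the data-type table (the reference states only that source and destination must share a data type, not what the types are) and the packets are constructed, and the device's real attribute dictionary and on-wire encoding are not modelled.

```python
# Added example (not H3C code): how "attribute translate" with
# "attribute convert" and "attribute reject" rules acts on one RADIUS packet.

PACKET_TYPES = frozenset({"access-request", "access-accept", "accounting"})
DIRECTIONS = frozenset({"received", "sent"})

# Constructed data types for the attributes used below (assumption: the
# reference only requires that source and destination share a type).
ATTR_TYPES = {
    "hw-server-string": "string",
    "connect-info": "string",
    "user-name": "string",
    "framed-ip-address": "ipaddr",
}


def _normalize_criteria(criteria):
    crit = frozenset(c.lower() for c in criteria)
    if not crit:
        raise ValueError("a rule needs at least one packet type or direction")
    if not (crit <= PACKET_TYPES or crit <= DIRECTIONS):
        raise ValueError("use packet types or directions in a rule, not both")
    return crit


def _matches(crit, packet_type, direction):
    return packet_type.lower() in crit or direction.lower() in crit


class AttributeTranslation:
    """RADIUS scheme-view translation state: the "attribute translate" switch
    plus the convert and reject rules configured under the scheme."""

    def __init__(self, attr_types=ATTR_TYPES):
        self.enabled = False      # attribute translate / undo attribute translate
        self.convert = {}         # source name -> (destination name, criteria)
        self.reject = {}          # attribute name -> criteria
        self.attr_types = attr_types

    def add_convert(self, src, dest, criteria):
        s, d = src.lower(), dest.lower()
        if s == d:
            raise ValueError("source and destination cannot use the same name")
        if s not in self.attr_types or d not in self.attr_types:
            raise ValueError("attribute not supported by the system")
        if self.attr_types[s] != self.attr_types[d]:
            raise ValueError("source and destination must use the same data type")
        if s in self.convert:
            raise ValueError("one source attribute converts to only one destination")
        self.convert[s] = (dest, _normalize_criteria(criteria))

    def add_reject(self, name, criteria):
        n = name.lower()
        if n not in self.attr_types:
            raise ValueError("attribute not supported by the system")
        if n in self.reject:
            raise ValueError("an attribute is rejected by only one criterion")
        self.reject[n] = _normalize_criteria(criteria)

    def apply(self, packet_type, direction, attrs):
        """Return the attribute list as it leaves translation. attrs is a list
        of (name, value) pairs. Rules are ignored while translation is disabled."""
        if not self.enabled:
            return list(attrs)
        out = []
        for name, value in attrs:
            key = name.lower()
            if key in self.reject and _matches(self.reject[key], packet_type, direction):
                continue                      # dropped: the peer would not understand it
            if key in self.convert:
                dest, crit = self.convert[key]
                if _matches(crit, packet_type, direction):
                    name = dest               # renamed; the value is carried unchanged
            out.append((name, value))
        return out


if __name__ == "__main__":
    t = AttributeTranslation()
    t.add_convert("Hw-Server-String", "Connect-Info", ["received"])
    t.add_reject("Connect-Info", ["sent"])
    t.enabled = True
    print(t.apply("access-accept", "received", [("Hw-Server-String", "acct")]))
    print(t.apply("access-request", "sent", [("Connect-Info", "x"), ("User-Name", "bob")]))
```

The point to keep in mind is the disabled case: with the rules configured but attribute translate not executed, apply returns the packet untouched, so an attribute the server cannot parse is still sent and an unwanted server attribute is still honoured. After adding rules, confirm with display radius scheme that translation is enabled in the scheme they belong to.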

Examples

# Enable the RADIUS attribute translation feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute translate

Related commands

attribute convert (RADIUS DAS view)

attribute convert (RADIUS scheme view)

attribute reject (RADIUS DAS view)

attribute reject (RADIUS scheme view)

attribute vendor-id 2011 version

Use attribute vendor-id 2011 version to specify the version of the RADIUS servers with a vendor ID of 2011.

Use undo attribute vendor-id 2011 version to restore the default.

Syntax

attribute vendor-id 2011 version { 1.0 | 1.1 }

undo attribute vendor-id 2011 version

Default

The version is 1.0.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

1.0: Specifies version 1.0.

1.1: Specifies version 1.1.

Usage guidelines

For the device to correctly interpret RADIUS attributes from the servers with a vendor ID of 2011, specify a server version the same as the actual version of the RADIUS servers.

The following table shows the differences in the way that the device interprets the vendor-specific RADIUS attributes assigned by different versions of RADIUS servers with vendor ID 2011.

RADIUS attribute    RADIUS server with version 1.0    RADIUS server with version 1.1
HW_ARRT_26_1        Upstream peak rate                Upstream burst size
HW_ARRT_26_2        Upstream average rate             Upstream average rate
HW_ARRT_26_3        N/A                               Upstream peak rate
HW_ARRT_26_4        Downstream peak rate              Downstream burst size
HW_ARRT_26_5        Downstream average rate           Downstream average rate
HW_ARRT_26_6        N/A                               Downstream peak rate


Examples

# In RADIUS scheme radius1, specify the version of the RADIUS servers with a vendor ID of 2011 as version 1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute vendor-id 2011 version 1.1

Related commands

client

client

Use client to specify a RADIUS DAC.

Use undo client to remove a RADIUS DAC.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vendor-id 2011 version { 1.0 | 1.1 } | vpn-instance vpn-instance-name ] *

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No RADIUS DACs are specified.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a DAC by its IPv4 address.

ipv6 ipv6-address: Specifies a DAC by its IPv6 address.

key: Specifies the shared key for secure communication between the RADIUS DAC and DAS. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vendor-id 2011: Specifies the vendor-ID of the DAC as 2011.

version: Specifies the version of the DAC.

1.0: Specifies the DAC version as version 1.0.

1.1: Specifies the DAC version as version 1.1.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

With the RADIUS DAS feature, the device listens to the default or specified UDP port to receive DAE requests from the specified DACs. The device processes the requests and sends DAE responses to the DACs.

The device discards any DAE packets sent from DACs that are not specified for the DAS.

You can execute the client command multiple times to specify multiple DACs for the DAS.

To work with a DAC with vendor-ID 2011 and version 1.0, you do not need to specify the vendor-ID or version attribute. To work with a DAC with vendor-ID 2011 and version 1.1, you must specify the vendor-id 2011 version 1.1 keywords.

Examples

# Specify the DAC as 10.110.1.2. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456

Related commands

attribute vendor-id 2011 version

radius dynamic-author server

port

dae-loose-check enable

Use dae-loose-check enable to enable DAE loose check.

Use undo dae-loose-check enable to disable DAE loose check.

Syntax

dae-loose-check enable

undo dae-loose-check enable

Default

DAE loose check is disabled. The device checks both the user identification information and device identification information in DAE requests.

Views

RADIUS DAS view

Predefined user roles

network-admin

Usage guidelines

The DAE loose check feature requires the DAS to check only part of the user identification information in a DAE request and not to check the device identification information.

As a best practice to avoid unnecessary drop of DAE requests, enable this feature when the user and device identification information on DACs are inconsistent with those on the DAS.
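As an added illustration (not H3C code), the following Python models the DAS behaviour that the client and dae-loose-check commands describe: a DAE request is discarded unless its source is a configured DAC, its RFC 5176 Request Authenticator is recomputed with that DAC's shared key, and identification is then checked strictly (all supplied user attributes and any device attributes must match) or loosely (device attributes skipped, one matching user attribute suffices). Which attributes count as user or device identification, and the exact strict/loose matching rules, are assumptions of the model; the session values are constructed, and the DAC address 10.110.1.2 and key 123456 are reused from the client example.

```python
"""Simplified model (not H3C code) of the RADIUS DAS behaviour described for the
client and dae-loose-check commands: drop DAE packets from unconfigured DACs, verify
the RFC 5176 Request Authenticator with that DAC's key, then check identification."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

DISCONNECT_REQUEST = 40                      # RFC 5176 packet code
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_FRAMED_IP = 1, 4, 8
ATTR_NAS_ID, ATTR_ACCT_SESSION_ID = 32, 44
# Assumed split: which attributes identify the user and which identify the device.
USER_ID_ATTRS = (ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_SESSION_ID)
Attrs = List[Tuple[int, bytes]]


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def encode_attrs(attrs: Attrs) -> bytes:
    """RADIUS TLV encoding; the Length octet covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes) -> Dict[int, bytes]:
    """Strict TLV walk: a bad length anywhere rejects the whole packet."""
    out, i = {}, 0
    while i < len(body):
        if len(body) - i < 2 or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return out


def build_disconnect_request(ident: int, attrs: Attrs, secret: bytes) -> bytes:
    """What a DAC sends. Request Authenticator (RFC 5176 section 2.3) =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


class Das:
    def __init__(self, nas_ip: str, nas_id: str, clients: Dict[Tuple[str, Optional[str]], bytes],
                 sessions: List[Dict[int, bytes]], loose_check: bool = False):
        self.device_ids = {ATTR_NAS_IP: ip4(nas_ip), ATTR_NAS_ID: nas_id.encode()}
        self.clients, self.sessions = clients, sessions   # clients: (DAC addr, VPN or None) -> key
        self.loose_check = loose_check    # dae-loose-check enable

    def handle(self, src_ip: str, vpn: Optional[str], pkt: bytes) -> str:
        secret = self.clients.get((src_ip, vpn))
        if secret is None:                # sender is not a configured DAC: discard
            return "dropped:unknown-dac"
        length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 20 else 0
        if pkt[:1] != bytes([DISCONNECT_REQUEST]) or not 20 <= length <= len(pkt):
            return "dropped:malformed"
        pkt = pkt[:length]
        expect = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
        if not hmac.compare_digest(expect, pkt[4:20]):   # key mismatch or forged packet
            return "dropped:bad-authenticator"
        try:
            attrs = parse_attrs(pkt[20:])
        except ValueError:
            return "dropped:malformed"
        # Strict mode also requires any device identification attributes to match.
        if not self.loose_check and any(attrs.get(t, v) != v for t, v in self.device_ids.items()):
            return "nak:nas-mismatch"
        present = [t for t in USER_ID_ATTRS if t in attrs]
        for s in self.sessions:
            matches = [attrs[t] == s.get(t) for t in present]
            # strict: every supplied user attribute must match; loose: one is enough
            if present and (all(matches) or (self.loose_check and any(matches))):
                return "ack"
        return "nak:no-session"


def demo() -> Dict[str, str]:
    """Constructed scenario using the client example values (DAC 10.110.1.2, key
    123456) and one online session; returns the DAS verdict for each case."""
    session = {ATTR_USER_NAME: b"user1@dom1", ATTR_FRAMED_IP: ip4("192.168.10.20"),
               ATTR_ACCT_SESSION_ID: b"0000123456"}
    das = Das("1.1.1.1", "BRAS-1", {("10.110.1.2", None): b"123456"}, [session])
    user = [(ATTR_USER_NAME, b"user1@dom1"), (ATTR_FRAMED_IP, ip4("192.168.10.20"))]
    good = build_disconnect_request(1, user + [(ATTR_NAS_ID, b"BRAS-1")], b"123456")
    wrong_nas = build_disconnect_request(2, user + [(ATTR_NAS_ID, b"BRAS-2")], b"123456")
    partial = build_disconnect_request(3, [user[0], (ATTR_FRAMED_IP, ip4("10.9.9.9"))], b"123456")
    r = {"valid": das.handle("10.110.1.2", None, good),
         "unknown_dac": das.handle("10.110.1.3", None, good),
         "wrong_key": das.handle("10.110.1.2", None, build_disconnect_request(1, user, b"wrong")),
         "nas_mismatch_strict": das.handle("10.110.1.2", None, wrong_nas),
         "partial_strict": das.handle("10.110.1.2", None, partial)}
    das.loose_check = True                # dae-loose-check enable
    r["nas_mismatch_loose"] = das.handle("10.110.1.2", None, wrong_nas)
    r["partial_loose"] = das.handle("10.110.1.2", None, partial)
    return r
```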

Examples

# Enable DAE loose check.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] dae-loose-check enable

Related commands

radius dynamic-author server

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display RADIUS scheme configuration.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Usage guidelines

When displaying configuration only for one scheme, this command also displays the active state duration for each active server and the most recent five state changes for all servers in the scheme.

When displaying configuration for all schemes, this command also displays the active state duration for each active server and the most recent blocking period for all servers in all schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS scheme name: radius1

  Index : 0

  Primary authentication server:

    IP   : 2.2.2.2                                  Port: 1812

    VPN  : vpn1

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent blocked period: 2021/08/15 20:33:45 - 2021/08/15 20:38:45

    Test profile: 132

      Probe username: test

      Probe interval: 60 seconds

    Weight: 40

  Primary accounting server:

    IP : 1.1.1.1                                    Port: 1813

    VPN : Not configured

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent blocked period: 2021/08/15 20:33:45 - 2021/08/15 20:38:45

    Weight: 40

  Second authentication server:

    IP : 3.3.3.3                                    Port: 1812

    VPN : Not configured

    State: Blocked

    Most recent blocked period: 2021/08/15 20:33:45 - now

    Test profile: Not configured

    Weight: 40

  Second accounting server:

    IP : 3.3.3.3                                    Port: 1813

    VPN : Not configured

    State: Blocked (mandatory)

    Most recent blocked period: 2021/08/15 20:33:45 - now

    Weight: 0

  Accounting-On function                     : Enabled

    extended function                        : Disabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(seconds)      : 22

  Stop-accounting packets buffering          : Enabled

    Retransmission times                     : 500

  NAS IP Address                             : 1.1.1.1

  Source IP address                          : Not configured

  VPN                                        : Not configured

  Username format                            : with-domain

  Data flow unit                             : Megabyte

  Packet unit                                : One

  Attribute 5 format                         : QinQ

  Attribute 6:

    IPoE                                     : Outbound (value-added services included)

  Attribute 15 check-mode                    : Strict

  Attribute 25                               : CAR

  Remanent-Volume threshold                  : 1024

  Attribute Remanent-Volume unit             : Mega

  Server-load-sharing                        : Disabled

  Server-load-sharing mode                   : Session-based

  Attribute 31 MAC format                    : hh:hh:hh:hh:hh:hh

  Stop-accounting-packet send-force          : Disabled

  RADIUS server version (vendor ID 2011)     : 1.0

  Attribute 85 preferred                     : Enabled

  Attribute 87 format customized             : c-vid@interface-type/s-vid

  Authentication response pending limit      : Not configured

  Accounting response pending limit          : Not configured

  Username authorization                     : Not applied

  All-server-block action                    : Attempt the top-priority server

------------------------------------------------------------------

# Display the configuration of RADIUS scheme radius1.

<Sysname> display radius scheme radius1

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS scheme name: radius1

  Index : 0

  Primary authentication server:

    IP   : 2.2.2.2                                  Port: 1812

    VPN  : vpn1

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent state changes:

      2021/08/15 20:38:45   Changed to active state

      2021/08/15 20:33:45   Changed to blocked state

      2021/08/15 20:31:19   Changed to active state

      2021/08/15 20:26:19   Changed to blocked state

      2021/08/15 20:26:00   Changed to active state

    Test profile: 132

      Probe username: test

      Probe interval: 60 seconds

    Weight: 40

  Primary accounting server:

    IP : 1.1.1.1                                    Port: 1813

    VPN : Not configured

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent state changes:

      2021/08/15 20:38:45   Changed to active state

      2021/08/15 20:33:45   Changed to blocked state

      2021/08/15 20:31:19   Changed to active state

      2021/08/15 20:26:19   Changed to blocked state

      2021/08/15 20:26:00   Changed to active state

    Weight: 40

  Second authentication server:

    IP: 3.3.3.3                                     Port: 1812

    VPN : Not configured

    State: Blocked

    Most recent state changes:

      2021/08/15 20:56:22   Changed to blocked state

      2021/08/15 20:48:45   Changed to active state

      2021/08/15 20:43:45   Changed to blocked state

      2021/08/15 20:41:19   Changed to active state

      2021/08/15 20:46:19   Changed to blocked state

    Test profile: Not configured

    Weight: 40

  Second accounting server:

    IP : 3.3.3.3                                    Port: 1813

    VPN : Not configured

    State: Blocked (mandatory)

    Most recent state changes:

      2021/08/15 20:56:22   Changed to blocked state

      2021/08/15 20:48:45   Changed to active state

      2021/08/15 20:43:45   Changed to blocked state

      2021/08/15 20:41:19   Changed to active state

      2021/08/15 20:46:19   Changed to blocked state

    Most recent blocked period: 2021/08/15 20:33:45 - now

    Weight: 0

  Accounting-On function                     : Enabled

    extended function                        : Disabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(seconds)      : 22

  Stop-accounting packets buffering          : Enabled

    Retransmission times                     : 500

  NAS IP Address                             : 1.1.1.1

  Source IP address                          : Not configured

  VPN                                        : Not configured

  Username format                            : with-domain

  Data flow unit                             : Megabyte

  Packet unit                                : One

  Attribute 5 format                         : QinQ

  Attribute 6:

    IPoE                                     : Outbound (value-added services included)

  Attribute 15 check-mode                    : Strict

  Attribute 25                               : CAR

  Remanent-Volume threshold                  : 1024

  Attribute Remanent-Volume unit             : Mega

  Server-load-sharing                        : Disabled

  Server-load-sharing mode                   : Session-based

  Attribute 31 MAC format                    : hh:hh:hh:hh:hh:hh

  Stop-accounting-packet send-force          : Disabled

  RADIUS server version (vendor ID 2011)     : 1.0

  Attribute 85 preferred                     : Enabled

  Attribute 87 format customized             : c-vid@interface-type/s-vid

  Authentication response pending limit      : Not configured

  Accounting response pending limit          : Not configured

  Username authorization                     : Not applied

  All-server-block action                    : Attempt the top-priority server

------------------------------------------------------------------

Table 15 Command output

Field

Description

Index

Index number of the RADIUS scheme.

Primary authentication server

Information about the primary authentication server.

Primary accounting server

Information about the primary accounting server.

Second authentication server

Information about the secondary authentication server.

Second accounting server

Information about the secondary accounting server.

IP

IP address of the server. If no server is configured, this field displays Not configured.

Port

Service port number of the server. If no port number is specified, this field displays the default port number.

VPN

MPLS L3VPN instance to which the server belongs. If no VPN instance is specified for the server, this field displays Not configured.

State

Status of the server:

·     Active—The server is in active state.

·     Blocked—The server is changed to blocked state automatically.

·     Blocked (mandatory)—The server is set to blocked state manually.

duration

The duration of the current active state for the server. This field is displayed only when the server is in active state.

Most recent blocked period

Most recent blocking start time and end time when the server stayed in blocked state. If the server still remains in blocked state, now is displayed for the end time.

Most recent state changes

Most recent five state changes of the server.

Test profile

Test profile used for RADIUS server status detection.

Probe username

Username used for RADIUS server status detection.

Probe interval

Server status detection interval, in seconds.

Weight

Weight value of the RADIUS server.

Accounting-On function

Whether the accounting-on feature is enabled.

extended function

Whether the extended accounting-on feature is enabled.

retransmission times

Number of accounting-on packet transmission attempts.

retransmission interval(seconds)

Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds)

RADIUS server response timeout period, in seconds.

Retransmission Times

Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update

Maximum number of accounting attempts.

Server Quiet Period(minutes)

Quiet period for the servers, in minutes.

Realtime Accounting Interval(seconds)

Interval for sending real-time accounting updates, in seconds.

Stop-accounting packets buffering

Whether buffering of nonresponded RADIUS stop-accounting requests is enabled.

Retransmission times

Maximum number of transmission attempts for individual RADIUS stop-accounting requests.

NAS IP Address

NAS IP address of RADIUS packets. If no NAS IP addresses are specified, this field displays Not configured.

Source IP address

Source IP address for outgoing RADIUS packets. If no source IP addresses are specified, this field displays Not configured.

VPN

MPLS L3VPN instance to which the RADIUS scheme belongs. If no VPN instance is specified for the server, this field displays Not configured.

Username format

Format for the usernames sent to the RADIUS server:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Data flow unit

Measurement unit for data flow.

Packet unit

Measurement unit for packets.

Attribute 5 format

Format for the RADIUS NAS-Port attribute (attribute 5):

·     QinQ.

·     Default.

Attribute 6

Value of the RADIUS Service-Type attribute in outgoing RADIUS packets for IPoE users.

·     Outbound (value-added services included)—The attribute value is 5 (Outbound) in authentication and accounting requests for IPoE users and this value applies to both value-added and non-value-added services.

·     Outbound (value-added services excluded)—The attribute value is 5 (Outbound) in authentication and accounting requests for IPoE users, but this value does not apply to value-added services.

Attribute 15 check-mode

RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:

·     Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

Attribute 25

RADIUS attribute 25 interpretation status:

·     Standard—The attribute is not interpreted as CAR parameters.

·     CAR—The attribute is interpreted as CAR parameters.

Remanent-Volume threshold

Available data threshold. The unit for the threshold is the same as the data measurement unit for the RADIUS Remanent_Volume attribute.

Attribute Remanent-Volume unit

Data measurement unit for the RADIUS Remanent_Volume attribute.

Server-load-sharing

Status of the RADIUS server load sharing feature:

·     Disabled—The feature is disabled. The device forwards traffic to the server selected based on primary and secondary server roles.

·     Enabled—The feature is enabled. The device distributes traffic among multiple servers for load sharing.

Server-load-sharing mode

RADIUS authentication server load sharing mode:

·     Session-based.

·     Packet-based.

Attribute 31 MAC format

MAC address format for RADIUS attribute 31.

Stop-accounting-packet send-force

Whether the device forcibly sends stop-accounting packets when users for whom no start-accounting packets were sent go offline.

RADIUS server version (vendor ID 2011)

Version of the RADIUS servers with a vendor ID of 2011.

Attribute 85 preferred

Whether the device prefers the real-time accounting interval assigned by the server through the RADIUS Acct-Interim-Interval attribute to the real-time accounting interval configured in the RADIUS scheme.

·     Enabled—Yes.

·     Disabled—No.

Attribute 87 format vendor-specific

ID of the vendor whose RADIUS attribute 87 format is used.

Attribute 87 format customized

Custom format for RADIUS attribute 87.

Authentication response pending limit

Maximum number of pending authentication requests (requests for which no responses are received from the authentication server).

If the maximum number of pending authentication requests is not set, this field displays Not configured.

Accounting response pending limit

Maximum number of pending accounting requests (requests for which no responses are received from the accounting server).

If the maximum number of pending accounting requests is not set, this field displays Not configured.

Username authorization

Whether to allow the device to use the server-assigned usernames for AAA processes subsequent to authentication:

·     Applied—The device uses the server-assigned usernames for AAA processes subsequent to authentication.

·     Not applied—The device uses the usernames used in authentication for AAA processes subsequent to authentication.

All-server-block action

Action to take for AAA requests when all servers in the scheme are blocked:

·     Attempt the top-priority server.

·     Skip all servers in the scheme.

 

display radius server-load statistics

Use display radius server-load statistics to display authentication and accounting load statistics for all RADIUS servers.

Syntax

display radius server-load statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays the following statistics:

·     Last-5-second statistics—Total number of authentication or accounting requests sent to each RADIUS server in the last 5 seconds. Starting from when the device sends the first authentication or accounting request to a RADIUS server, it updates the number of requests sent to that server every 5 seconds.

·     History statistics—Total number of authentication or accounting requests sent to each RADIUS server since the device started up. The device increases the history statistics for a RADIUS server by 1 each time it sends an authentication or accounting request to that server. The device does not decrease the history statistics even if users go offline or the server fails to respond to a request within the timeout time.

Based on the statistics, you can adjust the load on RADIUS servers by changing the sequence in which the servers are configured or the weight values of the servers.

This command displays statistics only for RADIUS servers whose IP addresses are available or can be resolved from their host names.

The device deletes all statistics for a RADIUS server if that server is removed from a RADIUS scheme or the server's IP address, VPN instance, or service port number changes.

If an active/standby switchover occurs, the last-5-second statistics are deleted. However, the history statistics are not deleted. The history statistics might be inaccurate.

If the device reboots, both the last-5-second statistics and the history statistics are deleted.

Examples

# Display authentication and accounting load statistics for all RADIUS servers.

<Sysname> display radius server-load statistics

Authentication servers: 2

IP                   VPN              Port    Last 5 sec   History

1.1.1.1              N/A              1812    20           100

1::1                 ABC              1812    0            20

Accounting servers: 2

IP                   VPN              Port    Last 5 sec   History

1.1.1.1              N/A              1813    20           100

1::1                 ABC              1813    0            20

Table 16 Command output

Field

Description

Authentication servers

Total number of RADIUS authentication servers.

Accounting servers

Total number of RADIUS accounting servers.

IP

IP address of a RADIUS server.

VPN

MPLS L3VPN instance to which the RADIUS server belongs.

This field displays N/A if no VPN instance is specified for the server.

Port

Service port number of the RADIUS server.

Last 5 sec

Total number of RADIUS authentication or accounting requests sent to the RADIUS server within the last 5 seconds.

History

Total number of RADIUS authentication or accounting requests sent to the RADIUS server since the device starts up.

 

Related commands

reset radius server-load statistics

display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics [ server { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] { accounting | authentication } ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server: Specifies a RADIUS server.

ip ipv4-address: Specifies the IPv4 address of the RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of the RADIUS server.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

port port-number: Specifies the service port number of the RADIUS server. The value range for the UDP port number is 1 to 65535. The default authentication port number is 1812 and the default accounting port number is 1813.

accounting: Specifies the RADIUS accounting packet statistics.

authentication: Specifies the RADIUS authentication packet statistics.

Usage guidelines

Use this command to display statistics about RADIUS packets exchanged between the device and RADIUS servers, including authentication packets, accounting packets, DAE packets, session-control packets, and PPPoE agency dialup packets.

If you do not specify any parameters, this command displays statistics about all types of RADIUS packets exchanged between the device and all RADIUS servers. If you specify a RADIUS server, this command displays statistics about RADIUS authentication or accounting packets exchanged between the device and the specified RADIUS server.

Examples

# Display RADIUS packet statistics for all RADIUS servers.

<Sysname> display radius statistics

Authentication packets:

  Requests                   : 8          Retransmissions        : 0

  Pending requests           : 0          Packet timeouts        : 0

  Request failures           : 0          Challenge packets      : 0

  Packets without responses  : 0          Packets with responses : 0

  Accept responses           : 8          Reject responses       : 0

  Unknown-type responses     : 0          Malformed responses    : 0

  Bad authenticators         : 0          Dropped responses      : 0

  Invalid server addresses   : 0

Accounting packets:

  Requests                   : 16         Retransmissions        : 0

  Start requests             : 8          Realtime requests      : 0

  Stop requests              : 8          Pending requests       : 0

  Packet timeouts            : 0          Request failures       : 0

  Packets without responses  : 0          Packets with responses : 0

  Unknown-type responses     : 0          Malformed responses    : 0

  Bad authenticators         : 0          Dropped responses      : 0

  Invalid server addresses   : 0

DAE packets:

  DM:

    Requests                 : 0          Request retransmissions: 0

    ACKs                     : 0          NAKs                   : 0

    Timeouts                 : 0          Malformed requests     : 0

    Bad authenticators       : 0          Dropped requests       : 0

  CoA:

    Requests                 : 0          Request retransmissions: 0

    ACKs                     : 0          NAKs                   : 0

    Timeouts                 : 0          Malformed requests     : 0

    Bad authenticators       : 0          Dropped requests       : 0

  Unknown-type requests      : 0

Session-control packets:

  Terminate:

    Requests                 : 0          Successes              : 0

    Failures                 : 0          Timeouts               : 0

  Set-policy:

    Requests                 : 0          Successes              : 0

    Failures                 : 0          Timeouts               : 0

  Unknown-type requests      : 0          Malformed requests     : 0

  Bad authenticators         : 0          Dropped requests       : 0

PPPoEA packets:

  COA requests               : 0          COA responses          : 0

  PPPoE agent responses:

    Successes                : 0          Failures               : 0

    Offlines                 : 0

  DM requests                : 0          DM responses           : 0

 

Authentication servers: 1

  IP:  1.1.1.1                            Port: 1812

  VPN:

  Authentication packets:

    Requests                  : 8         Retransmissions        : 0

    Pending requests          : 0         Packet timeouts        : 0

    Request failures          : 0         Challenge packets      : 0

    Accept responses          : 8         Reject responses       : 0

    Unknown-type responses    : 0         Malformed responses    : 0

    Bad authenticators        : 0         Dropped responses      : 0

 

Accounting servers: 1

  IP:  1.1.1.1                            Port: 1813

  VPN:

  Accounting packets:

    Requests                  : 16        Retransmissions        : 0

    Start requests            : 8         Realtime requests      : 0

    Stop requests             : 8         Pending requests       : 0

    Packet timeouts           : 0         Request failures       : 0

    Unknown-type responses    : 0         Malformed responses    : 0

    Bad authenticators        : 0         Dropped responses      : 0

    Accept responses          : 16

# Display RADIUS authentication packet statistics for the RADIUS server at 1.1.1.1 with authentication port 1812.

<Sysname> display radius statistics server ip 1.1.1.1 port 1812 authentication

    Requests                  : 8         Retransmissions        : 0

    Pending requests          : 0         Packet timeouts        : 0

    Request failures          : 0         Challenge packets      : 0

    Accept responses          : 8         Reject responses       : 0

    Unknown-type responses    : 0         Malformed responses    : 0

    Bad authenticators        : 0         Dropped responses      : 0
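Operationally, the counters above are most useful when compared between two snapshots, so here is an added Python helper (not from the H3C documentation) that parses the two-column layout and reports growth in the counters that indicate a shared-key mismatch or packets that failed integrity or format checks (Bad authenticators, Malformed, Unknown-type, Dropped). The snapshots are constructed from the example output above with a few counters raised; the flattened section names and the security reading of each counter are this example's assumptions.

```python
"""Added monitoring helper (not H3C code): parse the two-column counter layout of
"display radius statistics" and report growth in the counters that point at a
shared-key mismatch or at forged/unsolicited packets rather than at a slow server."""
import re
from typing import Dict, List, Tuple

# "Name : value" pairs, two per line; the colon may be glued to the name
# ("Request retransmissions: 0") and the value may be "-" (not counted).
PAIR = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\d+|-)(?=\s|$)")
# A line holding only "Section:" opens a nested section ("DAE packets:", "  DM:").
SECTION = re.compile(r"^\s*([A-Za-z][A-Za-z -]*[A-Za-z]):\s*$")
# Growth here is a security signal: wrong shared key, or packets that are not genuine.
SUSPICIOUS = {"Bad authenticators", "Malformed responses", "Malformed requests",
              "Unknown-type responses", "Unknown-type requests",
              "Dropped responses", "Dropped requests"}


def parse_statistics(text: str) -> Dict[str, int]:
    """Flatten the output to {"Section/Subsection/Counter": value}. Handles the
    aggregate block and the header-less single-server output shown on the page."""
    counters: Dict[str, int] = {}
    stack: List[Tuple[int, str]] = []      # (indent, section name), innermost last
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:   # back out of deeper/sibling sections
            stack.pop()
        header = SECTION.match(line)
        if header:
            stack.append((indent, header.group(1)))
            continue
        prefix = [name for _, name in stack]
        for name, value in PAIR.findall(line):
            if value != "-":                      # "-" means not counted for this type
                counters["/".join(prefix + [name])] = int(value)
    return counters


def suspicious_growth(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters from SUSPICIOUS that increased between two snapshots, with the delta."""
    return {key: after[key] - before.get(key, 0) for key in sorted(after)
            if key.rsplit("/", 1)[-1] in SUSPICIOUS and after[key] > before.get(key, 0)}


# Constructed snapshots: the first copies the aggregate figures from the example
# output (trimmed to two sections); the second is the same output a few minutes
# later with the Bad authenticators and DM Dropped requests counters raised.
SNAPSHOT_BEFORE = """\
Authentication packets:
  Requests                   : 8          Retransmissions        : 0
  Pending requests           : 0          Packet timeouts        : 0
  Request failures           : 0          Challenge packets      : 0
  Packets without responses  : 0          Packets with responses : 0
  Accept responses           : 8          Reject responses       : 0
  Unknown-type responses     : 0          Malformed responses    : 0
  Bad authenticators         : 0          Dropped responses      : 0
  Invalid server addresses   : 0
DAE packets:
  DM:
    Requests                 : 0          Request retransmissions: 0
    ACKs                     : 0          NAKs                   : 0
    Timeouts                 : 0          Malformed requests     : 0
    Bad authenticators       : 0          Dropped requests       : 0
  Unknown-type requests      : 0
"""
SNAPSHOT_AFTER = re.sub(r"(Bad authenticators\s*: )0", r"\g<1>3",
                        re.sub(r"(Dropped requests\s*: )0", r"\g<1>2", SNAPSHOT_BEFORE))


def demo() -> Dict[str, int]:
    """Deltas worth an alert between the two constructed snapshots."""
    return suspicious_growth(parse_statistics(SNAPSHOT_BEFORE), parse_statistics(SNAPSHOT_AFTER))
```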

Table 17 Command output

Field

Description

Authentication packets

Statistics for authentication packets.

Accounting packets

Statistics for accounting packets.

Requests

Number of authentication or accounting request packets.

This count does not include retransmissions.

When Pending requests increases, this count increases as well.

Retransmissions

Number of times that authentication or accounting request packets were retransmitted.

This count is not included in the Requests field.

Start requests

Number of start-accounting request packets.

Realtime requests

Number of real-time accounting request packets.

Stop requests

Number of stop-accounting request packets.

Pending requests

Number of authentication or accounting request packets waiting for responses.

The packets have not timed out.

Packet timeouts

Number of authentication or accounting request packets that have timed out.

Request failures

Number of authentication or accounting request packets that the device failed to send.

Challenge packets

Number of authentication challenge packets.

Packets without responses

Number of authentication or accounting request packets for which no responses were received.

This count increases by 1 only after all servers fail to respond to an authentication or accounting request.

If this field displays a hyphen (-) for a packet type, the device does not count that packet type.

Packets with responses

Number of authentication or accounting packets for which responses were received.

If this field displays a hyphen (-) for a packet type, the device does not count that packet type.

Accept responses

Number of Access-Accept packets in authentication packet statistics or number of accounting responses in accounting packet statistics.

Reject responses

Number of Access-Reject packets.

Unknown-type responses

Number of unknown-type authentication or accounting response packets.

Malformed responses

Number of authentication or accounting response packets whose length is invalid.

Bad authenticators

Number of authentication or accounting response packets whose Response Authenticator failed verification. This usually means the shared key configured on the device does not match the key on the server; it also catches responses that were not generated for the device's own request.

Dropped responses

Number of authentication or accounting response packets dropped because of a reason other than Unknown-type, Malformed, and Bad authenticators.

Invalid server addresses

Number of packets that contain an invalid server address.

DAE packets

Statistics of DAE packets.

DM

Statistics of DM packets.

CoA

Statistics of CoA packets.

Requests

Number of DAE request packets.

The statistics in this field does not include retransmissions.

Request retransmissions

Number of times that DAE request packets were retransmitted.

ACKs

Number of DAE ACKs.

NAKs

Number of DAE NAKs.

Session-control packets

Statistics of session-control packets.

Terminate

Number of packets for logging out users forcibly.

Set-policy

Number of packets for updating user authorization information.

Requests

Number of session-control request packets.

Successes

Number of session-control request packets that have been accepted and processed.

Failures

Number of session-control request packets that have been denied.

Timeouts

Number of DAE or session-control request packets that have timed out.

Unknown-type requests

Number of unknown-type DAE or session-control request packets.

Malformed requests

Number of DAE or session-control request packets whose length is invalid.

Bad authenticators

Number of DAE or session-control request packets whose Request Authenticator failed verification, usually because the DAC's shared key does not match the key configured for that client on the DAS.

Dropped requests

Number of dropped DAE or session-control request packets.

PPPoEA packets

PPPoE agency dialup packet statistics.

COA requests

Number of received agency dialup requests in CoA messages from the server.

COA responses

Number of sent agency dialup responses in CoA messages to the server.

PPPoE agent responses

Number of received PPPoE agency dialup responses.

Successes

Number of PPPoE agency dialup online success messages.

Failures

Number of PPPoE agency dialup online failure messages.

Offlines

Number of PPPoE agency dialup offline messages.

DM requests

Number of received PPPoEA user-logoff DM requests from the server.

DM responses

Number of sent DM responses that carry the PPPoEA user-logoff result to the server.

Authentication servers

Number of authentication servers.

Accounting servers

Number of accounting servers.

IP

IP address of the server.

Port

Service port number of the server.

VPN

MPLS L3VPN instance to which the server belongs.

If the server belongs to the public network, this field does not display anything.

Authentication packets

Statistics of authentication packets.

Accounting packets

Statistics of accounting packets.
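The Bad authenticators and Malformed responses counters above are the visible result of the checks every RADIUS client runs on a packet before trusting it. The following Python script is an added example, not part of this command reference and not H3C code: it builds constructed packets, computes the Response Authenticator defined in RFC 2865 and the DAE Request Authenticator defined in RFC 5176, and names the Table 17 counter each packet would fall into. The function names, identifiers and attribute values are assumptions made for the example; the shared key reuses the value from the primary authentication example further down this page.

```python
import hashlib
import struct

# Packet codes from RFC 2865 (authentication), RFC 2866 (accounting) and RFC 5176 (DAE)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ACCT_RESPONSE = 5
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
MAX_LENGTH = 4096

# Table 17 counter that a well-formed, correctly authenticated response lands in
RESPONSE_COUNTER = {
    ACCESS_ACCEPT: "Accept responses",
    ACCESS_REJECT: "Reject responses",
    ACCESS_CHALLENGE: "Challenge packets",
    ACCT_RESPONSE: "Accept responses",   # accounting responses are counted as accepts
}

def attr(code, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return bytes([code, len(value) + 2]) + value

def header(code, ident, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs))

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()

def dae_request_authenticator(code, ident, attrs, secret):
    """RFC 5176 s2.3: same construction, with 16 zero octets where the authenticator sits."""
    return hashlib.md5(header(code, ident, attrs) + bytes(16) + attrs + secret).digest()

def make_response(code, ident, attrs, request_auth, secret):
    """Server side: answer the request whose authenticator was request_auth."""
    return header(code, ident, attrs) + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def make_dae_request(code, ident, attrs, secret):
    """DAC side: a CoA-Request or Disconnect-Request aimed at the NAS."""
    return header(code, ident, attrs) + dae_request_authenticator(code, ident, attrs, secret) + attrs

def parse(pkt):
    """Return (code, ident, attrs), or None when the Length field is unusable.
    RFC 2865 s3: a packet shorter than Length is discarded; bytes past Length are padding."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > MAX_LENGTH or length > len(pkt):
        return None
    return code, ident, pkt[20:length]

def classify_response(pkt, request_auth, secret):
    """Name the Table 17 counter that a received authentication or accounting response increments."""
    parsed = parse(pkt)
    if parsed is None:
        return "Malformed responses"
    code, ident, attrs = parsed
    if pkt[4:20] != response_authenticator(code, ident, attrs, request_auth, secret):
        return "Bad authenticators"      # key mismatch, or a response not made for our request
    return RESPONSE_COUNTER.get(code, "Unknown-type responses")

def classify_dae_request(pkt, secret):
    """Name the Table 17 DAE counter that a request arriving on the DAS port increments."""
    parsed = parse(pkt)
    if parsed is None:
        return "Malformed requests"
    code, ident, attrs = parsed
    if pkt[4:20] != dae_request_authenticator(code, ident, attrs, secret):
        return "Bad authenticators"      # the DAC signed with a key other than this client's
    if code == DISCONNECT_REQUEST:
        return "DM"
    if code == COA_REQUEST:
        return "CoA"
    return "Unknown-type requests"

def demo():
    """Constructed exchange: one Access-Request answered four ways, then two Disconnect-Requests."""
    secret = b"123456TESTauth&!"        # the key from the page's primary authentication example
    wrong_secret = b"ok"
    # a real NAS draws 16 random bytes here; fixed so the example is reproducible
    request_auth = hashlib.md5(b"constructed request authenticator").digest()
    ident = 7
    accept_attrs = attr(6, struct.pack("!I", 2))        # Service-Type = Framed
    good = make_response(ACCESS_ACCEPT, ident, accept_attrs, request_auth, secret)
    bad_key = make_response(ACCESS_ACCEPT, ident, accept_attrs, request_auth, wrong_secret)
    unknown = make_response(200, ident, b"", request_auth, secret)
    dm_attrs = attr(44, b"1000326232325010")             # Acct-Session-Id; value from the page's buffer output
    dm_good = make_dae_request(DISCONNECT_REQUEST, 9, dm_attrs, secret)
    dm_bad = make_dae_request(DISCONNECT_REQUEST, 9, dm_attrs, wrong_secret)
    return {
        "good": classify_response(good, request_auth, secret),
        "wrong key": classify_response(bad_key, request_auth, secret),
        "truncated": classify_response(good[:-4], request_auth, secret),
        "unknown code": classify_response(unknown, request_auth, secret),
        "dm good": classify_dae_request(dm_good, secret),
        "dm wrong key": classify_dae_request(dm_bad, secret),
    }
```

The order of the checks matters when reading the counters: a packet with a bad length never reaches the authenticator check, so a server that is sending truncated packets shows up under Malformed responses rather than Bad authenticators, and a steady rise in Bad authenticators with a correct key means someone other than the configured server is answering on that address and port.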

 

Related commands

reset radius statistics

display stop-accounting-buffer (for RADIUS)

Use display stop-accounting-buffer to display information about buffered RADIUS stop-accounting requests to which no responses have been received.

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.

time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.

Examples

# Display information about buffered RADIUS stop-accounting requests for user abc that have not been answered.

<Sysname> display stop-accounting-buffer user-name abc

Total entries: 2

Scheme     Session ID          Username    First sending time   Attempts

rad1       1000326232325010    abc         23:27:16-08/31/2019  19

aaa        1000326232326010    abc         23:33:01-08/31/2019  20

Table 18 Command output

Field

Description

Session ID

Session ID, which is the Acct-Session-Id attribute value.

First sending time

Time when the stop-accounting request was first sent.

Attempts

Number of attempts that were made to send the stop-accounting request.

 

Related commands

reset stop-accounting-buffer (for RADIUS)

retry

retry stop-accounting (RADIUS scheme view)

stop-accounting-buffer enable (RADIUS scheme view)

user-name-format (RADIUS scheme view)

exclude

Use exclude to exclude an attribute from RADIUS requests.

Use undo exclude to cancel the configuration of excluding an attribute from RADIUS requests.

Syntax

exclude { accounting | authentication } name attribute-name

undo exclude { accounting | authentication } name attribute-name

Default

No attributes are configured to be excluded from RADIUS requests.

Views

RADIUS attribute test group view

Predefined user roles

network-admin

Parameters

accounting: Specifies RADIUS accounting requests.

authentication: Specifies RADIUS authentication requests.

name attribute-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The specified attribute must be an attribute that RADIUS requests carry by default. Available attributes that you can specify for RADIUS authentication requests include Service-Type, Framed-Protocol, NAS-Identifier, Acct-Session-Id, and NAS-Port-Type. Available attributes that you can specify for RADIUS accounting requests include NAS-Identifier, Acct-Delay-Time, Acct-Session-Id, and Acct-Terminate-Cause.

Usage guidelines

Use this command to exclude an attribute from RADIUS requests sent during an AAA test to help troubleshoot authentication or accounting failures.

Before you exclude an attribute that is already configured to be included in RADIUS requests, you must cancel the inclusion configuration by using the undo include command.

Examples

# In RADIUS attribute test group t1, exclude Service-Type attribute from RADIUS authentication requests.

<Sysname> system-view

[Sysname] radius attribute-test-group t1

[Sysname-radius-attr-test-grp-t1] exclude authentication name Service-Type

Related commands

include

test-aaa

include

Use include to include an attribute in RADIUS requests.

Use undo include to cancel the configuration of including an attribute in RADIUS requests.

Syntax

include { accounting | authentication } { name attribute-name | [ vendor vendor-id ] code attribute-code } type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string } value attribute-value

undo include { accounting | authentication } { name attribute-name | [ vendor vendor-id ] code attribute-code }

Default

No attributes are configured to be included in RADIUS authentication or accounting requests.

Views

RADIUS attribute test group view

Predefined user roles

network-admin

Parameters

accounting: Specifies RADIUS accounting requests.

authentication: Specifies RADIUS authentication requests.

name attribute-name: Specifies a standard RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters.

vendor vendor-id: Specifies a vendor by its ID in the range of 1 to 65535. If you do not specify a vendor, this command includes a standard attribute in RADIUS requests. Table 19 shows the vendor IDs of supported vendors.

Table 19 Supported vendors and vendor IDs

Vendor            Vendor ID
HUAWEI            2011
H3C               25506
Microsoft         311
3COM              43
DSL Forum         3561
China Telecom     20942
Wi-Fi Alliance    40808
Juniper           2636
CMCC              28357
Cisco             9

code attribute-code: Specifies a RADIUS attribute by its code in the range of 1 to 255.

type: Specifies a data type for the attribute content.

binary: Binary type.

date: Date type.

integer: Integer type.

interface-id: Interface ID type.

ip: IPv4 address type.

ipv6: IPv6 address type.

ipv6-prefix: IPv6 address prefix type.

octets: Octet type.

string: String type.

value attribute-value: Specifies the value for the attribute of the data type. The value range of the attribute-value argument varies by data type.

·     For the binary type, the value is a string of 1 to 256 hexadecimal characters, which represents a binary number with a maximum of 128 bytes.

·     For the date type, the value range is 0 to 4294967295.

·     For the integer type, the value range is 0 to 4294967295.

·     For the interface ID type, the value range is 1 to ffffffffffffffff.

·     For the IPv6 address prefix type, the value is in the format of prefix/prefix-length.

·     For the octet type, the value is a string of 1 to 256 hexadecimal characters, which represents an octet number with a maximum of 128 bytes.

·     For the string type, the value of this argument is a string of 1 to 253 characters.

Usage guidelines

RADIUS requests carry some attributes by default. For these attributes, use the include command to change their values, or the undo include command to restore the default values. Table 20 shows the attributes that RADIUS requests carry by default.

Table 20 Attributes that RADIUS requests carry by default

Packet type

Attributes that the type of packets carry by default

RADIUS authentication request

User-Name

CHAP-Password (or User-Password)

CHAP-Challenge

NAS-IP-Address (or NAS-IPv6-Address)

Service-Type

Framed-Protocol

NAS-Identifier

NAS-Port-Type

Acct-Session-Id

RADIUS accounting request

User-Name

Acct-Status-Type

NAS-IP-Address (or NAS-IPv6-Address)

NAS-Identifier

Acct-Session-Id

Acct-Delay-Time

Acct-Terminate-Cause

 

For the accuracy of AAA tests, the value of an attribute must be of the data type specified for that attribute.

The attribute names of standard attributes saved in the configuration file will be converted to attribute codes.

Before you include an attribute that is already configured to be excluded from RADIUS requests, you must cancel the exclusion configuration by using the undo exclude command.

You can include multiple attributes in RADIUS requests. The device adds the included attributes to RADIUS packets in the order they are configured. If the length of a RADIUS request reaches 4096 bytes, the device will not add the remaining attributes to the request. As a best practice, include a reasonable number of attributes in RADIUS requests.
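The following Python script is an added example of the include and exclude processing described above; it is not H3C code and not part of this command reference. It serializes values for the data types the include command accepts, wraps a vendor attribute in a Vendor-Specific envelope, lets an include override the value of a default attribute, refuses an attribute that is both included and excluded, and stops adding attributes once the 4096-byte packet limit would be crossed. The standard attribute codes are the IANA-registered ones; code 200 under vendor 25506 is a placeholder and not a real H3C attribute, and every value is constructed for the example.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26
MAX_RADIUS_LENGTH = 4096    # RFC 2865 ceiling; the page stops adding attributes once a request reaches it

def encode_value(dtype, value):
    """Serialize a value for one of the data types the include command accepts."""
    if dtype in ("integer", "date"):
        return struct.pack("!I", value)                       # 0 to 4294967295
    if dtype == "interface-id":
        return struct.pack("!Q", value)                       # 8 octets
    if dtype == "ip":
        return ipaddress.IPv4Address(value).packed
    if dtype == "ipv6":
        return ipaddress.IPv6Address(value).packed
    if dtype == "ipv6-prefix":                                 # RFC 3162: Reserved, Prefix-Length, Prefix
        net = ipaddress.IPv6Network(value, strict=False)
        return bytes([0, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    if dtype in ("binary", "octets"):
        raw = bytes.fromhex(value)                             # page: up to 256 hex digits, 128 bytes
        if len(raw) > 128:
            raise ValueError("binary/octets value longer than 128 bytes")
        return raw
    if dtype == "string":
        return value.encode()                                  # page: 1 to 253 characters
    raise ValueError("unknown data type %r" % dtype)

def attr(code, value, vendor=None):
    """Type/Length/Value; a vendor attribute rides inside Vendor-Specific (26), RFC 2865 s5.26."""
    if vendor is not None:
        value = struct.pack("!I", vendor) + bytes([code, len(value) + 2]) + value
        code = VENDOR_SPECIFIC
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([code, len(value) + 2]) + value

def build_attributes(defaults, test_group):
    """Apply a test group to the default attribute list.
    defaults:   (name, code, dtype, value) tuples, the Table 20 set for the packet type
    test_group: {"exclude": [names], "include": [(name, code, vendor, dtype, value), ...]}
    An include that names a default attribute replaces that attribute's value; other includes are
    appended in configured order, and the walk stops once the 4096-byte packet limit would be crossed."""
    excluded = set(test_group.get("exclude", []))
    includes = list(test_group.get("include", []))
    clash = excluded & {rule[0] for rule in includes}
    if clash:                                   # the page requires undo include / undo exclude first
        raise ValueError("attribute both included and excluded: %s" % sorted(clash))
    overrides = {(rule[1], rule[2]): rule for rule in includes}
    out, added = bytearray(), []
    for name, code, dtype, value in defaults:
        if name in excluded:
            continue
        if (code, None) in overrides:
            _, _, _, dtype, value = overrides.pop((code, None))
        out += attr(code, encode_value(dtype, value))
        added.append(name)
    for name, code, vendor, dtype, value in includes:
        if (code, vendor) not in overrides:
            continue                            # consumed above as a value override
        tlv = attr(code, encode_value(dtype, value), vendor)
        if 20 + len(out) + len(tlv) > MAX_RADIUS_LENGTH:
            break                               # remaining includes are dropped, as the page warns
        out += tlv
        added.append(name)
    return bytes(out), added

def demo():
    """Test group t1 from the page's examples, applied to a constructed PAP Access-Request default set
    (User-Password is left out; its obfuscation needs the shared key and the request authenticator)."""
    defaults = [
        ("User-Name", 1, "string", "abc"),
        ("NAS-IP-Address", 4, "ip", "10.1.1.1"),
        ("Service-Type", 6, "integer", 2),                    # Framed
        ("Framed-Protocol", 7, "integer", 1),                 # PPP
        ("NAS-Identifier", 32, "string", "bras1"),
        ("NAS-Port-Type", 61, "integer", 15),                 # Ethernet
        ("Acct-Session-Id", 44, "string", "1000326232325010"),
    ]
    t1 = {
        "exclude": ["Service-Type"],
        "include": [
            ("Calling-Station-Id", 31, None, "string", "08-00-27-00-34-d8"),
            ("NAS-Identifier", 32, None, "string", "bras-test"),              # overrides the default value
            ("Vendor-Prefix", 200, 25506, "ipv6-prefix", "2001:db8:1::/48"),   # placeholder code, not a real H3C attribute
        ],
    }
    return build_attributes(defaults, t1)
```

Two details are worth checking against your own test groups: the vendor envelope costs six bytes on top of the attribute, so a vendor value may be at most 247 bytes even though the command accepts 253-character strings; and because the limit is applied in configured order, moving a large include to the end of the group is what keeps the attributes you actually need to test from being the ones silently dropped.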

Examples

# In RADIUS attribute test group t1, include the Calling-Station-Id attribute with value 08-00-27-00-34-d8 in RADIUS authentication requests.

<Sysname> system-view

[Sysname] radius attribute-test-group t1

[Sysname-radius-attr-test-grp-t1] include authentication name Calling-Station-Id type string value 08-00-27-00-34-d8

Related commands

exclude

test-aaa

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS authentication or accounting communication.

Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured for secure RADIUS authentication or accounting communication.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure RADIUS accounting communication.

authentication: Specifies the shared key for secure RADIUS authentication communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers. The shared key is the only secret protecting RADIUS traffic: it keys the MD5 authenticators and hides the User-Password attribute, and a short key can be recovered offline from a single captured request and response. Use a long, random key; the key ok in the example below is kept short only for readability.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.

Examples

# In RADIUS scheme radius1, set the shared key to ok in plaintext form for secure accounting communication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a NAS IP address for RADIUS packets.

Use undo nas-ip to remove the NAS IP address of the specified type for RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The NAS IP address of a RADIUS packet is that specified by using the radius nas-ip command in system view.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address and cannot be a loopback address or a link-local address.

Usage guidelines

Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.

The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.

You can specify the NAS IP address in interface view, RADIUS scheme view, and system view.

·     The NAS IP address specified by using the aaa nas-ip command in interface view applies only to users that access the network through the interface.

·     The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.

The priority order is as follows:

1.     The NAS IP address specified in interface view.

2.     The NAS IP address specified in RADIUS scheme view.

3.     The NAS IP address specified in system view.

A RADIUS scheme can have only one NAS IPv4 address and one NAS IPv6 address for RADIUS packets.

If you do not specify the ipv6 keyword for the undo nas-ip command, the command removes the configured NAS IPv4 address for RADIUS packets.
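An added Python example (not H3C code and not part of this command reference) of the two uses of the NAS IP address described above: checking a candidate address against the restrictions listed under Parameters, resolving which of the three configured addresses applies, and refusing a DAE request whose NAS-IP-Address or NAS-IPv6-Address attribute names a different NAS. The function names and the session ID are assumptions; the reason string follows the RFC 5176 Error-Cause name NAS Identification Mismatch.

```python
import ipaddress

NAS_IP_ADDRESS, NAS_IPV6_ADDRESS, ACCT_SESSION_ID = 4, 95, 44   # RFC 2865 / RFC 3162 / RFC 2866 codes

def valid_nas_ipv4(text):
    """The page's rule: not 0.0.0.0, not 255.255.255.255, not class D or E, not loopback."""
    a = ipaddress.IPv4Address(text)
    broadcast = ipaddress.IPv4Address("255.255.255.255")
    return not (a.is_unspecified or a == broadcast or a.is_multicast or a.is_reserved or a.is_loopback)

def valid_nas_ipv6(text):
    """Unicast only; loopback and link-local addresses are refused."""
    a = ipaddress.IPv6Address(text)
    return not (a.is_unspecified or a.is_multicast or a.is_loopback or a.is_link_local)

def effective_nas_ip(interface_ip=None, scheme_ip=None, system_ip=None):
    """Priority order from the page: interface view, then RADIUS scheme view, then system view."""
    return interface_ip or scheme_ip or system_ip

def iter_attrs(attrs):
    """Walk RADIUS TLVs; a Length under 2 or one that overruns the buffer is a malformed packet."""
    i = 0
    while i + 2 <= len(attrs):
        code, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        yield code, attrs[i + 2:i + length]
        i += length

def dae_request_is_for_this_nas(attrs, local_v4=None, local_v6=None):
    """Return (accept, reason). A request that carries a NAS IP address is processed only when that
    address equals the local NAS IP address; a request without one is not filtered on this basis."""
    for code, value in iter_attrs(attrs):
        if code == NAS_IP_ADDRESS:
            if local_v4 is None or ipaddress.IPv4Address(value) != ipaddress.IPv4Address(local_v4):
                return False, "NAS Identification Mismatch"
        elif code == NAS_IPV6_ADDRESS:
            if local_v6 is None or ipaddress.IPv6Address(value) != ipaddress.IPv6Address(local_v6):
                return False, "NAS Identification Mismatch"
    return True, "ok"

def attr(code, value):
    return bytes([code, len(value) + 2]) + value

def demo():
    """Scheme-view address beats the system-view one; then three constructed Disconnect-Request bodies."""
    local = effective_nas_ip(scheme_ip="10.1.1.1", system_ip="10.0.0.1")
    session = attr(ACCT_SESSION_ID, b"1000326232325010")   # value taken from the page's buffer output
    ours = attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.1").packed) + session
    other = attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.2").packed) + session
    other_v6 = attr(NAS_IPV6_ADDRESS, ipaddress.IPv6Address("2001:db8::2").packed) + session
    return {
        "local": local,
        "match": dae_request_is_for_this_nas(ours, local_v4=local),
        "mismatch": dae_request_is_for_this_nas(other, local_v4=local),
        "v6 mismatch": dae_request_is_for_this_nas(other_v6, local_v4=local, local_v6="2001:db8::1"),
        "no nas-ip attr": dae_request_is_for_this_nas(session, local_v4=local),
    }
```

The check runs after the Request Authenticator has been verified, so it is not a substitute for a correct shared key on the DAC; its job is to keep a DAC that serves several NASs from disconnecting a session on the wrong one when two devices share a key.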

Examples

# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the NAS IPv4 address of RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

aaa nas-ip

display radius scheme

radius nas-ip

port

Use port to specify the RADIUS DAS port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAS port number is 3799.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.

Examples

# Configure the RADIUS DAS to listen on UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

client

radius dynamic-author server

pppoe-agency reply-port

Use pppoe-agency reply-port to specify the destination port on which the server listens for agency dialup responses in PPPoE agency dialup.

Use undo pppoe-agency reply-port to restore the default.

Syntax

pppoe-agency reply-port port-number

undo pppoe-agency reply-port

Default

The server listens on port 3799 for agency dialup responses in PPPoE agency dialup.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

In PPPoE agency dialup, the device sends DAE requests to the RADIUS server to notify the AAA server of the agency dialup result. Possible results include:

·     PPPoEA user comes online successfully.

·     PPPoEA user fails to come online.

·     PPPoEA user goes offline.

The destination port of the requests must be the port to which the AAA server listens for DAE requests.

Examples

# Configure the server to listen on port 3790 for agency dialup responses in PPPoE agency dialup.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] pppoe-agency reply-port 3790

Related commands

radius dynamic-author proxy (Security Command Reference)

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary accounting

Default

The primary RADIUS accounting server is not specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the primary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests. The device can generate incorrect accounting results.

Examples

# In RADIUS scheme radius1, specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

display radius scheme

key (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

server-load-sharing enable

vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo primary authentication

Default

The primary RADIUS authentication server is not specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the primary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

Make sure the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

The server status detection is triggered for the server if the specified test profile exists on the device.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a.     Checks the weight value and number of currently served users for each active server.

b.     Determines the most appropriate server in performance to receive an AAA request.

Examples

# In RADIUS scheme radius1, specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

display radius scheme

key (RADIUS scheme view)

radius-server test-profile

secondary authentication (RADIUS scheme view)

server-load-sharing enable

vpn-instance (RADIUS scheme view)

radius attribute extended

Use radius attribute extended to define an extended RADIUS attribute.

Use undo radius attribute extended to delete user-defined extended RADIUS attributes.

Syntax

radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }

undo radius attribute extended [ attribute-name ]

Default

No user-defined extended RADIUS attributes exist.

Views

System view

Predefined user roles

network-admin

Parameters

attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.

vendor vendor-id: Specifies a vendor ID in the range of 1 to 65535. If you do not specify a vendor ID, the device processes the RADIUS attribute as a standard RADIUS attribute. Table 21 shows the vendor IDs of supported vendors.

Table 21 Supported vendors and vendor IDs

Vendor            Vendor ID
HUAWEI            2011
H3C               25506
Microsoft         311
3COM              43
DSL Forum         3561
China Telecom     20942
Wi-Fi Alliance    40808
Juniper           2636
CMCC              28357
Cisco             9

code attribute-code: Specifies the ID of the RADIUS attribute in the attribute set. The value range for the attribute-code argument is 1 to 255.

type: Specifies a data type for the attribute content.

binary: Binary type.

date: Date type.

integer: Integer type.

interface-id: Interface ID type.

ip: IPv4 address type.

ipv6: IPv6 address type.

ipv6-prefix: IPv6 address prefix type.

octets: Octet type.

string: String type.

Usage guidelines

To support the proprietary RADIUS attributes of other vendors, perform the following tasks:

1.     Use this command to define the attributes as extended RADIUS attributes.

2.     Use the attribute convert command to map the extended RADIUS attributes to attributes supported by the system.

3.     Use the attribute translate command to enable the RADIUS attribute translation feature for the mappings to take effect.

To cooperate with RADIUS servers of a third-party vendor, map attributes that cannot be identified by the server to server-supported attributes.

Two RADIUS attributes cannot have the same combination of attribute name, vendor ID, and attribute ID.

If you do not specify a RADIUS attribute name, the undo radius attribute extended command deletes all user-defined extended RADIUS attributes.

Examples

# Define a string-type extended RADIUS attribute with the name Owner-Password, vendor ID 122, and attribute ID 80.

<Sysname> system-view

[Sysname] radius attribute extended Owner-Password vendor 122 code 80 type string

Related commands

attribute convert (RADIUS DAS view)

attribute convert (RADIUS scheme view)

attribute reject (RADIUS DAS view)

attribute reject (RADIUS scheme view)

attribute translate

radius attribute-test-group

Use radius attribute-test-group to create a RADIUS attribute test group and enter its view, or enter the view of an existing RADIUS attribute test group.

Use undo radius attribute-test-group to remove a RADIUS attribute test group.

Syntax

radius attribute-test-group attr-test-group-name

undo radius attribute-test-group attr-test-group-name

Default

No RADIUS attribute test groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

attr-test-group-name: Specifies the name of a RADIUS attribute test group, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A RADIUS attribute test group is a collection of RADIUS attributes that will be included in or excluded from RADIUS requests.

The system can have multiple RADIUS attribute test groups.

Examples

# Create a RADIUS attribute test group named t1 and enter its view.

<Sysname> system-view

[Sysname] radius attribute-test-group t1

[Sysname-radius-attr-test-grp-t1]

Related commands

exclude

include

test-aaa

radius authentication-request first

Use radius authentication-request first to process RADIUS authentication requests ahead of other RADIUS requests.

Use undo radius authentication-request first to restore the default.

Syntax

radius authentication-request first

undo radius authentication-request first

Default

The device processes RADIUS requests in the sequence that the requests are initiated.

Views

System view

Predefined user roles

network-admin

Usage guidelines

RADIUS requests include RADIUS authentication requests, RADIUS accounting-start requests, RADIUS accounting-update requests, and RADIUS accounting-stop requests.

When a large number of users go offline and then try to come online immediately, authentication might fail for these users because of authentication request timeout. To resolve this issue, configure the device to preferentially process authentication requests.

Do not perform this task if the RADIUS server identifies users by the username and does not allow repeated authentication for the same username. A violation might cause authentication failure for users that try to come online immediately after going offline.

As a best practice, do not perform this task when the device has online users.

Examples

# Configure the device to preferentially process RADIUS authentication requests.

<Sysname> system-view

[Sysname] radius authentication-request first

radius dscp

Use radius dscp to change the DSCP priority of RADIUS packets.

Use undo radius dscp to restore the default.

Syntax

radius [ ipv6 ] dscp dscp-value

undo radius [ ipv6 ] dscp

Default

The DSCP priority of RADIUS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 RADIUS packets. If you do not specify this keyword, the command sets the DSCP priority for IPv4 RADIUS packets.

dscp-value: Specifies the DSCP priority of RADIUS packets, in the range of 0 to 63. A larger value represents a higher priority.

Usage guidelines

Use this command to set the DSCP priority in the ToS field of RADIUS packets for changing their transmission priority.

Examples

# Set the DSCP priority of IPv4 RADIUS packets to 10.

<Sysname> system-view

[Sysname] radius dscp 10

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAS feature and enter RADIUS DAS view.

Use undo radius dynamic-author server to disable the RADIUS DAS feature.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAS feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable the RADIUS DAS feature, the device listens to the RADIUS DAS port to receive DAE packets from specified DACs.

Examples

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

client

port

radius nas-ip

Use radius nas-ip to specify a NAS IP address for RADIUS packets.

Use undo radius nas-ip to remove the NAS IP address of the specified type for RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The NAS IP address of RADIUS packets is the primary IPv4 address or the IPv6 address of the packet outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the NAS IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network NAS IP address, do not specify this option.

Usage guidelines

Use this command to specify a NAS IP address for the NAS to carry in the NAS-IP-Address or NAS-IPv6-Address attribute in outgoing RADIUS packets. The NAS IP address must be unique for a RADIUS server to identify the NAS.

The NAS can also use the NAS IP address to match incoming RADIUS packets. For example, if the NAS receives a DAE request that contains a NAS IP address, it compares the NAS IP address in the request with the local NAS IP address. The NAS can process this request only when its NAS IP address is the same as the NAS IP address in the request.

You can specify the NAS IP address in interface view, RADIUS scheme view, and system view.

·     The NAS IP address specified by using the aaa nas-ip command in interface view applies only to users that access the network through the interface.

·     The NAS IP address specified by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The NAS IP address specified by using the radius nas-ip command in system view applies to all RADIUS schemes.

The priority order is as follows:

1.     The NAS IP address specified in interface view.

2.     The NAS IP address specified in RADIUS scheme view.

3.     The NAS IP address specified in system view.

You can specify a maximum of 16 NAS IP addresses in system view, including:

·     Zero or one public-network NAS IPv4 address.

·     Zero or one public-network NAS IPv6 address.

·     Private-network NAS IP addresses.

Each VPN instance can have only one private-network NAS IPv4 address and one private-network NAS IPv6 address in system view.

Examples

# Specify IP address 129.10.10.1 as the NAS IPv4 address of RADIUS packets.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

aaa nas-ip

nas-ip (RADIUS scheme view)

radius offline-reason-convert user-type ppp

Use radius offline-reason-convert user-type ppp to enable offline reason conversion for PPP users.

Use undo radius offline-reason-convert user-type ppp to disable offline reason conversion for PPP users.

Syntax

radius offline-reason-convert user-type ppp

undo radius offline-reason-convert user-type ppp

Default

Offline reason conversion is disabled for PPP users.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command is applicable only to PPP users. It enables the device to convert user offline reason Lost Carrier (handshake failure) to User Request in RADIUS packets sent to the RADIUS server.

Use this command only to meet the definitions and requirements of user offline reasons determined by the RADIUS server.

This command does not change the user offline reasons in user offline records displayed on the device.

Examples

# Enable offline reason conversion for PPP users.

<Sysname> system-view

[Sysname] radius offline-reason-convert user-type ppp

radius scheme

Use radius scheme to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control client

Use radius session-control client to specify a RADIUS session-control client.

Use undo radius session-control client to remove the specified RADIUS session-control clients.

Syntax

radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

Default

No RADIUS session-control clients are specified.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a session-control client by its IPv4 address.

ipv6 ipv6-address: Specifies a session-control client by its IPv6 address.

key: Specifies the shared key for secure communication with the session-control client.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS session-control client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the client is on the public network, do not specify this option.

all: Specifies all session-control clients.

Usage guidelines

To verify the session-control packets sent from a RADIUS server running on IMC, specify the RADIUS server as a session-control client on the device. The device matches a session-control packet to a session-control client based on the source IP address and VPN instance, and then uses the shared key of the matched client to validate the packet.

The device searches the session-control client settings prior to searching all RADIUS scheme settings for a server with matching settings. This process narrows the search scope for finding the matched RADIUS server.

The session-control client settings take effect only when the RADIUS session-control feature is enabled.

The session-control client settings for a RADIUS server must be the same as the corresponding settings on that RADIUS server.

You can specify multiple session-control clients on the device.
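The client lookup and key-based validation described above, as an added example that is not part of this command reference or of H3C's code. The page does not give the wire format of IMC session-control packets, so the example assumes they are validated like standard RFC 5176 CoA/Disconnect requests (Request Authenticator = MD5 over the header, sixteen zero octets, the attributes and the shared key); the client table, the packet contents and the key "constructed-key" are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


# Constructed session-control client table (sample data, not device output).
# Modelled on the CLI example: radius session-control client ip 10.110.1.2 key simple 12345
@dataclass(frozen=True)
class SessionControlClient:
    ip: str
    vpn_instance: Optional[str]   # None = public network
    key: bytes


CLIENTS = {
    ("10.110.1.2", None): SessionControlClient("10.110.1.2", None, b"12345"),
    ("10.110.1.3", "vpn1"): SessionControlClient("10.110.1.3", "vpn1", b"constructed-key"),
}

DISCONNECT_REQUEST = 40   # RFC 5176 packet code


def match_client(src_ip: str, vpn_instance: Optional[str]) -> Optional[SessionControlClient]:
    """Match on (source IP address, VPN instance), as the usage guidelines describe."""
    return CLIENTS.get((src_ip, vpn_instance))


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def request_authenticator(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 5176 section 2.3 (assumed format, see lead-in):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build a request the way the server side would, so the check below has input."""
    auth = request_authenticator(code, identifier, attributes, secret)
    length = 20 + len(attributes)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + auth + attributes


def verify_request(packet: bytes, src_ip: str, vpn_instance: Optional[str]) -> Tuple[bool, str]:
    """Device-side validation: find the client by (IP, VPN), then check the authenticator
    with that client's shared key. Any failure means the packet is not acted on."""
    client = match_client(src_ip, vpn_instance)
    if client is None:
        return False, "no session-control client matches the source address"
    if len(packet) < 20:
        return False, "packet shorter than the RADIUS header"
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        return False, "Length field does not match the packet size"
    expected = request_authenticator(code, identifier, packet[20:], client.key)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "Request Authenticator mismatch (wrong key or altered packet)"
    return True, "ok"


# Constructed Disconnect-Request as the IMC server at 10.110.1.2 would send it.
SAMPLE_ATTRS = avp(1, b"user0001@test") + avp(44, b"0001A2B3")   # User-Name, Acct-Session-Id
SAMPLE_PACKET = build_request(DISCONNECT_REQUEST, 7, SAMPLE_ATTRS, b"12345")
```

The lookup key is the (address, VPN instance) pair rather than the address alone, which is why a client reachable through two VPN instances needs two entries, and why a packet from a known address but an unexpected VPN instance is rejected before any key is tried.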

Examples

# Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form.

<Sysname> system-view

[Sysname] radius session-control client ip 10.110.1.2 key simple 12345

Related commands

radius session-control enable

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to disable the RADIUS session-control feature.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An H3C IMC RADIUS server uses session-control packets to deliver dynamic authorization change requests or disconnection requests to the device. The session-control feature enables the device to receive the RADIUS session-control packets on UDP port 1812.

This feature must work with H3C IMC servers.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius source-ip

Use radius source-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius source-ip to remove the source IP address of the specified type for outgoing RADIUS packets.

Syntax

radius source-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius source-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No IP address is specified as the source IP address of outgoing RADIUS packets.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks the source IP address of the packet.

·     If the source IP address belongs to a managed NAS, the server processes the packet.

·     If the source IP address does not belong to a managed NAS, the server drops the packet.

As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address of outgoing RADIUS packets.

The device selects a source IP address for outgoing RADIUS packets in the following order:

1.     The source IP address specified by using the source-ip command in RADIUS scheme view.

2.     The source IP address specified by using the radius source-ip command in system view.

3.     The NAS IP address specified by using the nas-ip command in RADIUS scheme view.

4.     The NAS IP address specified by using the radius nas-ip command in system view.

5.     The IP address of the outbound interface for the outgoing RADIUS packets.

The source IP address specified in system view applies to all RADIUS schemes.

You can specify a maximum of 16 source IP addresses in system view, including:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Each VPN instance can have only one private-network source IPv4 address and one private-network source IPv6 address in system view.
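The address rules and the selection order from the radius nas-ip and radius source-ip usage guidelines, as an added example that is not part of this command reference or of H3C's code. The class names, the assumption that re-specifying an occupied slot replaces the earlier address, and all addresses used are constructed for illustration.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")


def is_valid_nas_ipv4(addr) -> bool:
    """IPv4 rules from the page: not 0.0.0.0, not 255.255.255.255,
    not class D (multicast, 224/4), not class E (240/4), not loopback."""
    ip = ipaddress.IPv4Address(addr)
    if ip in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")):
        return False
    return not (ip.is_multicast or ip in CLASS_E or ip.is_loopback)


def is_valid_nas_ipv6(addr) -> bool:
    """IPv6 rules from the page: a unicast address that is neither loopback nor link-local."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_multicast or ip.is_unspecified:   # not a unicast address
        return False
    return not (ip.is_loopback or ip.is_link_local)


class SystemViewAddressTable:
    """Addresses configured in system view (radius nas-ip or radius source-ip):
    at most 16 entries, one IPv4 and one IPv6 for the public network and for each VPN instance."""
    MAX_ENTRIES = 16

    def __init__(self):
        self._entries = {}   # (vpn_instance or None, ip version) -> address

    def add(self, address: str, vpn_instance: Optional[str] = None) -> IPAddr:
        ip = ipaddress.ip_address(address)
        valid = is_valid_nas_ipv4(ip) if ip.version == 4 else is_valid_nas_ipv6(ip)
        if not valid:
            raise ValueError(f"{address} is not allowed as a NAS/source IP address")
        slot = (vpn_instance, ip.version)
        if slot not in self._entries and len(self._entries) >= self.MAX_ENTRIES:
            raise ValueError("a maximum of 16 addresses can be specified in system view")
        self._entries[slot] = ip   # assumption: re-specifying a slot replaces the earlier address
        return ip

    def remove(self, address: str, vpn_instance: Optional[str] = None) -> bool:
        """The undo form: remove the address of the given type (version + VPN instance)."""
        ip = ipaddress.ip_address(address)
        slot = (vpn_instance, ip.version)
        if self._entries.get(slot) != ip:
            return False
        del self._entries[slot]
        return True

    def get(self, version: int, vpn_instance: Optional[str] = None) -> Optional[IPAddr]:
        return self._entries.get((vpn_instance, version))

    def __len__(self) -> int:
        return len(self._entries)


def select_source_ip(version: int, scheme_source_ip, system_source: SystemViewAddressTable,
                     scheme_nas_ip, system_nas: SystemViewAddressTable,
                     outbound_interface_ip, vpn_instance: Optional[str] = None) -> Optional[str]:
    """Source address selection for outgoing RADIUS packets, steps 1 to 5 of the usage guidelines.
    Scheme-view values are passed directly; system-view tables are looked up per VPN instance."""
    candidates = (
        scheme_source_ip,                           # 1. source-ip in RADIUS scheme view
        system_source.get(version, vpn_instance),   # 2. radius source-ip in system view
        scheme_nas_ip,                              # 3. nas-ip in RADIUS scheme view
        system_nas.get(version, vpn_instance),      # 4. radius nas-ip in system view
        outbound_interface_ip,                      # 5. address of the outbound interface
    )
    for candidate in candidates:
        if candidate is not None:
            return str(candidate)
    return None
```

Because the lookup is keyed by VPN instance, a packet sent inside a VPN instance that has no system-view entry falls through to the scheme NAS IP and finally to the outbound interface address, which is the case an operator most often sees when the RADIUS server rejects packets from an unexpected source.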

Examples

# Specify IP address 129.10.10.1 as the source IPv4 address of outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius source-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius nas-ip

source-ip (RADIUS scheme view)

radius stop-accounting-buffer cache

Use radius stop-accounting-buffer cache to set the maximum number of RADIUS stop-accounting packets that can be buffered.

Use undo radius stop-accounting-buffer cache to restore the default.

Syntax

radius stop-accounting-buffer cache max-packet-number

undo radius stop-accounting-buffer cache

Default

The device can buffer a maximum of 256000 stop-accounting packets.

Views

System view

Predefined user roles

network-admin

Parameters

max-packet-number: Sets the maximum number of RADIUS stop-accounting packets that can be buffered, in the range of 256 to 2147483647.

Usage guidelines

To reduce resource consumption caused by buffered RADIUS stop-accounting requests, use this command to limit the number of RADIUS stop-accounting requests that can be buffered.

On an unstable network where users might go offline concurrently within a short time, use this command as a best practice.

If the value you set is smaller than the number of buffered stop-accounting requests, this command will fail. In this case, you can manually clear buffered stop-accounting requests by using the reset stop-accounting-buffer command and try again. To display information about buffered RADIUS stop-accounting requests, use the display stop-accounting-buffer command.

Examples

# Set the maximum number to 9000 for RADIUS stop-accounting packets that can be buffered by the device.

<Sysname> system-view

[Sysname] radius stop-accounting-buffer cache 9000

Related commands

display stop-accounting-buffer (for RADIUS)

reset stop-accounting-buffer (for RADIUS)

stop-accounting-buffer enable (RADIUS scheme view)

radius stop-accounting-buffer overwrite-oldest

Use radius stop-accounting-buffer overwrite-oldest to configure the device to use a new stop-accounting request to overwrite the oldest one when the number of buffered stop-accounting requests reaches the upper limit or a minor memory alarm is generated.

Use undo radius stop-accounting-buffer overwrite-oldest to restore the default.

Syntax

radius stop-accounting-buffer { exceed | memory-minor-threshold } overwrite-oldest

undo radius stop-accounting-buffer { exceed | memory-minor-threshold } overwrite-oldest

Default

When the number of buffered stop-accounting requests reaches the upper limit, the device stops buffering new stop-accounting requests.

Views

System view

Predefined user roles

network-admin

Parameters

exceed: Overwrites the oldest buffered request when the number of buffered stop-accounting requests reaches the upper limit.

memory-minor-threshold: Overwrites the oldest buffered request when a minor memory alarm is generated.

Usage guidelines

When the number of buffered stop-accounting requests reaches the upper limit or a minor memory alarm is generated, the device processes new stop-accounting requests in one of the following ways:

·     Default mode—Stop buffering new stop-accounting requests. This method provides accurate accounting for users that go offline earlier.

·     Overwrite mode—Use a new stop-accounting request to overwrite the oldest one. This method provides accurate accounting for users that go offline later.

You can execute this command twice to enable the overwrite mode for both the upper limit exceeding and minor alarm generation events.

The maximum number of stop-accounting requests that can be buffered is configured by using the radius stop-accounting-buffer cache command. To view the memory alarm triggering and clearing thresholds, use the display memory-threshold command.

Examples

# Configure the device to use a new stop-accounting request to overwrite the oldest one when the number of buffered stop-accounting requests reaches the upper limit.

<Sysname> system-view

[Sysname] radius stop-accounting-buffer exceed overwrite-oldest

# Configure the device to use a new stop-accounting request to overwrite the oldest one when a minor memory alarm is generated.

<Sysname> system-view

[Sysname] radius stop-accounting-buffer memory-minor-threshold overwrite-oldest

Related commands

display memory-threshold (Fundamentals Command Reference)

radius stop-accounting-buffer cache

radius stop-accounting-buffer warning-threshold

Use radius stop-accounting-buffer warning-threshold to set the alarm triggering and clearing thresholds for stop-accounting request buffering.

Use undo radius stop-accounting-buffer warning-threshold to restore the default.

Syntax

radius stop-accounting-buffer warning-threshold upper upper-threshold lower lower-threshold

undo radius stop-accounting-buffer warning-threshold

Default

No threshold is configured for stop-accounting request buffering.

Views

System view

Predefined user roles

network-admin

Parameters

upper upper-threshold: Specifies the alarm triggering threshold in the range of 1 to 100 in percent.

lower lower-threshold: Specifies the alarm clearing threshold in the range of 0 to 99 in percent. If you set the threshold to 0, the system generates the alarm clearing notification only when no stop-accounting request is buffered.

Usage guidelines

Application scenarios

With the maximum number of stop-accounting requests that can be buffered specified, you can use this command for the system to send an alarm if the buffered requests are approaching the upper limit. If such an alarm is generated, verify the connectivity between the device and the RADIUS server.

Operating mechanism

After you enable SNMP notifications for RADIUS (snmp-agent trap enable radius), the system generates an alarm when the number of buffered stop-accounting requests reaches a certain percentage of the maximum number:

·     If the alarm triggering threshold (upper-threshold) is reached for the first time, or the proportion rises from a value below the alarm clearing threshold to the alarm triggering threshold or higher, a threshold-exceeding alarm is generated.

·     If the proportion drops below the alarm clearing threshold (lower-threshold) from a value higher than the alarm triggering threshold, an alarm removal notification is generated.

Recommended configuration

As a best practice, set the clearing threshold to a value 30 points lower than the triggering threshold.
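The buffer behaviour described under radius stop-accounting-buffer cache, radius stop-accounting-buffer overwrite-oldest and radius stop-accounting-buffer warning-threshold, as one added example that is not part of this command reference or of H3C's code. It models the buffer as a FIFO with the two overflow modes (default: stop buffering; overwrite-oldest for the exceed and memory-minor-threshold events) and the hysteresis alarm (trigger at upper, clear below lower, lower 0 clears only when the buffer is empty). The class name, the memory_minor_alarm flag and the notification tuples are constructed for illustration; the device's real SNMP notification contents are not given on this page.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class StopAccountingBuffer:
    """Model of the RADIUS stop-accounting request buffer (constructed, see lead-in).

    cache_max                  radius stop-accounting-buffer cache (256 to 2147483647, default 256000)
    overwrite_on_exceed        radius stop-accounting-buffer exceed overwrite-oldest
    overwrite_on_memory_minor  radius stop-accounting-buffer memory-minor-threshold overwrite-oldest
    upper / lower              radius stop-accounting-buffer warning-threshold upper N lower M (percent)
    """

    def __init__(self, cache_max: int = 256000, overwrite_on_exceed: bool = False,
                 overwrite_on_memory_minor: bool = False,
                 upper: Optional[int] = None, lower: Optional[int] = None):
        if not 256 <= cache_max <= 2147483647:
            raise ValueError("cache size must be in the range of 256 to 2147483647")
        if upper is not None and not (1 <= upper <= 100 and lower is not None and 0 <= lower <= 99):
            raise ValueError("upper must be 1 to 100 and lower 0 to 99 (percent)")
        self.cache_max = cache_max
        self.overwrite_on_exceed = overwrite_on_exceed
        self.overwrite_on_memory_minor = overwrite_on_memory_minor
        self.upper, self.lower = upper, lower
        self.requests: Deque = deque()
        self.alarm_raised = False
        self.notifications: List[Tuple[str, int]] = []   # (event, buffered count) the device would emit
        self.dropped = 0
        self.overwritten = 0

    def fill_percent(self) -> float:
        return 100.0 * len(self.requests) / self.cache_max

    def _check_threshold(self) -> None:
        """Hysteresis: one exceed notification per crossing of upper, cleared only below lower."""
        if self.upper is None:
            return
        pct = self.fill_percent()
        if not self.alarm_raised and pct >= self.upper:
            self.alarm_raised = True
            self.notifications.append(("threshold-exceeded", len(self.requests)))
        elif self.alarm_raised:
            # lower == 0 clears only when nothing is buffered (edge case stated on the page)
            cleared = len(self.requests) == 0 if self.lower == 0 else pct < self.lower
            if cleared:
                self.alarm_raised = False
                self.notifications.append(("alarm-cleared", len(self.requests)))

    def buffer_request(self, request, memory_minor_alarm: bool = False) -> bool:
        """Buffer a stop-accounting request that got no response. Returns False if discarded."""
        full = len(self.requests) >= self.cache_max
        if full and not self.overwrite_on_exceed:
            self.dropped += 1          # default mode: stop buffering new requests
            return False
        if memory_minor_alarm and not self.overwrite_on_memory_minor:
            self.dropped += 1
            return False
        if (full or memory_minor_alarm) and self.requests:
            self.requests.popleft()    # overwrite mode: newest request replaces the oldest
            self.overwritten += 1
        self.requests.append(request)
        self._check_threshold()
        return True

    def acknowledge(self, count: int = 1) -> int:
        """The server answered: the oldest `count` buffered requests are done."""
        removed = 0
        while self.requests and removed < count:
            self.requests.popleft()
            removed += 1
        self._check_threshold()
        return removed

    def set_cache_max(self, new_max: int) -> bool:
        """radius stop-accounting-buffer cache: fails if smaller than what is already buffered."""
        if not 256 <= new_max <= 2147483647:
            raise ValueError("cache size must be in the range of 256 to 2147483647")
        if new_max < len(self.requests):
            return False
        self.cache_max = new_max
        self._check_threshold()
        return True
```

The page's recommended 30-point gap between the thresholds is what keeps the alarm from flapping: with upper 90 and lower 50, a buffer oscillating between 85 and 95 percent raises one notification rather than one per crossing.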

Examples

# Set the alarm triggering threshold to 90 and the alarm clearing threshold to 50.

<Sysname> system-view

[Sysname] radius stop-accounting-buffer warning-threshold upper 90 lower 50

Related commands

snmp-agent trap enable radius

radius trap-version

Use radius trap-version to set the version of RADIUS server status change MIB nodes.

Use undo radius trap-version to restore the default.

Syntax

radius trap-version { v1 | v2 } [ accounting-server-down | accounting-server-up | authentication-server-down | authentication-server-up ] *

undo radius trap-version { v1 | v2 } [ accounting-server-down | accounting-server-up | authentication-server-down | authentication-server-up ] *

Default

The device sends notifications about RADIUS server status change MIB nodes over SNMPv1.

Views

System view

Predefined user roles

network-admin

Parameters

v1: Specifies SNMPv1.

v2: Specifies SNMPv2.

accounting-server-down: Specifies the MIB node of RADIUS accounting server down notifications.

accounting-server-up: Specifies the MIB node of RADIUS accounting server up notifications.

authentication-server-down: Specifies the MIB node of RADIUS authentication server down notifications.

authentication-server-up: Specifies the MIB node of RADIUS authentication server up notifications.

Usage guidelines

Make sure the RADIUS server status change notifications sent by the device can be recognized by the NMS. Choose a MIB node version depending on the NMS requirements.

Table 22 RADIUS server status change MIB nodes (SNMPv1)

MIB node                        OID
hh3cRadiusAuthServerUpTrap      1.3.6.1.4.1.25506.2.13.3.0.1
hh3cRadiusAccServerUpTrap       1.3.6.1.4.1.25506.2.13.3.0.2
hh3cRadiusAuthServerDownTrap    1.3.6.1.4.1.25506.2.13.3.1
hh3cRadiusAccServerDownTrap     1.3.6.1.4.1.25506.2.13.3.2

Table 23 RADIUS server status change MIB nodes (SNMPv2)

MIB node                                  OID
hh3cRadiusAuthenticationServerUpTrap      1.3.6.1.4.1.25506.2.13.3.0.4
hh3cRadiusAccountingServerUpTrap          1.3.6.1.4.1.25506.2.13.3.0.5
hh3cRadiusAuthenticationServerDownTrap    1.3.6.1.4.1.25506.2.13.3.0.6
hh3cRadiusAccountingServerDownTrap        1.3.6.1.4.1.25506.2.13.3.0.7

If you do not specify any RADIUS server status change MIB nodes, this command sets a version for all types of RADIUS server status change MIB nodes.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the MIB node version to SNMPv2 for the MIB node of RADIUS accounting server down notifications.

<Sysname> system-view

[Sysname] radius trap-version v2 accounting-server-down

Related commands

snmp-agent trap enable radius

radius-server authen-state-check interval

Use radius-server authen-state-check interval to set the interval at which the device detects the status of RADIUS authentication servers.

Use undo radius-server authen-state-check interval to restore the default.

Syntax

radius-server authen-state-check interval interval

undo radius-server authen-state-check interval

Default

The device detects the status of RADIUS authentication servers at intervals of 10 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Sets the detection interval, in minutes. The value range is 1 to 120.

Usage guidelines

This command takes effect only on IPoE and PPPoE users.

The device detects the status of RADIUS authentication servers in each RADIUS scheme at intervals as configured. It notifies access modules to remove users that use a RADIUS scheme from the critical domain when that RADIUS scheme has reachable RADIUS servers.

If the device cannot detect the status changes of RADIUS authentication servers in time, it cannot timely change server status or handle users. The following situations exist:

·     When RADIUS server status detection is enabled, an overly long detection interval might cause the device to keep recording a RADIUS server as active after the server has become unavailable, even though users are being assigned to the critical domain.

·     When RADIUS server status detection is disabled, the device assigns a user to the critical domain if it has not received any responses from a RADIUS server for the user before the server response timeout time expires. However, if the device has received authentication responses from that server for other users during the server response timeout period, the device does not set the state of that server to blocked. If the server is always available for subsequent users, the device always records that server active.

In the above situations, the device cannot remove users in the critical domain from the critical domain after the RADIUS server becomes available. To resolve the issue, use this command to set an appropriate interval for the device to detect the status of RADIUS authentication servers.

An overly short detection interval consumes system resources that access services need. An overly long detection interval cannot detect server status changes in time.

As a best practice, consider the processing efficiency for access services and the accuracy for fail-permit and recovery when a large number of users come online in a short time.

Examples

# Configure the device to detect the status of RADIUS authentication servers at intervals of 2 minutes.

<Sysname> system-view

[Sysname] radius-server authen-state-check interval 2

Related commands

authen-radius-unavailable online domain

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ interval [ second ] interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

interval: Specifies the server status detection interval. The default value is 60 minutes.

second: Uses second as the unit of the server status detection interval. If you do not specify this keyword, minute is used as the interval unit.

interval: Specifies the server status detection interval. If the interval unit is minute, the value range for this argument is 1 to 3600. If the interval unit is second, the value range for this argument is 10 to 216000.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection. The detection packet uses admin as the username and is sent every 10 minutes.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin interval 10

Related commands

primary authentication (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

reset radius server-load statistics

Use reset radius server-load statistics to clear history authentication and accounting load statistics for all RADIUS servers.

Syntax

reset radius server-load statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command does not clear authentication and accounting load statistics in the last 5 seconds.

Examples

# Clear history authentication and accounting load statistics for all RADIUS servers.

<Sysname> reset radius server-load statistics

Related commands

display radius server-load statistics

reset radius statistics

Use reset radius statistics to clear RADIUS packet statistics.

Syntax

reset radius statistics [ server { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] { accounting | authentication } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a RADIUS server.

ip ipv4-address: Specifies the IPv4 address of the RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of the RADIUS server.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

port port-number: Specifies the service port number of the RADIUS server. The value range for the UDP port number is 1 to 65535. The default authentication port number is 1812 and the default accounting port number is 1813.

accounting: Specifies the RADIUS accounting packet statistics.

authentication: Specifies the RADIUS authentication packet statistics.

Usage guidelines

Use this command to clear statistics about RADIUS packets exchanged between the device and RADIUS servers, including authentication packets, accounting packets, DAE packets, and session-control packets.

If you do not specify any parameters, this command clears statistics about all types of RADIUS packets exchanged between the device and all RADIUS servers.

To obtain RADIUS packet statistics in a period, first use the reset radius statistics command to clear RADIUS packet statistics. After a period of time, use the display radius statistics command to display RADIUS packet statistics.

If you specify a RADIUS server, this command clears statistics about RADIUS authentication or accounting packets exchanged between the device and the specified RADIUS server. However, the clear operation does not reduce the overall statistics in the output from the display radius statistics command.

Examples

# Clear all RADIUS packet statistics.

<Sysname> reset radius statistics

# Clear RADIUS accounting packet statistics for the RADIUS server at 1.1.1.1 with accounting port 1813.

<Sysname> reset radius statistics server ip 1.1.1.1 port 1813 accounting

Related commands

display radius statistics

reset stop-accounting-buffer (for RADIUS)

Use reset stop-accounting-buffer to clear buffered RADIUS stop-accounting requests to which no responses have been received.

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time end-time | user-name user-name }

Views

User view

Predefined user roles

network-admin

Parameters

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

session-id session-id: Specifies a session by its ID. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online user for a RADIUS scheme.

time-range start-time end-time: Specifies a time range. The start time and end time must be in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Specifies a user by its name, a case-sensitive string of 1 to 255 characters. Whether the user-name argument should include the domain name depends on the setting configured by using the user-name-format command for the RADIUS scheme.

Examples

# Clear nonresponded RADIUS stop-accounting requests buffered for user user0001@test.

<Sysname> reset stop-accounting-buffer user-name user0001@test

# Clear nonresponded RADIUS stop-accounting requests buffered from 0:0:0 to 23:59:59 on May 31, 2019.

<Sysname> reset stop-accounting-buffer time-range 00:00:00-05/31/2019 23:59:59-05/31/2019

Related commands

display stop-accounting-buffer (for RADIUS)

stop-accounting-buffer enable (RADIUS scheme view)

response-pending-limit

Use response-pending-limit to set the maximum number of pending RADIUS requests (requests for which no responses are received from the RADIUS server).

Use undo response-pending-limit to cancel the maximum number configuration for the specified type of pending RADIUS requests.

Syntax

response-pending-limit { accounting | authentication } max-number

undo response-pending-limit { accounting | authentication }

Default

The number of pending RADIUS requests is not restricted.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies pending RADIUS accounting requests.

authentication: Specifies pending RADIUS authentication requests.

max-number: Specifies the maximum number of pending RADIUS requests, in the range of 1 to 255.

Usage guidelines

This command controls the rate of RADIUS requests that are sent to the RADIUS server. Use this command if the RADIUS server has a limited performance and cannot concurrently process too many RADIUS requests.

The device has two types of pending packet counters, one for the RADIUS authentication server and the other for the RADIUS accounting server. A pending packet counter is used to record the number of sent RADIUS requests for which no responses are received from the RADIUS server. The maximum value of a pending packet counter is determined by this command.

If you set the maximum number of pending authentication or accounting requests, a pending packet counter will be started for the RADIUS authentication or accounting server.

1.     The device starts a pending packet counter for a RADIUS authentication or accounting server after sending the first authentication or accounting request to the server.

2.     The device keeps sending the corresponding type of requests to the server before the counter reaches the maximum value. The number of requests that can be sent to the server is the difference between the counter value and the maximum number.

The counter increases by 1 each time the device sends a corresponding request.

The counter decreases by 1 each time the device receives a response from the server or the response timeout timer for a request expires.

3.     The device buffers the subsequent requests when the counter reaches the maximum value.

If the value of the counter falls below the maximum value, the device sends the buffered requests in the sequence the requests are buffered.

If you cancel this configuration, the number of pending RADIUS authentication or accounting requests is not restricted.

The device can control the access rate only for PPP, IPoE, and LAN users.

The user data is saved to the cards through which the users access the device. This configuration takes effect on a card basis.
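The following Python model of the pending packet counter is an added example and not H3C code. It assumes one counter per server type, a FIFO buffer for requests that arrive while the counter equals max-number, and release of buffered requests in arrival order whenever a response or a response-timeout expiry decrements the counter, as the guidelines above describe.

```python
"""Model of the per-server pending packet counter set by response-pending-limit.

Added example (not H3C code). A counter tracks sent requests without a response;
requests submitted while the counter equals max-number are buffered and later
sent in the order they were buffered.
"""
from collections import deque


class PendingLimiter:
    """Tracks outstanding RADIUS requests for one server (authentication or accounting)."""

    def __init__(self, max_number=None):
        # max_number None models the default: pending requests are not restricted.
        if max_number is not None and not 1 <= max_number <= 255:
            raise ValueError("max-number must be in the range 1 to 255")
        self.max_number = max_number
        self.pending = 0        # the pending packet counter
        self.buffer = deque()   # requests held back while the counter is at max-number
        self.sent = []          # order in which requests actually went to the server

    def available(self):
        """Requests that may still be sent: max-number minus the counter value."""
        if self.max_number is None:
            return None
        return self.max_number - self.pending

    def submit(self, request_id):
        """Send a request now if the counter is below max-number, otherwise buffer it."""
        if self.max_number is not None and self.pending >= self.max_number:
            self.buffer.append(request_id)
            return "buffered"
        self._send(request_id)
        return "sent"

    def _send(self, request_id):
        self.sent.append(request_id)
        self.pending += 1       # counter increases by 1 per request sent

    def on_response_or_timeout(self):
        """A server response or an expired response-timeout timer frees one slot."""
        if self.pending == 0:
            return
        self.pending -= 1       # counter decreases by 1
        # The counter is now below max-number: release buffered requests FIFO.
        if self.buffer:
            self._send(self.buffer.popleft())


def simulate(max_number, submissions, completions):
    """Submit requests in order, then process `completions` responses/timeouts.

    Returns (send order, requests still buffered, final counter value).
    """
    limiter = PendingLimiter(max_number)
    for request_id in submissions:
        limiter.submit(request_id)
    for _ in range(completions):
        limiter.on_response_or_timeout()
    return limiter.sent, list(limiter.buffer), limiter.pending


if __name__ == "__main__":
    # Constructed run: limit 2, four requests, one response from the server.
    print(simulate(2, ["r1", "r2", "r3", "r4"], 1))  # (['r1', 'r2', 'r3'], ['r4'], 2)
```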

Examples

# In RADIUS scheme radius1, set the maximum number of pending RADIUS authentication requests to 100.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] response-pending-limit authentication 100

Related commands

display radius scheme

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retries

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

If the device does not receive a response to its request from the RADIUS server within the response timeout period, the device retransmits the RADIUS request. To set the response timeout period, use the timer response-timeout command.

If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the product of the following items cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS authentication servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the maximum number of RADIUS packet transmission attempts to 5.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

radius scheme

timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retries

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server considers the accounting attempt a failure and then decides whether to cut the user connection based on the accounting update failure policy (configured by using accounting update-fail).

To work with the RADIUS server, the NAS needs to send real-time accounting requests to the server before the timer on the server expires and to keep pace with the server in disconnecting the user when a failure occurs. The NAS disconnects from a user according to the maximum number of accounting attempts and specific parameters.

For example, for a LAN user, the following conditions exist:

·     The RADIUS server response timeout period is 3 seconds (set by using the timer response-timeout command).

·     The maximum number of RADIUS packet transmission attempts is 3 (set by using the retry command).

·     The real-time accounting interval is 12 minutes (set by using the timer realtime-accounting command).

·     The maximum number of accounting attempts is 5 (set by using the retry realtime-accounting command).

In the above case, the device generates an accounting request every 12 minutes, and retransmits the request if it receives no response within 3 seconds of sending it. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure and makes another accounting attempt. If five consecutive accounting attempts fail, the device considers that real-time accounting has failed.

Examples

# In RADIUS scheme radius1, set the maximum number of accounting attempts to 10.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

accounting update-fail

retry

timer realtime-accounting (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

retry stop-accounting (RADIUS scheme view)

Use retry stop-accounting to set the maximum number of transmission attempts for individual RADIUS stop-accounting requests.

Use undo retry stop-accounting to restore the default.

Syntax

retry stop-accounting retries

undo retry stop-accounting

Default

The maximum number of transmission attempts is 500 for individual RADIUS stop-accounting requests.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of transmission attempts. The value range is 10 to 65535.

Usage guidelines

The maximum number of stop-accounting request transmission attempts controls the transmission of stop-accounting requests together with the following parameters:

·     RADIUS server response timeout timer (set by using the timer response-timeout command).

·     Maximum number of times to transmit a RADIUS packet per round (set by using the retry command).

For example, the following settings exist:

·     The RADIUS server response timeout timer is 3 seconds.

·     The maximum number of times to transmit a RADIUS packet per round is five.

·     The maximum number of stop-accounting request transmission attempts is 20.

A stop-accounting request is retransmitted if the device does not receive a response within 3 seconds. When all five transmission attempts in this round are used, the device buffers the request and starts another round of retransmission. If 20 consecutive rounds of attempts fail, the device discards the request.
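The following Python calculator is an added example, not H3C code, covering the three retry commands above (retry, retry realtime-accounting and retry stop-accounting). It assumes that every transmission waits one full response timeout, that retry stop-accounting counts rounds as in the worked example above, and it ignores processing time between rounds.

```python
"""Timer budget calculator for the retry family of RADIUS scheme commands.

Added example (not H3C code). Each transmission waits one response-timeout;
per-server attempts multiplied by the number of servers must fit the client
timeout; a new server is not tried once 300 seconds have elapsed; a
stop-accounting request is discarded after the configured number of rounds.
"""

SERVER_SWITCH_CAP_SECONDS = 300  # the device stops moving to the next server here


def authentication_budget(retries, response_timeout, server_count):
    """Worst-case time to exhaust the authentication servers with no response.

    Returns (servers_tried, total_seconds). Before sending to each new server
    the elapsed time is compared with the 300 s cap described for retry.
    """
    if not 1 <= retries <= 20:
        raise ValueError("retry retries must be in the range 1 to 20")
    per_server = retries * response_timeout
    elapsed = 0
    servers_tried = 0
    for _ in range(server_count):
        if servers_tried > 0 and elapsed >= SERVER_SWITCH_CAP_SECONDS:
            break  # 300 s already spent: do not try the next server
        elapsed += per_server
        servers_tried += 1
    return servers_tried, elapsed


def fits_client_timeout(retries, response_timeout, server_count, client_timeout):
    """retries x response-timeout x servers must not exceed the client timeout."""
    return retries * response_timeout * server_count <= client_timeout


def realtime_accounting_failure_seconds(interval_minutes, response_timeout,
                                        retries, accounting_retries):
    """Seconds from the first unanswered real-time accounting request until
    the device treats real-time accounting as failed.

    One accounting attempt is `retries` transmissions of one response-timeout
    each; attempts are spaced by the real-time accounting interval and
    `accounting_retries` consecutive failures are required.
    """
    if not 1 <= accounting_retries <= 255:
        raise ValueError("retry realtime-accounting retries must be 1 to 255")
    attempt_seconds = retries * response_timeout
    return (accounting_retries - 1) * interval_minutes * 60 + attempt_seconds


def stop_accounting_budget(retries, response_timeout, stop_accounting_retries):
    """Transmissions and seconds before a stop-accounting request is discarded.

    One round is `retries` transmissions; after a failed round the request is
    buffered and retried, for `stop_accounting_retries` consecutive rounds.
    """
    if not 10 <= stop_accounting_retries <= 65535:
        raise ValueError("retry stop-accounting retries must be 10 to 65535")
    transmissions = retries * stop_accounting_retries
    return transmissions, transmissions * response_timeout


if __name__ == "__main__":
    # Constructed values matching the worked examples on the page.
    print(authentication_budget(3, 3, 2))                    # (2, 18)
    print(fits_client_timeout(3, 3, 2, 30))                  # True
    print(realtime_accounting_failure_seconds(12, 3, 3, 5))  # 2889
    print(stop_accounting_budget(5, 3, 20))                  # (100, 300)
```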

Examples

# Set the maximum number of stop-accounting request transmission attempts to 1000 for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

Related commands

display stop-accounting-buffer (for RADIUS)

retry

timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS accounting servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process accounting requests.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for accounting.

·     When the RADIUS server load sharing feature is enabled, the device returns an accounting failure message rather than searching for another active accounting server.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# In RADIUS scheme radius2, specify two secondary accounting servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

display radius scheme

key (RADIUS scheme view)

primary accounting (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name | weight weight-value ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS authentication servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

weight weight-value: Specifies a weight value for the RADIUS server. The value range for the weight-value argument is 0 to 100, and the default value is 0. The value 0 indicates that the RADIUS server will not be used for load sharing. This option takes effect only when the RADIUS server load sharing feature is enabled for the RADIUS scheme. A larger weight value represents a higher capacity to process authentication requests.

Usage guidelines

Make sure the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

The server status detection is triggered for a server if the specified test profile exists on the device.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out.

·     When the RADIUS server load sharing feature is disabled, the device tries to communicate with an active server that has the highest priority for authentication.

·     When the RADIUS server load sharing feature is enabled, the device performs the following operations:

a.     Checks the weight value and number of currently served users for each active server.

b.     Determines the most appropriate server in performance to receive an AAA request.

Examples

# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# In RADIUS scheme radius2, specify two secondary authentication servers with IP addresses 10.110.1.1 and 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

display radius scheme

key (RADIUS scheme view)

primary authentication (RADIUS scheme view)

radius-server test-profile

vpn-instance (RADIUS scheme view)

server-block-action

Use server-block-action to specify the action to take for AAA requests if all servers in a RADIUS scheme are blocked.

Use undo server-block-action to restore the default.

Syntax

server-block-action { attempt | skip }

undo server-block-action

Default

The device attempts to connect to the server with the highest priority in a RADIUS scheme upon receiving AAA requests if all servers in the scheme are blocked.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

attempt: Attempts to connect to a server (except for servers set in block state manually) in the scheme.

skip: Skips all servers in the scheme and turns to the backup method.

Usage guidelines

The attempt action gives the device a chance to use the scheme in case the server with the highest priority in the scheme might be available. However, the attempt to communicate with an unavailable server increases the response time for AAA requests. As a best practice, specify the skip action in scenarios that require quick responses to AAA requests.

When processing an AAA request, the device does not turn back to a skipped scheme even though the state of the servers in the scheme changes from blocked to active.

Examples

# In RADIUS scheme radius1, configure the device to skip all servers in the scheme upon receiving AAA requests if all servers in the scheme are blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-block-action skip

Related commands

display radius scheme

retry

timer response-timeout (RADIUS scheme view)

server-load-sharing enable

Use server-load-sharing enable to enable the RADIUS server load sharing feature.

Use undo server-load-sharing enable to disable the RADIUS server load sharing feature.

Syntax

server-load-sharing enable

undo server-load-sharing enable

Default

The RADIUS server load sharing feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Use the RADIUS server load sharing feature to dynamically distribute the workload over multiple servers regardless of their server roles. The device forwards an AAA request to the most appropriate server of all active servers in the scheme after it compares the weight values and number of currently served users. Specify a weight value for each RADIUS server based on the AAA capacity of the server. A larger weight value indicates a higher AAA capacity.

In RADIUS server load sharing, once the device sends a start-accounting request to a server for a user, it forwards all subsequent accounting requests of the user to the same server. If the accounting server is unreachable, the device returns an accounting failure message rather than searching for another active accounting server.

Examples

# Enable the RADIUS server load sharing feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-load-sharing enable

Related commands

display radius server-load statistics

primary authentication (RADIUS scheme view)

primary accounting (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

server-load-sharing mode

server-load-sharing mode

Use server-load-sharing mode to specify the RADIUS authentication server load sharing mode.

Use undo server-load-sharing mode to restore the default.

Syntax

server-load-sharing mode { packet-based | session-based }

undo server-load-sharing mode

Default

The RADIUS authentication server load sharing mode is session-based.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

packet-based: Specifies the packet-based mode.

session-based: Specifies the session-based mode.

Usage guidelines

The RADIUS authentication server load sharing mode controls the workload distribution only for RADIUS authentication servers.

This command takes effect only when the RADIUS server load sharing feature is enabled.

When the RADIUS server load sharing feature is enabled for a RADIUS scheme, the device supports the following modes to distribute workload to authentication servers in the scheme:

·     Session-based mode—The device forwards a RADIUS authentication request to the most appropriate server among all active servers in the scheme after it compares their weights and number of concurrent active sessions.

Each time the device sends an authentication request to a server, the number of concurrent sessions to that server increases by one. Each time the device receives an authentication response from a server, the number of concurrent sessions to that server decreases by one.

This mode is applicable if the number of concurrent sessions on the network is large and the servers have similar performance.

·     Packet-based mode—The device forwards a RADIUS authentication request to the most appropriate server among all active servers in the scheme after it compares their weights and number of received authentication requests.

Each time the device sends an authentication request to a server, the number of received packets to that server increases by one.

To evenly distribute authentication requests to all active servers in the scheme, specify the packet-based RADIUS server load sharing mode.
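The following Python simulation of the two load sharing modes is an added example, not H3C code. The page does not give the exact selection rule, so the rule used here is an assumption: among active servers with a non-zero weight, the server with the lowest load-to-weight ratio is chosen, with ties going to the first configured server; session-based load is the concurrent session count, packet-based load is the count of requests sent.

```python
"""Simulation of the RADIUS authentication server load sharing modes.

Added example (not H3C code). Selection rule is an assumption: the candidate
with the lowest load/weight ratio wins, ties favouring configuration order.
Session-based load rises on each request and falls on each response;
packet-based load only rises.
"""


class RadiusServer:
    def __init__(self, name, weight, active=True):
        if not 0 <= weight <= 100:
            raise ValueError("weight must be in the range 0 to 100")
        self.name = name
        self.weight = weight
        self.active = active
        self.sessions = 0  # concurrent sessions (session-based counter)
        self.packets = 0   # authentication requests sent (packet-based counter)


class LoadSharer:
    def __init__(self, servers, mode="session-based"):
        if mode not in ("session-based", "packet-based"):
            raise ValueError("mode must be session-based or packet-based")
        self.servers = servers
        self.mode = mode
        self.outstanding = {}  # request id -> server handling it

    def _load(self, server):
        return server.sessions if self.mode == "session-based" else server.packets

    def select(self):
        """Most appropriate active server, or None if no server can share load."""
        candidates = [s for s in self.servers if s.active and s.weight > 0]
        if not candidates:
            return None
        # min() is stable, so an equal ratio favours the earlier configured server.
        return min(candidates, key=lambda s: self._load(s) / s.weight)

    def send(self, request_id):
        server = self.select()
        if server is None:
            return None
        server.sessions += 1
        server.packets += 1
        self.outstanding[request_id] = server
        return server.name

    def receive(self, request_id):
        """A response arrives: only the session-based counter goes back down."""
        server = self.outstanding.pop(request_id)
        server.sessions -= 1
        return server.name


def simulate(mode, server_specs, events):
    """Replay ("send", id) / ("response", id) events; return the server per send.

    server_specs is a list of (name, weight) pairs in configuration order.
    """
    sharer = LoadSharer([RadiusServer(n, w) for n, w in server_specs], mode)
    chosen = []
    for kind, request_id in events:
        if kind == "send":
            chosen.append(sharer.send(request_id))
        elif kind == "response":
            sharer.receive(request_id)
        else:
            raise ValueError(f"unknown event {kind}")
    return chosen


# Constructed scenario: each request is answered before the next one is sent.
EVENTS = [("send", "r1"), ("response", "r1"),
          ("send", "r2"), ("response", "r2"),
          ("send", "r3")]

if __name__ == "__main__":
    two_equal = [("A", 1), ("B", 1)]
    print(simulate("session-based", two_equal, EVENTS))  # ['A', 'A', 'A']
    print(simulate("packet-based", two_equal, EVENTS))   # ['A', 'B', 'A']
```

With equal weights and fast responses, session-based mode keeps choosing the server whose sessions have already drained, while packet-based mode alternates, which is the even distribution the guidelines describe.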

Examples

# Specify the packet-based RADIUS authentication server load sharing mode for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] server-load-sharing mode packet-based

Related commands

server-load-sharing enable

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-cache-discard | accounting-cache-lower-threshold | accounting-cache-upper-threshold | accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-cache-discard | accounting-cache-lower-threshold | accounting-cache-upper-threshold | accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All RADIUS SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

accounting-cache-discard: Sends notifications when the device generates a minor memory alarm and discards stop-accounting requests.

accounting-cache-lower-threshold: Sends alarms when the proportion of buffered stop-accounting requests reaches the alarm clearing threshold.

accounting-cache-upper-threshold: Sends alarms when the proportion of buffered stop-accounting requests reaches the alarm triggering threshold.

accounting-server-down: Sends notifications when the RADIUS accounting server becomes unreachable.

accounting-server-up: Sends notifications when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Sends notifications when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Sends notifications when the RADIUS authentication server becomes unreachable.

authentication-server-up: Sends notifications when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the device supports the following notifications generated by RADIUS:

·     Minor memory alarm notification—A minor memory alarm is generated and the system starts to discard buffered stop-accounting requests or requests to be buffered.

·     Notification for the stop-accounting request buffer approaching its upper limit—The number of buffered stop-accounting requests reaches a certain percentage of the maximum number. The alarm triggering threshold and alarm clearing threshold are configured by using the radius accounting cache-warning-threshold command.

·     RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it cannot receive any response to an accounting or authentication request within the specified RADIUS request transmission attempts.

·     RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—RADIUS generates this notification when the ratio of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the device to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

Related commands

radius accounting cache-warning-threshold

source-ip

Use source-ip to specify a source IP address for outgoing RADIUS packets.

Use undo source-ip to remove the source IP address of the specified type for outgoing RADIUS packets.

Syntax

source-ip { ipv4-address | ipv6 ipv6-address }

undo source-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius source-ip command in system view.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks the source IP address of the packet.

·     If the source IP address belongs to a managed NAS, the server processes the packet.

·     If the source IP address does not belong to a managed NAS, the server drops the packet.

As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address of outgoing RADIUS packets.

The device selects a source IP address for outgoing RADIUS packets in the following order:

1.     The source IP address specified by using the source-ip command in RADIUS scheme view.

2.     The source IP address specified by using the radius source-ip command in system view.

3.     The NAS IP address specified by using the nas-ip command in RADIUS scheme view.

4.     The NAS IP address specified by using the radius nas-ip command in system view.

5.     The IP address of the outbound interface for the outgoing RADIUS packets.

A RADIUS scheme can have only one source IPv4 address and one source IPv6 address for outgoing RADIUS packets.

If you do not specify the ipv6 keyword for the undo source-ip command, the command removes the configured source IPv4 address for outgoing RADIUS packets.

Examples

# In RADIUS scheme radius1, specify IP address 10.1.1.1 as the source IPv4 address of outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] source-ip 10.1.1.1

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

radius nas-ip

radius source-ip

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

A primary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the primary RADIUS accounting server.

authentication: Specifies the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

When the RADIUS server load sharing feature is disabled, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the RADIUS server load sharing feature is enabled and active servers exist, the device checks the workload on each active server, and then selects the most appropriate server in performance for communication.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the status of the primary authentication server to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

display radius scheme

radius-server test-profile

server-load-sharing enable

state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

A secondary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies a secondary RADIUS accounting server.

authentication: Specifies a secondary RADIUS authentication server.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

When the RADIUS server load sharing feature is enabled and active servers exist, the device checks the workload on each active server and selects the best-performing one for communication.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.
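The state transitions described in the usage guidelines for state primary and state secondary (blocking on an unanswered server, the quiet timer, manual blocking that survives timer expiry, and the primary-then-secondaries selection order) are easier to reason about as a small model. The following is an added Python example, not code from the H3C device; the class and method names are assumptions, and load sharing is assumed to be disabled.

```python
# RADIUS server state handling as described in the state primary / state secondary
# usage guidelines. Added illustration, not code from the H3C device; the class and
# method names are assumptions. Load sharing is assumed to be disabled.
from dataclasses import dataclass, field
from typing import List, Optional

ACTIVE, BLOCKED = "active", "blocked"


@dataclass
class RadiusServer:
    address: str
    role: str                            # "primary" or "secondary"
    state: str = ACTIVE
    quiet_until: Optional[float] = None  # epoch seconds at which the quiet timer expires
    manually_blocked: bool = False       # set by 'state ... block', cleared by 'state ... active'


@dataclass
class RadiusScheme:
    name: str
    quiet_minutes: int = 5               # 'timer quiet' default
    servers: List[RadiusServer] = field(default_factory=list)

    def set_state(self, server: RadiusServer, new_state: str) -> None:
        """Operator action: 'state primary|secondary ... { active | block }'."""
        if new_state == BLOCKED:
            server.state = BLOCKED
            server.manually_blocked = True   # quiet-timer expiry must not undo this
        else:
            server.state = ACTIVE
            server.manually_blocked = False
            server.quiet_until = None

    def mark_unreachable(self, server: RadiusServer, now: float) -> None:
        """Device reaction to an unanswered active server: block it and start its quiet timer."""
        if server.state == ACTIVE:
            server.state = BLOCKED
            server.quiet_until = now + self.quiet_minutes * 60

    def tick(self, now: float) -> None:
        """Quiet-timer expiry returns a server to active unless an operator blocked it meanwhile."""
        for s in self.servers:
            if s.state == BLOCKED and s.quiet_until is not None and now >= s.quiet_until:
                s.quiet_until = None
                if not s.manually_blocked:
                    s.state = ACTIVE

    def select(self) -> Optional[RadiusServer]:
        """Primary first, then secondaries in configured order; None means the attempt fails."""
        for role in ("primary", "secondary"):
            for s in self.servers:
                if s.role == role and s.state == ACTIVE:
                    return s
        return None


def walkthrough() -> List[tuple]:
    """Constructed scenario: one primary plus two secondaries, 5-minute quiet timer."""
    scheme = RadiusScheme("radius1", servers=[
        RadiusServer("10.1.1.1", "primary"),
        RadiusServer("10.1.1.2", "secondary"),
        RadiusServer("10.1.1.3", "secondary"),
    ])
    primary, sec1, _ = scheme.servers
    trail = [("initial", scheme.select().address)]
    scheme.mark_unreachable(primary, now=0)
    trail.append(("primary unreachable", scheme.select().address))
    scheme.mark_unreachable(sec1, now=10)
    trail.append(("first secondary unreachable", scheme.select().address))
    scheme.tick(now=299)
    trail.append(("before primary quiet timer expires", scheme.select().address))
    scheme.tick(now=300)
    trail.append(("primary quiet timer expired", scheme.select().address))
    scheme.set_state(primary, BLOCKED)   # operator blocks it again
    scheme.tick(now=10_000)              # no timer will reactivate it now
    trail.append(("primary manually blocked", scheme.select().address))
    scheme.set_state(primary, ACTIVE)
    trail.append(("primary manually reactivated", scheme.select().address))
    return trail


if __name__ == "__main__":
    for step, chosen in walkthrough():
        print(f"{step:40s} -> {chosen}")
```

The walkthrough reproduces the two points the guidelines stress: a server blocked by the device comes back on its own when the quiet timer expires, while a server blocked with state ... block stays blocked until an operator sets it to active. When every server is blocked, select() returns None, which is the authentication or accounting failure the state secondary guidelines describe.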

Examples

# In RADIUS scheme radius1, set the status of all the secondary authentication servers to blocked.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

display radius scheme

radius-server test-profile

server-load-sharing enable

state primary

stop-accounting-buffer enable (RADIUS scheme view)

Use stop-accounting-buffer enable to enable buffering of RADIUS stop-accounting requests to which no responses have been received.

Use undo stop-accounting-buffer enable to disable the buffering feature.

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

Default

The device buffers the RADIUS stop-accounting requests to which no responses have been received.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to buffer a RADIUS stop-accounting request that has received no response after the maximum number of transmission attempts (set by using the retry command) has been made. The device resends the buffered request until it receives a server response or the number of stop-accounting request transmission attempts reaches the upper limit. If no more attempts are available, the device discards the request. However, if you have removed an accounting server, stop-accounting requests destined for that server are not buffered.

Examples

# Enable buffering of RADIUS stop-accounting requests to which no responses have been received.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-buffer enable

Related commands

display stop-accounting-buffer (for RADIUS)

reset stop-accounting-buffer (for RADIUS)

stop-accounting-packet send-force

Use stop-accounting-packet send-force to enable forcibly sending RADIUS stop-accounting packets. The device will send RADIUS stop-accounting packets when users for which no RADIUS start-accounting packets are sent go offline.

Use undo stop-accounting-packet send-force to disable forcibly sending RADIUS stop-accounting packets.

Syntax

stop-accounting-packet send-force

undo stop-accounting-packet send-force

Default

Forcibly sending RADIUS stop-accounting packets is disabled. The device does not send RADIUS stop-accounting packets when users for which no RADIUS start-accounting packets are sent go offline.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Typically, if the device does not send a RADIUS start-accounting packet to the RADIUS server for an authenticated user, it does not send a RADIUS stop-accounting packet when the user goes offline. If the server has generated a user entry for the user without receiving a RADIUS start-accounting packet, it does not release the user entry when the user goes offline. This feature forces the device to send a RADIUS stop-accounting packet to the RADIUS server when the user goes offline, so that the server releases the user entry promptly.

Examples

# In RADIUS scheme radius1, enable forcibly sending RADIUS stop-accounting packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] stop-accounting-packet send-force

Related commands

display radius scheme

test-aaa

Use test-aaa to perform an AAA test.

Syntax

test-aaa user user-name password password radius-scheme radius-scheme-name [ radius-server { ipv4-address | ipv6 ipv6-address } port-number [ vpn-instance vpn-instance-name ] ] [ chap | pap ] [ attribute-test-group attr-test-group-name ] [ trace ]

Views

User view

Predefined user roles

network-admin

Parameters

user user-name: Specifies the test username, a string of 1 to 80 characters. The username can be a pure username or contain a domain name. The format for a username containing a domain name is pure-username@domain-name. The pure username is case sensitive and the domain name is case insensitive.

password password: Specifies the password of the test user, a case-sensitive string of 1 to 63 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-server: Specifies a RADIUS server.

ipv4-address: Specifies the IPv4 address of the RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of the RADIUS server.

port-number: Specifies the UDP port number of the RADIUS server, in the range of 1 to 65535.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

chap: Specifies the CHAP authentication method (the default).

pap: Specifies the PAP authentication method.

attribute-test-group attr-test-group-name: Specifies a RADIUS attribute test group by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a RADIUS attribute test group or the specified RADIUS attribute test group does not exist, the device does not change the attributes carried in authentication or accounting requests.

trace: Displays detailed information about RADIUS packets exchanged during the AAA test. If you do not specify this keyword, the command displays brief information about the AAA test, including the sent and received packets and the test result.

Usage guidelines

Use this command to identify the reasons for the failure of interaction between the device and the AAA servers.

The device might communicate with the AAA servers incorrectly during an AAA test. Make sure no users come online or go offline during an AAA test.

If the configuration of the specified RADIUS scheme changes, the new configuration does not affect the current AAA test. The modification will take effect in the next test.

The system can have only one AAA test at a time. Another AAA test can be performed only after the current test finishes.

Examples

# Perform an AAA test and display detailed information about the test. The test uses username user1, password 123456, the CHAP authentication method, and RADIUS scheme test.

<Sysname> test-aaa user user1 password 123456 radius-scheme test chap trace

Sent a RADIUS authentication request.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1812

  Packet type  : Authentication request

  Packet length: 118 bytes

  Packet ID    : 0

  Attribute list:

    [User-Name(1)]                 [6]   [user1]

    [CHAP-Password(3)]             [19]  [******]

    [NAS-IP-Address(4)]            [6]   [192.168.1.166]

    [Service-Type(6)]              [6]   [2] [Framed]

    [Framed-Protocol(7)]           [6]   [1] [PPP]

    [NAS-Identifier(32)]           [5]   [Sysname]

    [Acct-Session-Id(44)]          [40]  [00000008201707241008280000000c16100171]

    [CHAP-Challenge(60)]           [18]  [******]

    [NAS-Port-Type(61)]            [6]   [15] [Ethernet]

 

Received a RADIUS authentication response.

  Server IP    : 192.168.1.110

  Source IP    : 192.168.1.166

  VPN instance : N/A

  Server port  : 1812

  Packet type  : Access-Reject

  Packet length: 20 bytes

  Packet ID    : 0

  Reply-Message: "E63032: Incorrect password. You can retry 9 times."

 

Sent a RADIUS start-accounting request.

  Server IP    : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Start-accounting request

  Packet length: 63 bytes

  Packet ID    : 1

  Attribute list:

    [User-Name(1)]                  [6]   [user1]

    [Acct-Status-Type(40)]          [6]   [1] [Start]

    [NAS-IP-Address(4)]             [6]   [192.168.1.166]

    [NAS-Identifier(32)]            [5]   [Sysname]

    [Acct-Session-Id(44)]           [40]  [00000008201707241008280000000c16100171]

 

Received a RADIUS start-accounting response.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Start-accounting response

  Packet length: 20 bytes

  Packet ID    : 1

 

Sent a RADIUS stop-accounting request.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Stop-accounting request

  Packet length: 91 bytes

  Packet ID    : 1

  Attribute list:

    [User-Name(1)]                  [6]   [user1]

    [Acct-Status-Type(40)]          [6]   [2] [Stop]

    [NAS-IP-Address(4)]             [6]   [192.168.1.166]

    [NAS-Identifier(32)]            [5]   [Sysname]

    [Acct-Delay-Time(41)]           [6]   [0]

    [Acct-Session-Id(44)]           [40]  [00000008201707241008280000000c16100171]

    [Acct-Terminate-Cause(49)]      [6]   [1] [User Request]

 

Received a RADIUS stop-accounting response.

  Server  IP   : 192.168.1.110

  Source  IP   : 192.168.1.166

  VPN instance : N/A

  Server port  : 1813

  Packet type  : Stop-accounting response

  Packet length: 20 bytes

  Packet ID    : 1

 

Test result: Failed

# Perform an AAA test and display brief information about the test. The test uses username user1, password 123456, and the CHAP authentication method to test the RADIUS server at 192.168.1.110 in RADIUS scheme test.

<Sysname> test-aaa user user1 password 123456 radius-scheme test radius-server 192.168.1.110 1812

Sent a RADIUS authentication request.

Received a RADIUS authentication response.

 

Test result: Successful

Table 24 Command output

Field

Description

Server IP

IP address of the server.

Source IP

Source IP address of the RADIUS packet.

VPN instance

MPLS L3VPN instance to which the server belongs. This field displays N/A if the server belongs to the public network.

Server port

UDP port number of the server.

Packet type

Type of the RADIUS packet:

·     Authentication request.

·     Access-Accept.

·     Access-Reject.

·     Start-accounting request.

·     Start-accounting response.

·     Stop-accounting request.

·     Stop-accounting response.

Packet length

Total length of the RADIUS packet, in bytes.

Packet ID

ID of the RADIUS packet. This field is used to identify a pair of request and response packets.

[attribute-name (code)]  [length]  [value] [description]

Information about a RADIUS attribute:

·     attribute-name—Name of the attribute.

·     code—Code of the attribute.

·     length—Length of the attribute, in bytes.

·     value—Value of the attribute.

·     description—Description of the attribute.

Reply-Message:

The RADIUS server rejected the authentication request and replied with a message.

Test result

Result of the AAA test:

·     Successful—The test has succeeded.

·     Failed—The test has failed. If any request is rejected, the test fails.
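The trace output above follows a fixed layout (a "Sent"/"Received" header, indented key: value fields, attribute lines in the [attribute-name(code)] [length] [value] [description] form described in Table 24, and a final test result line), so it can be parsed and checked mechanically, for example when test-aaa runs are collected from many devices. The following is an added Python example, not H3C code; the function names are assumptions, and SAMPLE_TRACE is an abridged copy of the trace shown on this page.

```python
# Parser for 'test-aaa ... trace' output (added example, not H3C code; names are assumptions).
# SAMPLE_TRACE is an abridged copy of the trace shown on this page.
import re

SAMPLE_TRACE = """\
Sent a RADIUS authentication request.
  Server  IP   : 192.168.1.110
  Server port  : 1812
  Packet type  : Authentication request
  Packet ID    : 0
  Attribute list:
    [User-Name(1)]                 [6]   [user1]
    [CHAP-Password(3)]             [19]  [******]
    [Service-Type(6)]              [6]   [2] [Framed]

Received a RADIUS authentication response.
  Server IP    : 192.168.1.110
  Server port  : 1812
  Packet type  : Access-Reject
  Packet ID    : 0
  Reply-Message: "E63032: Incorrect password. You can retry 9 times."

Sent a RADIUS stop-accounting request.
  Server  IP   : 192.168.1.110
  Server port  : 1813
  Packet type  : Stop-accounting request
  Packet ID    : 1
  Attribute list:
    [Acct-Status-Type(40)]          [6]   [2] [Stop]
    [Acct-Terminate-Cause(49)]      [6]   [1] [User Request]

Received a RADIUS stop-accounting response.
  Server  IP   : 192.168.1.110
  Server port  : 1813
  Packet type  : Stop-accounting response
  Packet ID    : 1

Test result: Failed
"""

HEADER_RE = re.compile(r"^(Sent|Received) a RADIUS .+\.$")
ATTR_RE = re.compile(r"^\s*\[([^\]]+)\((\d+)\)\]\s+\[(\d+)\]\s+\[([^\]]*)\](?:\s+\[([^\]]*)\])?\s*$")
FIELD_RE = re.compile(r"^\s{2}([^:]+?)\s*:\s*(.*)$")
RESULT_RE = re.compile(r"^Test result:\s*(\w+)")


def parse_trace(text):
    """Split the trace into packet dicts; returns (packets, 'Successful' | 'Failed' | None)."""
    packets, result, current = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := HEADER_RE.match(line):
            current = {"direction": m.group(1), "fields": {}, "attributes": []}
            packets.append(current)
        elif m := RESULT_RE.match(line):
            result = m.group(1)
        elif current is None:
            continue                                  # text before the first packet header
        elif m := ATTR_RE.match(line):
            name, code, length, value, desc = m.groups()
            current["attributes"].append((name, int(code), int(length), value, desc))
        elif m := FIELD_RE.match(line):
            # the device prints "Server  IP" and "Server IP" for the same field; normalize spacing
            current["fields"][" ".join(m.group(1).split())] = m.group(2).strip()
    return packets, result


def pair_exchanges(packets):
    """Match each request with the next response carrying the same Packet ID on the same port."""
    exchanges, pending = [], {}                      # pending: (port, id) -> index into exchanges
    for p in packets:
        key = (p["fields"].get("Server port", ""), p["fields"].get("Packet ID", ""))
        if p["direction"] == "Sent":
            pending[key] = len(exchanges)
            exchanges.append([p, None])
        elif key in pending:
            exchanges[pending.pop(key)][1] = p
    return [(req, resp) for req, resp in exchanges]


def assess(text):
    """What a reviewer wants to know: was anything rejected, why, and did every request get an answer."""
    packets, result = parse_trace(text)
    exchanges = pair_exchanges(packets)
    rejects = [r for _, r in exchanges if r is not None and r["fields"].get("Packet type") == "Access-Reject"]
    return {
        "result": result,
        "exchanges": len(exchanges),
        "unanswered": sum(1 for _, r in exchanges if r is None),
        "rejected": bool(rejects),
        "reject_reason": rejects[0]["fields"].get("Reply-Message") if rejects else None,
    }
```

Pairing on (Server port, Packet ID) mirrors the Packet ID description in Table 24; a request left without a partner indicates a server that never answered, which is a different problem from an Access-Reject and is worth distinguishing when reading a failed test.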

 

Related commands

radius attribute-test-group

radius scheme

threshold remanent-volume

Use threshold remanent-volume to set the available data threshold.

Use undo threshold remanent-volume to restore the default.

Syntax

threshold remanent-volume threshold-value

undo threshold remanent-volume

Default

The available data threshold is 0.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the available data threshold, in the range of 0 to 4294967295. The unit is set by using the attribute remanent-volume unit command.

Usage guidelines

Use this command if the RADIUS server divides the total data quota of an authenticated user into multiple equal portions and assigns one portion to the user each time. When the user's available data on the device reaches the threshold, the device sends a realtime accounting request to the RADIUS server to apply for a new portion. This process continues until the user uses up the total data quota.

Examples

# In RADIUS scheme radius1, set the available data threshold to 2048 MB.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] threshold remanent-volume 2048

[Sysname-radius-radius1] attribute remanent-volume unit mega-byte

Related commands

attribute remanent-volume unit

display radius scheme

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

Examples

# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval [ second ]

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval: Specifies the real-time accounting interval in the range of 0 to 71582.

second: Specifies the measurement unit as second. If you do not specify this keyword, the real-time accounting interval is measured in minutes.

Usage guidelines

When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

If a user uses RADIUS accounting but not RADIUS authentication and authorization, the device performs real-time accounting for that user only based on the real-time accounting interval set in the user's RADIUS accounting scheme. The real-time accounting interval assigned by the RADIUS accounting server does not take effect.

A short interval improves accounting precision but consumes more system resources. As a best practice, set the interval to a value greater than the product of the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer.

Table 25 Recommended real-time accounting intervals

Number of users        Real-time accounting interval

1 to 99                3 minutes

100 to 499             6 minutes

500 to 999             12 minutes

1000 or more           15 minutes or longer

 

When you modify the real-time accounting interval, the following rules apply to users that have been online before the modification:

·     If you modify the real-time accounting interval from a non-zero value to zero or from zero to a non-zero value, the modification does not take effect on these users. These users still use the old real-time accounting interval.

·     If you modify the real-time accounting interval from a non-zero value to another non-zero value, the modification takes effect immediately on these users.

The device sends a start-accounting packet for a dual-stack user after the user obtains an IP address of one stack. No matter how long the real-time accounting interval is, the device sends an update-accounting packet for the user immediately after the user obtains an IP address of another stack.

Examples

# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the product of the following items cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.
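The guidelines for timer realtime-accounting (interval greater than attempts × response timeout, Table 25 by user count) and timer response-timeout (attempts × timeout × servers within the client timeout, the 300-second cap on walking the server list) interact, and it is easy to set one timer without rechecking the others. The following added Python example (not H3C code; the function names are assumptions) lints a scheme's timer values against those rules.

```python
# Timer sanity checks derived from the timer realtime-accounting and timer response-timeout
# usage guidelines (added example, not H3C code; function names are assumptions).
from typing import List, Optional

# Table 25 on this page: (min users, max users or None, recommended interval in minutes)
TABLE_25 = ((1, 99, 3), (100, 499, 6), (500, 999, 12), (1000, None, 15))
SCHEME_TRANSMIT_CAP_S = 300   # the device stops moving to the next server once 300 s have elapsed


def recommended_realtime_interval_min(online_users: int) -> int:
    """Minutes from Table 25; 1000 users or more returns the 15-minute floor."""
    for low, high, minutes in TABLE_25:
        if online_users >= low and (high is None or online_users <= high):
            return minutes
    raise ValueError("online_users must be at least 1")


def servers_actually_tried(max_attempts: int, response_timeout_s: int, server_count: int) -> int:
    """How many servers in the scheme can be tried before the 300 s cap stops the walk."""
    elapsed, tried = 0, 0
    for _ in range(server_count):
        if tried and elapsed >= SCHEME_TRANSMIT_CAP_S:
            break
        tried += 1
        elapsed += max_attempts * response_timeout_s
    return tried


def check_radius_timers(max_attempts: int, response_timeout_s: int, server_count: int,
                        realtime_interval_s: int, client_timeout_s: Optional[int] = None,
                        online_users: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means the values follow the guidelines.
    max_attempts is the 'retry' value, response_timeout_s the 'timer response-timeout' value and
    realtime_interval_s the 'timer realtime-accounting' value in seconds (0 = server-assigned)."""
    findings = []
    per_server_s = max_attempts * response_timeout_s
    worst_case_s = per_server_s * server_count
    if realtime_interval_s and realtime_interval_s <= per_server_s:
        findings.append(f"realtime interval {realtime_interval_s}s should exceed "
                        f"attempts x timeout = {per_server_s}s")
    if client_timeout_s is not None and worst_case_s > client_timeout_s:
        findings.append(f"attempts x timeout x servers = {worst_case_s}s exceeds the access module's "
                        f"client timeout of {client_timeout_s}s; users would be logged off")
    tried = servers_actually_tried(max_attempts, response_timeout_s, server_count)
    if tried < server_count:
        findings.append(f"only {tried} of {server_count} servers can be tried before the 300s cap")
    if online_users is not None and realtime_interval_s:
        rec_s = recommended_realtime_interval_min(online_users) * 60
        if realtime_interval_s < rec_s:
            findings.append(f"realtime interval {realtime_interval_s}s is below the Table 25 "
                            f"recommendation of {rec_s}s for {online_users} users")
    return findings


if __name__ == "__main__":
    # constructed values: 3 attempts, 10 s timeout, 2 servers, 5 s realtime interval, 30 s client timeout
    for finding in check_radius_timers(3, 10, 2, 5, client_timeout_s=30, online_users=1000):
        print("WARNING:", finding)
```

The client timeout is owned by the access module rather than by the RADIUS scheme, which is why it is an optional input here: when it is unknown the check is skipped rather than guessed.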

Examples

# In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

display radius scheme

retry

trust ip

Use trust ip to configure a trusted IPv4 DAC.

Use undo trust ip to remove a trusted IPv4 DAC.

Syntax

trust ip ipv4-address [ vpn-instance vpn-instance-name ]

undo trust ip ipv4-address [ vpn-instance vpn-instance-name ]

Default

No trusted IPv4 DACs are configured.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of a DAC, which cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the DAC belongs to the public network.

Usage guidelines

On a DAE proxy network, the DAE proxy checks the legitimacy of DAE requests received from DACs and it sends only legitimate DAE requests to the DAS. To exempt DAE requests from a DAC from being checked, you can configure the DAC as a trusted DAC. In this way, the DAE proxy directly sends DAE requests from the DAC to the DAS. This reduces the burden of the DAE proxy.

You can repeat this command to configure multiple trusted IPv4 DACs.

Examples

# Configure the DAC at 10.110.1.2 as a trusted IPv4 DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] trust ip 10.110.1.2

Related commands

trust ipv6

trust ipv6

Use trust ipv6 to configure a trusted IPv6 DAC.

Use undo trust ipv6 to remove a trusted IPv6 DAC.

Syntax

trust ipv6 ipv6-address [ vpn-instance vpn-instance-name ]

undo trust ipv6 ipv6-address [ vpn-instance vpn-instance-name ]

Default

No trusted IPv6 DACs are configured.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ipv6 ipv6-address: Specifies the IPv6 address of a DAC, which must be a unicast address and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the DAC belongs to the public network.

Usage guidelines

On a DAE proxy network, the DAE proxy checks the legitimacy of DAE requests received from DACs and it sends only legitimate DAE requests to the DAS. To exempt DAE requests from a DAC from being checked, you can configure the DAC as a trusted DAC. In this way, the DAE proxy directly sends DAE requests from the DAC to the DAS. This reduces the burden of the DAE proxy.

You can repeat this command to configure multiple trusted IPv6 DACs.
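The address restrictions for trust ip and trust ipv6 (no 0.0.0.0, 255.255.255.255, class D, class E or loopback for IPv4; unicast only, no loopback and no link-local for IPv6) and the DAE proxy's trusted-versus-checked decision can be expressed with the standard library. The following is an added Python example, not H3C code; the function names are assumptions, and the unspecified-address check for IPv6 is an extra check beyond the list on this page.

```python
# Trusted-DAC address rules from trust ip / trust ipv6 and the DAE proxy decision they feed
# (added illustration, not H3C code; function names are assumptions).
import ipaddress
from typing import Optional, Set, Tuple

CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")   # multicast
CLASS_E = ipaddress.IPv4Network("240.0.0.0/4")   # reserved; includes 255.255.255.255

TrustKey = Tuple[str, Optional[str]]             # (normalized address, vpn-instance or None)


def dac_address_problem(text: str) -> Optional[str]:
    """Return why 'text' is not acceptable as a trusted DAC address, or None if it is."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "not an IP address"
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("0.0.0.0"):
            return "0.0.0.0 is not allowed"
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            return "255.255.255.255 is not allowed"
        if ip in CLASS_D:
            return "class D (multicast) address"
        if ip in CLASS_E:
            return "class E (reserved) address"
        if ip.is_loopback:
            return "loopback address"
        return None
    if ip.is_multicast:
        return "IPv6 address must be unicast"
    if ip.is_unspecified:          # extra check beyond the page's list: '::' is never a node address
        return "unspecified address"
    if ip.is_loopback:
        return "IPv6 loopback address"
    if ip.is_link_local:
        return "IPv6 link-local address"
    return None


def add_trusted_dac(trusted: Set[TrustKey], text: str, vpn: Optional[str] = None) -> TrustKey:
    """Equivalent of 'trust ip' / 'trust ipv6'; raises on an address the command would reject."""
    problem = dac_address_problem(text)
    if problem:
        raise ValueError(f"{text}: {problem}")
    key = (str(ipaddress.ip_address(text)), vpn)   # str() gives the canonical form, e.g. compressed IPv6
    trusted.add(key)
    return key


def dae_proxy_action(trusted: Set[TrustKey], src: str, vpn: Optional[str] = None) -> str:
    """What the DAE proxy does with a DAE request from src: forward untouched if the DAC is
    trusted in that VPN instance, otherwise run the legitimacy check first."""
    try:
        key = (str(ipaddress.ip_address(src)), vpn)
    except ValueError:
        return "drop"
    return "forward" if key in trusted else "check-then-forward"


if __name__ == "__main__":
    trusted: Set[TrustKey] = set()
    add_trusted_dac(trusted, "10.110.1.2")              # the page's trust ip example
    add_trusted_dac(trusted, "10:110::1:2")             # the page's trust ipv6 example
    for candidate in ("10.110.1.2", "10.110.1.3", "10:110::1:2"):
        print(candidate, "->", dae_proxy_action(trusted, candidate))
```

The VPN instance is part of the lookup key on purpose: the command syntax scopes a trusted DAC to a VPN instance, so the same address seen from the public network is not trusted unless it was configured without the vpn-instance option.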

Examples

# Configure the DAC at 10:110::1:2 as a trusted IPv6 DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] trust ipv6 10:110::1:2

Related commands

trust ip

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to a RADIUS server.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name part is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.

Examples

# In RADIUS scheme radius1, configure the device to remove the domain name from the usernames sent to the RADIUS servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

username-authorization apply

Use username-authorization apply to configure the device to use server-assigned usernames for AAA processes subsequent to authentication.

Use undo username-authorization apply to restore the default.

Syntax

username-authorization apply

undo username-authorization apply

Default

The device uses the usernames used in authentication for AAA processes subsequent to authentication.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

A RADIUS server might add the User-Name attribute in an Access-Accept response. This feature enables the device to notify the access module of the User-Name attribute and use the server-assigned username for AAA processes subsequent to authentication. For example, the device includes the username in start-accounting requests sent to the RADIUS server and displays the username in command output instead of the username used in authentication.

The username assigned by the RADIUS server is different from the username used in authentication. How a server-assigned username is encapsulated in the RADIUS User-Name attribute by the device depends on the username format configuration in the RADIUS scheme.

·     If the username format is keep-original, the username is encapsulated without any change.

·     If the username format is without-domain, the username is encapsulated without any domain name.

·     If the username format is with-domain, the username is encapsulated with the authentication domain name. If the server-assigned username contains a domain name other than the authentication domain name, the device replaces the domain name with the authentication domain name.

This command takes effect only on IPoE users.

If this command is used, the usernames in IPoE user information displayed by using the display ip subscriber command are the usernames assigned by the RADIUS server.
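The user-name-format rules for the username a user enters, the encapsulation rules above for a server-assigned username, and the identity collision the user-name-format guidelines warn about (a without-domain scheme shared by several ISP domains) all reduce to a few string operations. The following is an added Python example, not H3C code; the function names and the auth_domain parameter (the ISP domain the device resolved the user into) are assumptions.

```python
# Username handling described under user-name-format and username-authorization apply
# (added illustration, not H3C code; function names and the auth_domain parameter are assumptions).
from typing import Dict, Iterable, List, Tuple

MODES = ("keep-original", "with-domain", "without-domain")


def split_username(name: str) -> Tuple[str, str]:
    """userid@isp-name -> (userid, isp-name); a name without '@' has an empty domain part."""
    userid, _, domain = name.partition("@")
    return userid, domain


def user_name_for_server(entered: str, mode: str, auth_domain: str) -> str:
    """User-Name the device sends for the username the user entered (user-name-format).
    auth_domain is the ISP domain the device resolved the user into."""
    if mode not in MODES:
        raise ValueError(f"unknown user-name-format {mode!r}")
    userid, _ = split_username(entered)
    if mode == "keep-original":
        return entered
    if mode == "without-domain":
        return userid
    return f"{userid}@{auth_domain}"   # with-domain; a bare userid gets the domain appended


def encapsulate_assigned_username(assigned: str, mode: str, auth_domain: str) -> str:
    """User-Name carried in later requests once username-authorization apply is on and the
    Access-Accept returned a server-assigned User-Name."""
    if mode not in MODES:
        raise ValueError(f"unknown user-name-format {mode!r}")
    userid, _ = split_username(assigned)
    if mode == "keep-original":
        return assigned
    if mode == "without-domain":
        return userid
    # with-domain: a foreign domain in the assigned name is replaced by the authentication domain
    return f"{userid}@{auth_domain}"


def username_collisions(mode: str, logins: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """logins are (entered username, authentication domain) pairs from all ISP domains that share
    one RADIUS scheme. Returns the User-Name values that now stand for users from several domains,
    which is the ambiguity the user-name-format guidelines warn about for without-domain."""
    seen: Dict[str, set] = {}
    for entered, auth_domain in logins:
        seen.setdefault(user_name_for_server(entered, mode, auth_domain), set()).add(auth_domain)
    return {name: sorted(domains) for name, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    # constructed logins from two ISP domains that apply the same RADIUS scheme
    logins = [("alice@isp1", "isp1"), ("alice@isp2", "isp2"), ("bob@isp1", "isp1")]
    for mode in MODES:
        print(mode, "->", username_collisions(mode, logins) or "no collisions")
```

With without-domain the server receives "alice" for two different subscribers, which is why the guidelines say not to apply such a scheme to more than one ISP domain; with-domain keeps them distinct because the authentication domain is always appended.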

Examples

# In RADIUS scheme radius1, configure the device to use server-assigned usernames for AAA processes subsequent to authentication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] username-authorization apply

Related commands

display ip subscriber (BRAS Services Command Reference)

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN instance is also configured for an individual RADIUS server, the VPN instance specified for the RADIUS scheme does not take effect on that server.

Examples

# Specify VPN instance test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

data: Specifies the unit for data flows.

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

packet: Specifies the unit for data packets.

giga-packet: Specifies the unit as giga-packet.

kilo-packet: Specifies the unit as kilo-packet.

mega-packet: Specifies the unit as mega-packet.

one-packet: Specifies the unit as one-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the specified HWTACACS scheme.

Usage guidelines

When you display the configuration of only one scheme, this command also displays the active state duration for each active server and the most recent five state changes for all servers in the scheme.

When displaying configuration for all schemes, this command also displays the active state duration for each active server and the most recent blocking period for all servers in all schemes.

Examples

# Display the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 HWTACACS schemes

 

------------------------------------------------------------------

HWTACACS scheme name  : hwtac

  Index : 0

  Primary authentication server:

    IP  : 2.2.2.2         Port: 49

    VPN Instance: 2

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent blocked period: 2021/08/15 20:33:45 - 2021/08/15 20:38:45

    Single-connection: Enabled

  Primary authorization server:

    IP  : 2.2.2.2         Port: 49

    VPN Instance: 2

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent blocked period: 2021/08/15 20:33:45 - 2021/08/15 20:38:45

    Single-connection: Disabled

  Primary accounting server:

    IP  : Not Configured  Port: 49

    VPN Instance: Not configured

    State: Blocked

    Single-connection: Disabled

 

  VPN Instance                          : 2

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Stop-accounting packets buffering     : Enabled

    Retransmission times                : 100

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

  Data flow unit                        : Byte

  Packet unit                           : One

------------------------------------------------------------------

# Display the configuration of HWTACACS scheme hwtac.

<Sysname> display hwtacacs scheme hwtac

Total 1 HWTACACS schemes

 

------------------------------------------------------------------

HWTACACS scheme name: hwtac

  Index : 0

  Primary authentication server:

    IP  : 2.2.2.2         Port: 49

    VPN Instance: 2

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent state changes:

      2021/08/15 21:01:23   Changed to active state

      2021/08/15 20:56:22   Changed to blocked state

    Single-connection: Enabled

  Primary authorization server:

    IP  : 2.2.2.2         Port: 49

    VPN Instance: 2

    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)

    Most recent state changes:

      2021/08/15 21:01:23   Changed to active state

      2021/08/15 20:56:22   Changed to blocked state

    Single-connection: Disabled

  Primary accounting server:

    IP  : Not Configured  Port: 49

    VPN Instance: Not configured

    State: Blocked

    Single-connection: Disabled

 

  VPN Instance                          : 2

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Stop-accounting packets buffering     : Enabled

    Retransmission times                : 100

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

  Data flow unit                        : Byte

  Packet unit                           : One

------------------------------------------------------------------

Table 26 Command output

Field

Description

Index

Index number of the HWTACACS scheme.

Primary authentication server

Primary HWTACACS authentication server.

Primary authorization server

Primary HWTACACS authorization server.

Primary accounting server

Primary HWTACACS accounting server.

Secondary authentication server

Secondary HWTACACS authentication server.

Secondary authorization server

Secondary HWTACACS authorization server.

Secondary accounting server

Secondary HWTACACS accounting server.

IP

IP address of the HWTACACS server. If no server is configured, this field displays Not configured.

Port

Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number.

VPN Instance

MPLS L3VPN instance to which the HWTACACS server or scheme belongs. If no VPN instance is specified for the server or scheme, this field displays Not configured.

State

Status of the server:

·     Active—The server is in active state.

·     Blocked—The server is in blocked state.

duration

The duration of the current active state for the server. This field is displayed only when the server is in active state.

Most recent blocked period

Start time and end time of the most recent period during which the server was in blocked state. If the server is still in blocked state, the end time is displayed as now.

Most recent state changes

Most recent five state changes of the server.

Single-connection

Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

NAS IP Address

Source IP address for outgoing HWTACACS packets.

Server Quiet Period(minutes)

Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes)

Real-time accounting interval, in minutes.

Stop-accounting packets buffering

Whether buffering of nonresponded HWTACACS stop-accounting requests is enabled.

Retransmission times

Maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

Response Timeout Interval(seconds)

HWTACACS server response timeout period, in seconds.

Username Format

Format for the usernames sent to the HWTACACS server:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as the username is entered.

Data flow unit

Measurement unit for data flows:

·     Byte.

·     Kilobyte.

·     Megabyte.

·     Gigabyte.

Packet unit

Measurement unit for packets:

·     One.

·     Kilo.

·     Mega.

·     Giga.

 
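The output above is what an operator reads to decide whether a scheme is healthy, so it is worth being able to check it mechanically. The following Python is an added example, not code from the H3C reference: it parses the display hwtacacs scheme output into a structure and reports the conditions the field descriptions identify as worth acting on (a server that is Not Configured or Blocked, a blocked period whose end time is still now, single-connection disabled, no NAS IP). The sample text is constructed from the example output above, not captured from a device.

```python
import re

# Sample output constructed from the display hwtacacs scheme example above (not captured from a device).
SAMPLE_OUTPUT = """\
Total 1 HWTACACS schemes

------------------------------------------------------------------
HWTACACS scheme name  : hwtac
  Index : 0
  Primary authentication server:
    IP  : 2.2.2.2         Port: 49
    VPN Instance: 2
    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)
    Most recent blocked period: 2021/08/15 20:33:45 - 2021/08/15 20:38:45
    Single-connection: Enabled
  Primary authorization server:
    IP  : 2.2.2.2         Port: 49
    VPN Instance: 2
    State: Active (duration: 1 weeks 2 days 1 hours 32 minutes 34 seconds)
    Most recent blocked period: 2021/08/15 20:33:45 - 2021/08/15 20:38:45
    Single-connection: Disabled
  Primary accounting server:
    IP  : Not Configured  Port: 49
    VPN Instance: Not configured
    State: Blocked
    Single-connection: Disabled

  VPN Instance                          : 2
  NAS IP Address                        : 2.2.2.3
  Server Quiet Period(minutes)          : 5
  Realtime Accounting Interval(minutes) : 12
  Stop-accounting packets buffering     : Enabled
    Retransmission times                : 100
  Response Timeout Interval(seconds)    : 5
  Username Format                       : with-domain
  Data flow unit                        : Byte
  Packet unit                           : One
------------------------------------------------------------------
"""

SCHEME_RE = re.compile(r"^HWTACACS scheme name\s*:\s*(\S+)")
SERVER_RE = re.compile(r"^\s+((?:Primary|Secondary) (?:authentication|authorization|accounting) server):\s*$")
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_schemes(text):
    """Turn the display output into a list of dicts: name, servers (keyed by role) and scheme-level settings."""
    schemes, scheme, server = [], None, None
    for line in text.splitlines():
        m = SCHEME_RE.match(line)
        if m:
            scheme = {"name": m.group(1), "servers": {}, "settings": {}}
            schemes.append(scheme)
            server = None
            continue
        if scheme is None:
            continue                      # header lines before the first scheme
        m = SERVER_RE.match(line)
        if m:
            server = scheme["servers"].setdefault(m.group(1), {})
            continue
        if not line.strip() or line.startswith("---"):
            server = None                 # blank line separates the server blocks from the scheme settings
            continue
        if server is not None and line.startswith(" " * 6):
            server.setdefault("history", []).append(line.strip())   # "Most recent state changes" entries
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if server is not None:
            if key == "IP":               # "IP  : 2.2.2.2         Port: 49" carries two fields on one line
                ip, _, port = value.partition("Port:")
                server["IP"], server["Port"] = ip.strip(), port.strip()
            elif key == "State":          # "Active (duration: ...)" -> keep the bare state as well
                server["State"], server["State detail"] = value.split(" ", 1)[0], value
            else:
                server[key] = value
        else:
            scheme["settings"][key] = value
    return schemes


def audit_scheme(scheme):
    """Findings an operator would raise from this output alone."""
    findings, name = [], scheme["name"]
    for role, srv in scheme["servers"].items():
        ip = srv.get("IP", "")
        if ip.lower() == "not configured":
            findings.append(f"{name}: {role} is not configured")
            continue
        if srv.get("State") == "Blocked":
            findings.append(f"{name}: {role} {ip} is Blocked")
        if srv.get("Most recent blocked period", "").endswith("now"):
            findings.append(f"{name}: {role} {ip} is still inside its blocked period")
        if srv.get("Single-connection") == "Disabled":
            findings.append(f"{name}: {role} {ip} opens one TCP connection per user (single-connection disabled)")
    if scheme["settings"].get("NAS IP Address", "").lower() in ("", "not configured"):
        findings.append(f"{name}: no NAS IP address; the source address follows the outbound interface")
    return findings


def audit(text):
    return [f for s in parse_schemes(text) for f in audit_scheme(s)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

Run against the sample it reports the unconfigured primary accounting server and the authorization server with single-connection disabled; feed it the output of display hwtacacs scheme captured from a device to check every scheme at once.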

# Display the HWTACACS service statistics.

<Sysname> display hwtacacs scheme tac statistics

HWTACACS scheme name: tac

  Primary authentication server: 3.3.3.3

    Round trip time:                               0 seconds

    Request packets:                               1

    Login request packets:                         1

    Change-password request packets:               0

    Request packets including plaintext password:  0

    Request packets including ciphertext password: 0

    Response packets:                              2

    Pass response packets:                         1

    Failure response packets:                      0

    Get-data response packets:                     0

    Get-username response packets:                 0

    Get-password response packets:                 1

    Restart response packets:                      0

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Continue packets:                              1

    Continue-abort packets:                        0

    Pending request packets:                       0

    Timeout packets:                               0

    Unknown type response packets:                 0

    Dropped response packets:                      0

 

  Primary authorization server: 3.3.3.3

    Round trip time:                               1 seconds

    Request packets:                               1

    Response packets:                              1

    PassAdd response packets:                      1

    PassReply response packets:                    0

    Failure response packets:                      0

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Pending request packets:                       0

    Timeout packets:                               0

    Unknown type response packets:                 0

    Dropped response packets:                      0

 

  Primary accounting server: 3.3.3.3

    Round trip time:                               0 seconds

    Request packets:                               2

    Accounting start request packets:              1

    Accounting stop request packets:               1

    Accounting update request packets:             0

    Pending request packets:                       0

    Response packets:                              2

    Success response packets:                      2

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Timeout response packets:                      0

    Unknown type response packets:                 0

    Dropped response packets:                      0

Table 27 Command output

Field

Description

Primary authentication server

Primary HWTACACS authentication server.

Primary authorization server

Primary HWTACACS authorization server.

Primary accounting server

Primary HWTACACS accounting server.

Secondary authentication server

Secondary HWTACACS authentication server.

Secondary authorization server

Secondary HWTACACS authorization server.

Secondary accounting server

Secondary HWTACACS accounting server.

Round trip time

Time elapsed between sending the most recent request and receiving its response, in seconds.

Request packets

Number of sent requests.

Response packets

Number of received responses.

Failure response packets

Number of responses for authentication or authorization failure.

Error response packets

Number of error authentication responses.

Follow response packets

Number of follow authentication responses.

Malformed response packets

Number of invalid responses.

Pending request packets

Number of requests for which the device waits for responses.

Timeout packets

Number of requests that timed out.

Unknown type response packets

Number of unknown responses.

Dropped response packets

Number of dropped responses.

Login request packets

Number of sent packets that request to log in to the device.

Change-password request packets

Number of sent packets that request to change user passwords.

Request packets including plaintext passwords

Number of sent requests that include user passwords in plaintext form.

Request packets including ciphertext passwords

Number of requests that include user passwords in encrypted form.

Pass response packets

Number of responses that indicate users pass authentication.

Get-data response packets

Number of responses that get data.

Get-username response packets

Number of responses that get usernames.

Get-password response packets

Number of responses that get user passwords.

Restart response packets

Number of responses that indicate reauthentication.

Continue packets

Number of sent continue packets.

Continue-abort packets

Number of sent continue-abort packets.

PassAdd response packets

Number of received PassAdd responses. A PassAdd response indicates that the server grants all requested authorization attributes and adds further attributes of its own.

PassReply response packets

Number of received PassReply responses. A PassReply response indicates that the server replaces the requested authorization attributes with the attributes carried in the response.

Accounting start request packets

Number of sent start-accounting requests.

Accounting stop request packets

Number of sent stop-accounting requests.

Accounting update request packets

Number of sent accounting-update requests.

Success response packets

Number of received responses that indicate accounting success.

 

Related commands

reset hwtacacs statistics

display stop-accounting-buffer (for HWTACACS)

Use display stop-accounting-buffer to display information about buffered HWTACACS stop-accounting requests to which no responses have been received.

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display information about nonresponded stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

Total entries: 2

Scheme    IP address        Username      First sending time     Attempts

hwt1      192.168.100.1     abc           23:27:16-05/31/2019    19

hwt1      192.168.90.6      bob           23:33:01-05/31/2019    20

Table 28 Command output

Field

Description

First sending time

Time when the stop-accounting request was first sent.

Attempts

Number of attempts that were made to send the stop-accounting request.

 

Related commands

reset stop-accounting-buffer (for HWTACACS)

retry stop-accounting (HWTACACS scheme view)

stop-accounting-buffer enable (HWTACACS scheme view)

user-name-format (HWTACACS scheme view)

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an HWTACACS packet sent to the server is the primary IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, the HWTACACS server checks the source IP address of the packet.

·     If the source IP address belongs to a managed NAS, the server processes the packet.

·     If the source IP address does not belong to a managed NAS, the server drops the packet.

As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address of outgoing HWTACACS packets.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses in system view, including:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Each VPN instance can have only one private-network source IPv4 address and one private-network source IPv6 address in system view.
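The address restrictions and the precedence rules above are easy to get wrong when a configuration is generated by a template, so here is an added Python example (not H3C code) that encodes them: it rejects the address classes the Parameters section excludes, models the system-view table with its one-IPv4-and-one-IPv6-per-VPN-instance limit and 16-entry cap, and resolves which source address a scheme ends up using. Two points are assumptions rather than statements of this page: that re-issuing hwtacacs nas-ip for a slot that already has an address replaces it, and that the system-view entry is matched on the scheme's VPN instance and address family. The addresses and VPN names are illustrative; whether an address actually belongs to the device cannot be checked offline.

```python
import ipaddress

MAX_SYSTEM_NAS_IPS = 16   # limit documented for hwtacacs nas-ip in system view


def validate_nas_ip(addr):
    """Return the parsed address if it satisfies the restrictions listed under Parameters, else raise ValueError.
    Ownership of the address by the device is not checked here."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip.is_unspecified:                                  # 0.0.0.0
            raise ValueError(f"{addr}: 0.0.0.0 is not allowed")
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            raise ValueError(f"{addr}: limited broadcast address is not allowed")
        if ip.is_multicast:                                    # class D, 224.0.0.0/4
            raise ValueError(f"{addr}: class D address is not allowed")
        if ip in ipaddress.IPv4Network("240.0.0.0/4"):         # class E
            raise ValueError(f"{addr}: class E address is not allowed")
        if ip.is_loopback:                                     # 127.0.0.0/8
            raise ValueError(f"{addr}: loopback address is not allowed")
    else:
        if ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"{addr}: not a unicast address")
        if ip.is_loopback or ip.is_link_local:
            raise ValueError(f"{addr}: loopback and link-local addresses are not allowed")
    return ip


def is_valid_nas_ip(addr):
    try:
        validate_nas_ip(addr)
        return True
    except ValueError:
        return False


class SystemNasIpTable:
    """Models the system-view hwtacacs nas-ip table: at most 16 entries, one IPv4 and one IPv6
    address per VPN instance, where vpn_instance=None stands for the public network."""

    def __init__(self):
        self.entries = {}    # (vpn_instance, ip_version) -> address

    def add(self, addr, vpn_instance=None):
        ip = validate_nas_ip(addr)
        slot = (vpn_instance, ip.version)
        if slot not in self.entries and len(self.entries) >= MAX_SYSTEM_NAS_IPS:
            raise ValueError("hwtacacs nas-ip: maximum of 16 source IP addresses reached")
        self.entries[slot] = ip      # assumption: re-specifying a slot replaces its address
        return ip

    def remove(self, addr, vpn_instance=None):
        ip = ipaddress.ip_address(addr)
        slot = (vpn_instance, ip.version)
        if self.entries.get(slot) != ip:
            raise KeyError(f"no hwtacacs nas-ip {addr} for VPN instance {vpn_instance or 'public'}")
        del self.entries[slot]


def resolve_source_ip(scheme_nas_ip, system_table, vpn_instance, version, outbound_primary_ip):
    """Precedence documented above: scheme-view nas-ip, then system-view hwtacacs nas-ip, then the
    primary address of the outbound interface. Assumption: the system-view entry is looked up by
    the scheme's VPN instance and address family."""
    if scheme_nas_ip is not None:
        return ipaddress.ip_address(scheme_nas_ip)
    system_ip = system_table.entries.get((vpn_instance, version))
    if system_ip is not None:
        return system_ip
    return ipaddress.ip_address(outbound_primary_ip)


if __name__ == "__main__":
    table = SystemNasIpTable()
    table.add("129.10.10.1")                 # public-network IPv4 source
    table.add("10.1.1.1", "vpn1")            # private-network IPv4 source for vpn1
    print(resolve_source_ip(None, table, "vpn1", 4, "192.0.2.1"))     # 10.1.1.1
    print(resolve_source_ip(None, table, "vpn2", 4, "192.0.2.1"))     # falls back to the interface
    for candidate in ("127.0.0.1", "224.0.0.1", "fe80::1", "2001:db8::1"):
        print(candidate, is_valid_nas_ip(candidate))
```

Because the server identifies the NAS by source address, the useful check is the resolved address per scheme and VPN instance, not the list of configured addresses; a scheme whose lookup falls through to the outbound interface is the one whose packets the server is most likely to drop after a routing change.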

Examples

# Specify IP address 129.10.10.1 as the source address of outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter its view, or enter the view of an existing HWTACACS scheme.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

hwtacacs-user change-password

Use hwtacacs-user change-password to change user passwords stored on HWTACACS servers.

Syntax

hwtacacs-user change-password hwtacacs-scheme hwtacacs-scheme-name { all-servers | first-server | server-ip { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * }

Views

User view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme whose authentication servers are used for the password change. The hwtacacs-scheme-name argument represents the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters. Make sure the specified HWTACACS scheme already exists.

all-servers: Changes user passwords on all the authentication servers in the HWTACACS scheme.

first-server: Changes user passwords only on the first reachable authentication server in the HWTACACS scheme.

server-ip: Changes user passwords on the specified HWTACACS authentication server.

ipv4-address: Specifies the IPv4 address of an HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of an HWTACACS authentication server.

port-number: Specifies the TCP service port number of the HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Application scenarios

To change user passwords stored on remote HWTACACS authentication servers without logging in to them, use this command.

Operating mechanism

After you execute this command, the device attempts to connect to each of the specified servers for you to change passwords. If a server is reachable, the device prompts you for the username and old password of a target user account, the new password, and confirmation of the new password. Then, the device sends this information to the server for a password change. This process differs slightly depending on the server parameters specified for the command:

·     If you specify a particular server in an HWTACACS scheme, the device communicates only with that server for password change.

·     If you specify the first reachable authentication server in an HWTACACS scheme, the device attempts to connect to the first authentication server in the HWTACACS scheme. If that server is reachable, the device communicates with that server for password change. If that server is not reachable, the device tries the next authentication server in the HWTACACS scheme. This process continues until one reachable authentication server is found or all the authentication servers in the HWTACACS scheme are exhausted.

·     If you specify all the authentication servers in an HWTACACS scheme, the device connects to each of the servers for password change. After password change succeeds on one server, the device prompts you to choose whether you want to proceed with the next server.

¡     If you choose to proceed, or do not make a choice within 3 seconds, the device tries the next server for a password change based on the user information already provided.

¡     If you choose not to proceed within 3 seconds, the password change process closes.

Likewise, if a server is not reachable or password change fails on a server, the device prompts you to choose whether you want to skip the server and proceed further.

Prerequisites

To execute this command, you must log in to the device through HWTACACS authentication. All HWTACACS authenticated users can change the passwords for their own user accounts. To change passwords for other HWTACACS users, you must have the network-admin or level-15 user role.

To execute this command successfully, make sure the specified server parameters are consistent with the settings for the specified HWTACACS scheme.

Restrictions and guidelines

If the password for the target user account has expired, you will receive a password expired message from the server and will be unable to change the password.

Enter the username and password information at the prompt within 30 seconds. If you fail to do that, the password change process automatically terminates.

To terminate a password change process, press Ctrl+C.

Examples

# Change the password for user tacacs1 on the authentication server that provides service on port 49 at 10.1.1.2. The server is specified in HWTACACS scheme hw1.

<Sysname> hwtacacs-user change-password hwtacacs-scheme hw1 server-ip 10.1.1.2 49

Connected to the HWTACACS server at 10.1.1.2.

Interacting with the server... Please wait.

Username: tacacs1

Old password:

New password:

Confirm new password:

Changed the password successfully.

<Sysname>

# Change the password for user tacacs2 on all the authentication servers in HWTACACS scheme hw1.

<Sysname> hwtacacs-user change-password hwtacacs-scheme hw1 all-servers

Connected to the HWTACACS server at 10.1.1.2.

Interacting with the server... Please wait.

Username: tacacs2

Old password:

New password:

Confirm new password:

Changed the password successfully.

 

Continue to change the user's password on the next HWTACACS server? [Y/N] Y

 

Connected to the HWTACACS server at 10.1.1.6.

Interacting with the server... Please wait.

Changed the password successfully.

 

Continue to change the user's password on the next HWTACACS server? [Y/N] Y

 

Connected to the HWTACACS server at 10.1.1.10.

Interacting with the server... Please wait.

Changed the password successfully.

 

Changed the password successfully on all HWTACACS servers.

<Sysname>

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured for secure HWTACACS authentication, authorization, or accounting communication.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure HWTACACS accounting communication.

authentication: Specifies the shared key for secure HWTACACS authentication communication.

authorization: Specifies the shared key for secure HWTACACS authorization communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.
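To show what the shared key actually does on the wire, and why a mismatch produces garbage rather than a clean error, here is an added Python example that is not H3C code: it implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (an MD5 keystream seeded with the session ID, the shared key, the version byte and the sequence number, XORed over the packet body) and builds an authentication START packet around it. The assumption is that HWTACACS, which interoperates with TACACS+ servers, carries the same 12-byte header and obfuscation; the header constants and the START body layout come from the RFC, and the key 123456TESTauth&!, the username tacacs1, the port and remote address are illustrative values.

```python
import hashlib
import os
import struct

# TACACS+ header constants from RFC 8907. Assumption: HWTACACS uses the same 12-byte header and
# body obfuscation as TACACS+; these values are the RFC's, not taken from this command reference.
HEADER_FMT = "!BBBBII"               # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_VER_DEFAULT = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_VER_ONE = 0xC1              # minor version 1, used for PAP/CHAP login
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: MD5(session_id, key, version, seq_no[, previous digest]),
    chained until it covers the body. Encoding and decoding use the same pad because the body is XORed."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(packet_type, seq_no, session_id, body, key, version=TAC_PLUS_VER_DEFAULT):
    """Header plus body. Without a shared key the body travels in the clear and the unencrypted flag is set."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, packet_type, seq_no, flags, session_id, len(body))
    payload = obfuscate(body, session_id, key, version, seq_no) if key else bytes(body)
    return header + payload


def open_packet(packet, key):
    """Parse the header and recover the body with the given key. A wrong key does not fail loudly:
    the XOR simply yields garbage, which is what a NAS/server key mismatch looks like to the receiver."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


def authen_start_body(user, port, rem_addr, password, priv_lvl=1):
    """Authentication START body for a PAP login (action LOGIN=1, authen_type PAP=2, service LOGIN=1).
    The password rides in the data field, so the only thing hiding it on the wire is the shared key."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!BBBBBBBB", 1, priv_lvl, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


if __name__ == "__main__":
    key = b"123456TESTauth&!"                            # illustrative, matches the example below
    body = authen_start_body("tacacs1", "vty0", "192.0.2.10", "s3cret")
    session_id = int.from_bytes(os.urandom(4), "big")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key, TAC_PLUS_VER_ONE)
    print("on the wire :", pkt.hex())
    print("right key   :", open_packet(pkt, key) == body)
    print("wrong key   :", open_packet(pkt, b"123456TESTauth&?") == body)
```

Two things follow for operations. First, a key mismatch is silent at this layer: the device and server each decode the other's body into noise, and the symptom is failed or malformed exchanges (see the Malformed and Timeout counters in display hwtacacs scheme statistics), not an explicit key error. Second, the pad is MD5-based obfuscation, not authenticated encryption, and RFC 8907 says as much; the shared key keeps casual observers from reading passwords, so the HWTACACS servers should still sit on a network the device reaches only through a trusted path, for example the VPN instance bound to the scheme.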

Examples

# In HWTACACS scheme hwt1, set the shared key to 123456TESTauth&! in plaintext form for secure HWTACACS authentication communication.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the primary IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, the HWTACACS server checks the source IP address of the packet.

·     If the source IP address belongs to a managed NAS, the server processes the packet.

·     If the source IP address does not belong to a managed NAS, the server drops the packet.

As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address of outgoing HWTACACS packets.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify only one source IPv4 address and one source IPv6 address for an HWTACACS scheme.

If you do not specify the ipv6 keyword for the undo nas-ip command, the command deletes the configured source IPv4 address for outgoing HWTACACS packets.

Examples

# In HWTACACS scheme hwt1, specify IP address 10.1.1.1 as the source address of outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

The primary HWTACACS accounting server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

As a best practice, specify the single-connection keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

The primary HWTACACS authentication server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection at each authentication.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to restore the default.

Syntax

primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

The primary HWTACACS authorization server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authorization (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

reset stop-accounting-buffer (for HWTACACS)

Use reset stop-accounting-buffer to clear buffered HWTACACS stop-accounting requests to which no responses have been received.

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Views

User view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Clear nonresponded stop-accounting requests buffered for HWTACACS scheme hwt1.

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1

Related commands

display stop-accounting-buffer (for HWTACACS)

stop-accounting-buffer enable (HWTACACS scheme view)

retry stop-accounting (HWTACACS scheme view)

Use retry stop-accounting to set the maximum number of transmission attempts for individual HWTACACS stop-accounting requests.

Use undo retry stop-accounting to restore the default.

Syntax

retry stop-accounting retries

undo retry stop-accounting

Default

The maximum number of transmission attempts for individual HWTACACS stop-accounting requests is 100.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of transmission attempts for HWTACACS stop-accounting requests. The value range is 1 to 300.

Examples

# In HWTACACS scheme hwt1, set the maximum number of HWTACACS stop-accounting attempts to 300.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 300

Related commands

display stop-accounting-buffer (for HWTACACS)

timer response-timeout (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authentication servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address 10.163.155.14, TCP port number 49, and plaintext shared key 123456TESTauth&!. (The secondary server must not repeat the IP address, VPN instance, and port number of the primary authentication server in the same scheme.)

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.14 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authorization servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, VPN instance, and port number settings.

As a best practice, specify the single-connection keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.14, TCP port number 49, and plaintext shared key 123456TESTautr&!. (The secondary server must not repeat the IP address, VPN instance, and port number of the primary authorization server in the same scheme.)

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.14 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authorization (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

stop-accounting-buffer enable (HWTACACS scheme view)

Use stop-accounting-buffer enable to enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

Use undo stop-accounting-buffer enable to disable buffering of HWTACACS stop-accounting requests to which no responses have been received.

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

Default

The device buffers HWTACACS stop-accounting requests to which no responses have been received.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to buffer an HWTACACS stop-accounting request to which no response has been received. The device resends the buffered request until it receives a server response or until the number of transmission attempts reaches the maximum set by using the retry stop-accounting command. If no more attempts are available, the device discards the request. If you have removed an accounting server, stop-accounting requests destined for that server are not buffered.

Examples

# Enable buffering of HWTACACS stop-accounting requests to which no responses have been received.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable

Related commands

display stop-accounting-buffer (for HWTACACS)

reset stop-accounting-buffer (for HWTACACS)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Table 29 Recommended real-time accounting intervals

Number of users      Real-time accounting interval
1 to 99              3 minutes
100 to 499           6 minutes
500 to 999           12 minutes
1000 or more         15 minutes or longer

When you modify the real-time accounting interval, the following rules apply to users that have been online before the modification:

·     If you modify the real-time accounting interval from a non-zero value to zero or from zero to a non-zero value, the modification does not take effect on these users. These users still use the old real-time accounting interval.

·     If you modify the real-time accounting interval from a non-zero value to another non-zero value, the modification takes effect immediately on these users.

The device sends a start-accounting packet for a dual-stack user after the user obtains an IP address of one stack. No matter how long the real-time accounting interval is, the device sends an update-accounting packet for the user immediately after the user obtains an IP address of another stack.

Examples

# In HWTACACS scheme hwt1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

The client timeout period of the associated access module cannot be shorter than the sum of the response timeout timers of all HWTACACS servers in the scheme. Otherwise, users can be logged off before the authentication, authorization, or accounting process is complete.
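The server rules spread across the primary/secondary server commands and this timer are easy to violate in a configuration that is generated or reviewed offline: two servers of one service with the same address, VPN instance and port; a per-server vpn-instance silently overriding the scheme-level one; keys committed in key simple form; and a response-timeout budget that, multiplied by the number of servers tried in turn, exceeds the access module's client timeout. The following Python script is an added example, not H3C code, that parses the HWTACACS scheme view lines documented here and reports those conditions. The sample configuration, the finding codes, and the placeholder cipher strings are constructed for illustration; the worst-case latency it computes assumes no server is in quiet state.

```python
"""Audit HWTACACS scheme configuration text against the rules stated in this reference."""
from dataclasses import dataclass, field
from typing import Optional

SERVICES = ("authentication", "authorization", "accounting")

# Constructed sample configuration (not from the page). The ciphertext strings are placeholders.
SAMPLE_CONFIG = """\
hwtacacs scheme hwt1
 primary authentication 10.163.155.13 49 key simple 123456TESTauth&!
 secondary authentication 10.163.155.13 49 key cipher $c$3$placeholder
 secondary authentication 10.163.155.14 key cipher $c$3$placeholder vpn-instance mgmt single-connection
 primary authorization 10.163.155.13 key cipher $c$3$placeholder single-connection
 secondary accounting ipv6 2001:db8::49 key cipher $c$3$placeholder
 timer response-timeout 5
 vpn-instance test
"""

@dataclass
class Server:
    role: str                            # primary | secondary
    service: str                         # authentication | authorization | accounting
    address: str                         # IPv4 or IPv6 literal
    port: int = 49                       # TCP port; 49 is the default on the page
    key_form: Optional[str] = None       # cipher | simple; None means the scheme-level key applies
    single_connection: bool = False
    vpn_instance: Optional[str] = None   # per-server override of the scheme's vpn-instance

@dataclass
class Scheme:
    name: str
    servers: list = field(default_factory=list)
    vpn_instance: Optional[str] = None   # scheme-level vpn-instance command
    response_timeout: int = 5            # seconds; 5 is the default on the page

def parse_server(tokens):
    """Parse one `primary|secondary <service> ...` line (already split into tokens)."""
    role, service = tokens[0], tokens[1]
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    if tokens[2] == "ipv6":
        address, i = tokens[3], 4
    else:
        address, i = tokens[2], 3
    srv = Server(role, service, address)
    while i < len(tokens):               # trailing options may appear in any order ([ ... ] *)
        tok = tokens[i]
        if tok.isdigit():
            srv.port, i = int(tok), i + 1
        elif tok == "key":               # key { cipher | simple } string
            srv.key_form, i = tokens[i + 1], i + 3
        elif tok == "single-connection":
            srv.single_connection, i = True, i + 1
        elif tok == "vpn-instance":
            srv.vpn_instance, i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {tok!r} in {' '.join(tokens)!r}")
    return srv

def parse_schemes(text):
    """Return {scheme name: Scheme} for every `hwtacacs scheme` block in the text."""
    schemes, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["hwtacacs", "scheme"]:
            current = schemes.setdefault(tokens[2], Scheme(tokens[2]))
        elif current is None:
            continue                     # lines outside any scheme view are ignored
        elif tokens[0] in ("primary", "secondary"):
            current.servers.append(parse_server(tokens))
        elif tokens[:2] == ["timer", "response-timeout"]:
            current.response_timeout = int(tokens[2])
        elif tokens[0] == "vpn-instance":
            current.vpn_instance = tokens[1]
    return schemes

def effective_vpn(scheme, srv):
    """A vpn-instance on the server line takes precedence over the scheme-level one."""
    return srv.vpn_instance if srv.vpn_instance is not None else scheme.vpn_instance

def audit_scheme(scheme, client_timeout=None):
    """Return (code, message) findings; client_timeout is the access module's timeout in seconds."""
    findings, seen = [], {}
    for srv in scheme.servers:
        ident = (srv.service, srv.address, effective_vpn(scheme, srv), srv.port)
        if ident in seen:                # same address, VPN instance and port within one service
            findings.append(("duplicate-server", f"{srv.role} {srv.service} {srv.address}:{srv.port} "
                             f"vpn={ident[2]} duplicates the {seen[ident]} server"))
        else:
            seen[ident] = srv.role
        if srv.key_form == "simple":     # stored encrypted on the device, but plaintext in this source
            findings.append(("plaintext-key", f"{srv.role} {srv.service} {srv.address}: key in plaintext"))
        if not srv.single_connection:
            findings.append(("no-single-connection", f"{srv.role} {srv.service} {srv.address}: "
                             "one TCP connection per exchange"))
    # Worst case: no server is quiet and each one in turn waits out the full response timeout.
    for service in SERVICES:
        count = sum(1 for s in scheme.servers if s.service == service)
        budget = count * scheme.response_timeout
        if client_timeout is not None and count and client_timeout < budget:
            findings.append(("client-timeout", f"{service}: {count} servers x {scheme.response_timeout}s "
                             f"= {budget}s exceeds the client timeout of {client_timeout}s"))
    return findings

if __name__ == "__main__":
    for name, scheme in parse_schemes(SAMPLE_CONFIG).items():
        for code, msg in audit_scheme(scheme, client_timeout=10):
            print(f"{name}: [{code}] {msg}")
```

Run against the sample, the script reports the duplicate authentication server, the plaintext key on the primary authentication server, the servers configured without single-connection, and that three authentication servers at a 5-second response timeout need a client timeout of at least 15 seconds. The duplicate check is scoped per service because the page allows the same address to serve authentication and authorization in one scheme.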

Examples

# In HWTACACS scheme hwt1, set the HWTACACS server response timeout timer to 30 seconds.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to an HWTACACS server.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, of which the isp-name part is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.
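The collision the guideline warns about is easy to see once the three formats are applied to a set of usernames drawn from more than one ISP domain. The following Python block is an added example, not H3C code, that models the username transform for keep-original, with-domain and without-domain and reports which entered names the HWTACACS server would no longer be able to tell apart. The device's own parsing of the isp-name part and its default-domain handling are simplified: a name entered without "@" is assumed to belong to the domain passed in as default_domain. The sample usernames are constructed.

```python
"""Username formats sent to an HWTACACS server and the collision the guideline warns about."""

def split_username(entered, default_domain):
    """Return (userid, isp_name) for a username in userid@isp-name form.

    Simplification (assumption): a name without '@' belongs to default_domain.
    """
    userid, sep, isp = entered.rpartition("@")
    if not sep:
        return entered, default_domain
    return userid, isp

def format_username(entered, default_domain, mode):
    """Apply the user-name-format setting to one entered username."""
    userid, isp = split_username(entered, default_domain)
    if mode == "keep-original":
        return entered                     # sent exactly as the user typed it
    if mode == "with-domain":
        return f"{userid}@{isp}"           # ISP domain name always included
    if mode == "without-domain":
        return userid                      # ISP domain name stripped
    raise ValueError(f"unknown user-name-format {mode!r}")

def server_identities(entered_names, default_domain, mode):
    """Group entered usernames by the name the HWTACACS server will see."""
    groups = {}
    for name in entered_names:
        groups.setdefault(format_username(name, default_domain, mode), []).append(name)
    return groups

def collisions(entered_names, default_domain, mode):
    """Server-side names that merge users from different ISP domains into one account."""
    result = {}
    for seen_as, names in server_identities(entered_names, default_domain, mode).items():
        domains = {split_username(n, default_domain)[1] for n in names}
        if len(domains) > 1:
            result[seen_as] = sorted(names)
    return result

# Constructed sample: one scheme applied to ISP domains corp and guest.
SAMPLE_USERS = ["alice@corp", "alice@guest", "bob@corp", "carol"]

if __name__ == "__main__":
    for mode in ("keep-original", "with-domain", "without-domain"):
        print(mode, collisions(SAMPLE_USERS, "corp", mode))
```

With without-domain, alice@corp and alice@guest both reach the server as alice, which is exactly the case the guideline tells you to avoid by not applying such a scheme to more than one ISP domain; with-domain keeps them distinct.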

Examples

# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.

Examples

# Specify VPN instance test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme

LDAP commands

attribute-map

Use attribute-map to specify the LDAP attribute map in an LDAP scheme.

Use undo attribute-map to restore the default.

Syntax

attribute-map map-name

undo attribute-map

Default

An LDAP scheme does not use an LDAP attribute map.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

When the LDAP scheme used for authorization contains an LDAP attribute map, the device converts server-assigned LDAP attributes to device-recognizable AAA attributes based on the mapping entries.

You can specify only one LDAP attribute map in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

If you specify another attribute map or change the mapping entries, the new settings are effective only on the LDAP authorization that occurs after your operation.

Examples

# Specify LDAP attribute map map1 in LDAP scheme ldap1.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] attribute-map map1

Related commands

display ldap scheme

ldap attribute-map

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to restore the default.

Syntax

authentication-server server-name

undo authentication-server

Default

No LDAP authentication server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

display ldap scheme

ldap server

authorization-server

Use authorization-server to specify the LDAP authorization server for an LDAP scheme.

Use undo authorization-server to restore the default.

Syntax

authorization-server server-name

undo authorization-server

Default

No LDAP authorization server is specified for an LDAP scheme.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authorization server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authorization-server ccc

Related commands

display ldap scheme

ldap server

display ldap scheme

Use display ldap scheme to display LDAP scheme configuration.

Syntax

display ldap scheme [ ldap-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

 

------------------------------------------------------------------

LDAP scheme name             : aaa

  Authentication server      : aaa

    IP                       : 1.1.1.1

    Port                     : 111

    VPN instance             : Not configured

    LDAP protocol version    : LDAPv3

    Server timeout interval  : 10 seconds

    Login account DN         : Not configured

    Base DN                  : Not configured

    Search scope             : all-level

    User searching parameters:

      User object class      : Not configured

      Username attribute     : cn

      Username format        : with-domain

  Authorization server       : aaa

    IP                       : 1.1.1.1

    Port                     : 111

    VPN instance             : Not configured

    LDAP protocol version    : LDAPv3

    Server timeout interval  : 10 seconds

    Login account DN         : Not configured

    Base DN                  : Not configured

    Search scope             : all-level

    User searching parameters:

      User object class      : Not configured

      Username attribute     : cn

      Username format        : with-domain

  Attribute map              : map1

 ------------------------------------------------------------------

Table 30 Command output

Field                      Description
Authentication server      Name of the LDAP authentication server. If no server is configured, this field displays Not configured.
Authorization server       Name of the LDAP authorization server. If no server is configured, this field displays Not configured.
IP                         IP address of the LDAP server. If no server is specified, this field displays Not configured.
Port                       Port number of the server. If no port number is specified, this field displays the default port number.
VPN instance               MPLS L3VPN instance to which the LDAP server belongs. If no VPN instance is specified, this field displays Not configured.
LDAP protocol version      LDAP version, LDAPv2 or LDAPv3.
Server timeout interval    LDAP server timeout period, in seconds.
Login account DN           DN of the administrator.
Base DN                    Base DN for user search.
Search scope               User DN search scope, including:
                           ·     all-level—All subdirectories.
                           ·     single-level—Next lower level of subdirectories under the base DN.
User searching parameters  User search parameters.
User object class          User object class for user DN search. If no user object class is configured, this field displays Not configured.
Username attribute         User account attribute for login.
Username format            Format for the username sent to the server.
Attribute map              LDAP attribute map used by the scheme. If no LDAP attribute map is used, this field displays Not configured.

ip

Use ip to configure the IP address of the LDAP server.

Use undo ip to restore the default.

Syntax

ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ip

Default

An LDAP server does not have an IP address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address or port number of the LDAP server, the change takes effect only for LDAP authentications that occur after the change. Sessions already being authenticated continue to use the old settings.

Examples

# Specify the IP address and port number as 192.168.0.10 and 4300 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address of the LDAP server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ipv6

Default

An LDAP server does not have an IPv6 address.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IPv6 address or port number of the LDAP server, the change takes effect only for LDAP authentications that occur after the change. Sessions already being authenticated continue to use the old settings.

Examples

# Specify the IPv6 address and port number as 1:2::3:4 and 4300 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap attribute-map

Use ldap attribute-map to create an LDAP attribute map and enter its view, or enter the view of an existing LDAP attribute map.

Use undo ldap attribute-map to delete an LDAP attribute map.

Syntax

ldap attribute-map map-name

undo ldap attribute-map map-name

Default

No LDAP attribute maps exist.

Views

System view

Predefined user roles

network-admin

Parameters

map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute.

Examples

# Create an LDAP attribute map named map1 and enter LDAP attribute map view.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1]

Related commands

attribute-map

ldap scheme

map

ldap scheme

Use ldap scheme to create an LDAP scheme and enter its view, or enter the view of an existing LDAP scheme.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

ldap-scheme-name: Specifies the LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server named ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to restore the default.

Syntax

login-dn dn-string

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be a DN that exists on the LDAP server and has permission to search the base DN. The device binds with this DN (and the password set by login-password) before it searches for user entries, so as a best practice use an account that has only the read access needed for that search rather than a directory administrator account.

If you change the administrator DN, the change takes effect only for LDAP authentications that occur after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

login-password { cipher | simple } string

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 128 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.

Usage guidelines

This command takes effect only after the login-dn command is configured.

The device presents this password together with the administrator DN when it binds to the LDAP server. LDAP on the default TCP port 389 does not protect the bind by itself, so keep the path between the device and the LDAP server trusted, for example by reaching the server through a dedicated VPN instance, and change the password on both the server and the device if the device configuration is exposed.

Examples

# Specify the administrator password as abcdefg in plaintext form for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

display ldap scheme

login-dn

map

Use map to configure a mapping entry in an LDAP attribute map.

Use undo map to delete the specified mapping entries from the LDAP attribute map.

Syntax

map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }

undo map [ ldap-attribute ldap-attribute-name ]

Default

An LDAP attribute map does not contain mapping entries.

Views

LDAP attribute map view

Predefined user roles

network-admin

Parameters

ldap-attribute ldap-attribute-name: Specifies an LDAP attribute by its name. The ldap-attribute-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix-value delimiter delimiter-value: Specifies a partial value string of the LDAP attribute for attribute mapping. The prefix-value argument represents the position where the partial string starts. The prefix is a case-insensitive string of 1 to 7 characters, such as cn=. The delimiter-value argument represents the position where the partial string ends, such as a comma (,). If you do not specify the prefix prefix-value delimiter delimiter-value option, the mapping entry uses the entire value string of the LDAP attribute.

aaa-attribute: Specifies an AAA attribute.

user-group: Specifies the user group attribute.

user-profile: Specifies the user profile attribute.

Usage guidelines

The device ignores any LDAP attribute that has no mapping entry. Make sure the attribute map includes every LDAP attribute whose value the device needs for authorization.

An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute.

If you do not specify an LDAP attribute for the undo map command, the command deletes all mapping entries from the LDAP attribute map.

Examples

# In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to AAA attribute named user-group.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group

Related commands

ldap attribute-map

user-group

user-profile

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

display ldap scheme

ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

display ldap scheme

ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default of an LDAP user attribute.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

display ldap scheme

login-dn
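The following Python example is added here as an illustration; it is not H3C code and does not run on the device. It models how the LDAP server view settings in this section combine: user-parameters, search-base-dn and search-scope shape the user-DN search, and the mapping entries of an attribute map (the memberof entry from the map example plus a second, constructed entry) are applied to the attributes returned for the matched user. The configuration values and the directory entry are constructed. The filter escaping follows RFC 4515; it is the check any client that builds a search filter from a peer-supplied username needs, and the page does not state how the device performs it.

```python
# Added example (not H3C code): models the user-DN search built from the LDAP
# server view settings and the attribute-map extraction documented above.
# All configuration values and the directory entry are constructed.

# Stand-in for the LDAP server view: search-base-dn, search-scope, user-parameters.
SERVER_CFG = {
    "search-base-dn": "dc=ldap,dc=com",
    "search-scope": "all-level",           # all-level | single-level
    "user-name-attribute": "cn",           # cn | uid | a custom attribute name
    "user-name-format": "without-domain",  # with-domain | without-domain
    "user-object-class": "person",         # None when not configured
}

# Stand-in for an attribute map with two entries, the first as in the map example:
#   map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
ATTRIBUTE_MAP = [
    {"ldap-attribute": "memberof", "prefix": "cn=", "delimiter": ",",
     "aaa-attribute": "user-group"},
    {"ldap-attribute": "employeetype", "aaa-attribute": "user-profile"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: a username received from an unauthenticated peer must
    not be able to change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def format_username(raw, cfg=SERVER_CFG):
    """Apply user-name-format: without-domain strips the @domain suffix."""
    if cfg["user-name-format"] == "without-domain" and "@" in raw:
        return raw.rsplit("@", 1)[0]
    return raw


def build_search(raw_username, cfg=SERVER_CFG):
    """Return (base DN, scope, filter) for the user-DN search."""
    name = escape_filter_value(format_username(raw_username, cfg))
    filt = "(%s=%s)" % (cfg["user-name-attribute"], name)
    if cfg["user-object-class"]:
        filt = "(&(objectClass=%s)%s)" % (
            escape_filter_value(cfg["user-object-class"]), filt)
    scope = "subtree" if cfg["search-scope"] == "all-level" else "onelevel"
    return cfg["search-base-dn"], scope, filt


def extract_partial(value, prefix, delimiter):
    """Partial value string: text after the (case-insensitive) prefix up to the
    delimiter; None when the prefix is absent so the value is skipped."""
    idx = value.lower().find(prefix.lower())
    if idx < 0:
        return None
    start = idx + len(prefix)
    end = value.find(delimiter, start)
    return value[start:] if end < 0 else value[start:end]


def apply_attribute_map(entry, amap=ATTRIBUTE_MAP):
    """Map the LDAP attributes of a user entry to AAA attributes. Attributes
    without a mapping entry are ignored, as the usage guidelines state."""
    lowered = {k.lower(): v for k, v in entry.items()}
    result = {}
    for m in amap:
        for value in lowered.get(m["ldap-attribute"].lower(), []):
            if "prefix" in m:
                value = extract_partial(value, m["prefix"], m["delimiter"])
                if value is None:
                    continue
            result.setdefault(m["aaa-attribute"], []).append(value)
    return result


# Constructed directory entry returned for the matched user.
USER_ENTRY = {
    "memberOf": ["CN=group1,OU=groups,DC=example,DC=com",
                 "CN=ops,DC=example,DC=com",
                 "OU=nogroup,DC=example,DC=com"],   # no cn= prefix: skipped
    "employeeType": ["gold"],
    "mail": ["user1@example.com"],                  # not mapped: ignored
}

if __name__ == "__main__":
    print(build_search("user1@h3c"))
    print(apply_attribute_map(USER_ENTRY))
```

With the constructed settings, user1@h3c is searched as (&(objectClass=person)(cn=user1)) under dc=ldap,dc=com with subtree scope, and the two memberOf values that carry a cn= component become user-group values group1 and ops.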

Local bill cache commands

display local-bill

Use display local-bill to display usage statistics of the local bill cache or detailed information about a range of accounting bills in the cache.

Syntax

display local-bill { cache-usage | verbose start-number count count }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

cache-usage: Displays usage statistics of the local bill cache.

verbose: Displays detailed information about a series of consecutive accounting bills.

start-number: Specifies the number of the first accounting bill to be displayed. The value range for this argument is 1 to 50000.

count count: Specifies the total number of consecutive accounting bills to be displayed. The value range for the count argument is 1 to 100.

Examples

# Display detailed information about the two consecutive accounting bills starting from the bill numbered 1.

<Sysname> display local-bill verbose 1 count 2
Bill 1 details:
  Session ID  : 00000005201801181806480000195e6176100378
  User name   : user1@h3c
  Start time  : 2019-05-21 18:04:10
  Stop time   : 2019-05-21 18:05:35    Duration   : 0:01:35
  IP address  : 111.8.10.125           MAC address: 0016-ecb7-a879
  IPv6 address: N/A
  Service type: PPP                    Access type: PPP
  Interface   : Ten-GigabitEthernet3/1/1
  SVLAN/CVLAN : -/-
  Status      : Offline                Reason code: 6  Ref: 98
  User traffic:
    Received: 0            bytes, 0            packets
    Sent    : 0            bytes, 0            packets

Bill 2 details:
  Session ID  : 00000005201801181806480000195e6176100379
  User name   : user2
  Start time  : 2019-05-21 18:14:15
  Stop time   : 2019-05-21 18:15:35    Duration   : 0:01:20
  IP address  : 111.8.10.124           MAC address: 0016-ec89-a8e9
  IPv6 address: N/A
  Service type: PPP                    Access type: PPP
  Interface   : Ten-GigabitEthernet3/1/2
  SVLAN/CVLAN : 100/100
  Status      : Offline                Reason code: 6  Ref: 98
  User traffic:
    Received: 0            bytes, 0            packets
    Sent    : 0            bytes, 0            packets

Total bills: 2.

Table 31 Command output

Bill n details: Detailed information about the accounting bill numbered n.

Session ID: Session ID, which uniquely identifies an accounting session of a user.

Start time: Time at which the accounting session started.

Stop time: Time at which the accounting session stopped.

Duration: Online duration of the user.

IPv6 address: IPv6 address of the user.

Interface: Interface through which the user is connected to the device.

SVLAN/CVLAN: Service provider VLAN and customer network VLAN in which the user is connected to the device. A hyphen (-) is displayed if the user does not belong to a service provider VLAN or a customer network VLAN.

Status: Accounting bill type:

·     Invalid.

·     Realtime.

·     Offline.

·     CRC Failed.

The device supports only offline accounting bills in the current software version.

Reason code: Reason that the accounting session was terminated. The code uses the Acct-Terminate-Cause values defined in RFC 2866 (for example, 6 is Admin Reset).

Ref: Code that represents supplementary information for the session termination. This field is reserved for future use.

User traffic: User traffic statistics, including the uplink bytes, uplink packets, downlink bytes, and downlink packets.

Received: Traffic received by the user (downlink).

Sent: Traffic sent from the user (uplink).

Total bills: Total number of accounting bills displayed.
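The following Python example is added here as an illustration; it is not H3C code. It parses the text of display local-bill verbose into records, as an operator would when bills are pulled from a device for audit or incident review, maps Reason code to the RFC 2866 Acct-Terminate-Cause name, and cross-checks Duration against the Start time and Stop time fields. SAMPLE is constructed to match the output format shown above; its byte counts and the second bill's reason code differ from the page's output so that the checks have something to report.

```python
# Added example (not H3C code): parses the text of "display local-bill verbose"
# into records, maps Reason code to its RFC 2866 Acct-Terminate-Cause name, and
# cross-checks Duration against Stop time minus Start time. SAMPLE is
# constructed to match the output format shown above.
import re
from datetime import datetime

# RFC 2866 section 5.10, Acct-Terminate-Cause values.
ACCT_TERMINATE_CAUSE = {
    1: "User Request", 2: "Lost Carrier", 3: "Lost Service", 4: "Idle Timeout",
    5: "Session Timeout", 6: "Admin Reset", 7: "Admin Reboot", 8: "Port Error",
    9: "NAS Error", 10: "NAS Request", 11: "NAS Reboot", 12: "Port Unneeded",
    13: "Port Preempted", 14: "Port Suspended", 15: "Service Unavailable",
    16: "Callback", 17: "User Error", 18: "Host Request",
}

SAMPLE = """\
Bill 1 details:
  Session ID  : 00000005201801181806480000195e6176100378
  User name   : user1@h3c
  Start time  : 2019-05-21 18:04:10
  Stop time   : 2019-05-21 18:05:35    Duration   : 0:01:35
  IP address  : 111.8.10.125           MAC address: 0016-ecb7-a879
  IPv6 address: N/A
  Service type: PPP                    Access type: PPP
  Interface   : Ten-GigabitEthernet3/1/1
  SVLAN/CVLAN : -/-
  Status      : Offline                Reason code: 6  Ref: 98
  User traffic:
    Received: 0            bytes, 0            packets
    Sent    : 1500         bytes, 3            packets

Bill 2 details:
  Session ID  : 00000005201801181806480000195e6176100379
  User name   : user2
  Start time  : 2019-05-21 18:14:15
  Stop time   : 2019-05-21 18:15:35    Duration   : 0:01:20
  IP address  : 111.8.10.124           MAC address: 0016-ec89-a8e9
  IPv6 address: N/A
  Service type: PPP                    Access type: PPP
  Interface   : Ten-GigabitEthernet3/1/2
  SVLAN/CVLAN : 100/100
  Status      : Offline                Reason code: 1  Ref: 98
  User traffic:
    Received: 0            bytes, 0            packets
    Sent    : 0            bytes, 0            packets

Total bills: 2.
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
FIELD_RE = {
    "session_id": r"Session ID\s*:\s*(\S+)",
    "user": r"User name\s*:\s*(\S+)",
    "start": r"Start time\s*:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)",
    "stop": r"Stop time\s*:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)",
    "duration": r"Duration\s*:\s*(\d+:\d\d:\d\d)",
    "ip": r"IP address\s*:\s*(\S+)",
    "mac": r"MAC address\s*:\s*(\S+)",
    "interface": r"Interface\s*:\s*(\S+)",
    "svlan_cvlan": r"SVLAN/CVLAN\s*:\s*(\S+)",
    "status": r"Status\s*:\s*(\S+)",
    "reason": r"Reason code\s*:\s*(\d+)",
}
TRAFFIC_RE = r"%s\s*:\s*(\d+)\s+bytes,\s*(\d+)\s+packets"


def hms_to_seconds(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_bills(text):
    """Return one dict per "Bill n details:" block."""
    parts = re.split(r"^Bill (\d+) details:$", text, flags=re.M)
    bills = []
    for number, body in zip(parts[1::2], parts[2::2]):
        rec = {"number": int(number)}
        for key, pat in FIELD_RE.items():
            m = re.search(pat, body)
            rec[key] = m.group(1) if m else None
        for direction in ("Received", "Sent"):
            m = re.search(TRAFFIC_RE % direction, body)
            rec[direction.lower()] = (int(m.group(1)), int(m.group(2))) if m else None
        rec["reason"] = int(rec["reason"]) if rec["reason"] is not None else None
        rec["cause"] = ACCT_TERMINATE_CAUSE.get(rec["reason"], "Unknown")
        elapsed = (datetime.strptime(rec["stop"], TIME_FMT)
                   - datetime.strptime(rec["start"], TIME_FMT)).total_seconds()
        # A Duration that disagrees with the timestamps deserves a second look
        # before the bill is used for billing or as forensic evidence.
        rec["duration_consistent"] = int(elapsed) == hms_to_seconds(rec["duration"])
        bills.append(rec)
    return bills


def count_by_cause(bills):
    """Histogram of termination causes, e.g. to spot a burst of Admin Reset."""
    counts = {}
    for b in bills:
        counts[b["cause"]] = counts.get(b["cause"], 0) + 1
    return counts


if __name__ == "__main__":
    for b in parse_bills(SAMPLE):
        print(b["number"], b["user"], b["cause"], b["duration_consistent"])
```

Run against the constructed sample, bill 1 is flagged because its Duration (0:01:35) does not equal Stop time minus Start time (85 seconds), while bill 2 is consistent; the histogram reports one Admin Reset and one User Request.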

 

# Display usage statistics of the local bill cache.

<Sysname> display local-bill cache-usage
Cache usage:
  Existing bills: 0         Available bills      : 50000
  Max bills     : 50000     Auto export threshold: 4000
  Bytes per bill: 448

Table 32 Command output

Existing bills: Number of accounting bills stored in the local cache.

Available bills: Number of accounting bills that can still be stored in the remaining cache space.

Max bills: Maximum number of accounting bills that the local cache can hold.

Auto export threshold: Threshold for automatic bill export. When the number of cached accounting bills reaches this system-defined threshold, automatic bill export is triggered.

Bytes per bill: Size of each accounting bill in the cache, in bytes.

 

Related commands

local-bill enable

local-bill export

local-bill export-interval

local-bill export-url

local-bill enable

Use local-bill enable to enable the local bill cache feature.

Use undo local-bill enable to disable the local bill cache feature.

Syntax

local-bill enable

undo local-bill enable

Default

The local bill cache feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The local bill cache stores accounting bills locally for users that encounter accounting-stop failures (for example, failures caused by unreachable servers).

The local accounting bills can be exported automatically or manually to a storage directory by using FTP or TFTP. The exported accounting bills are saved in TXT format in the directory. You can use the bills for accounting, auditing, or analyzing.

This feature is applicable to LAN, PPP, and IPoE users.

Examples

# Enable the local bill cache feature.

<Sysname> system-view

[Sysname] local-bill enable

Related commands

local-bill export

local-bill export-interval

local-bill export-url

local-bill export

Use local-bill export to manually export local-cached accounting bills to a storage directory.

Syntax

local-bill export [ url ] [ clear-cache ]

Views

System view

Predefined user roles

network-admin

Parameters

url: Specifies the URL to which accounting bills are exported. The URL is a string of 1 to 256 characters. If you do not specify a URL, this command exports the accounting bills to the storage directory specified by using the local-bill export-url command.

clear-cache: Clears the local bill cache after the accounting bills are exported. If you do not specify this keyword, the command does not clear the local bill cache after the accounting bills are exported.

Usage guidelines

Use this command for ad hoc audits and data analysis, or when automatic export of accounting bills is not working correctly (for example, because of a server failure).

Table 33 describes the URL formats.

Table 33 URL formats

TFTP: tftp://server/path. You can specify a TFTP server by IP address or hostname. For example, tftp://1.1.1.1/lbill.

FTP:

·     With FTP username and password: ftp://username:password@server/path

·     Without FTP username and password: ftp://server/path

You can specify an FTP server by IP address or hostname. You can specify the username with or without the domain name, but the device ignores the domain name. For example, ftp://1:1@1.1.1.1/lbill or ftp://1.1.1.1/lbill.

 

Use the clear-cache keyword according to the export purposes. Do not use this keyword if the accounting bills are to be exported for troubleshooting or problem solving.

Among all user lines, only one user is allowed to perform a manual bill export at a time. During the export process, other users on the same user line cannot execute any commands. The manual bill export breaks an ongoing automatic bill export process.

Examples

# Export accounting bills to the tftp://10.10.10.10/tftp directory, and clear the local bill cache after the export.

<Sysname> system-view

[Sysname] local-bill export tftp://10.10.10.10/tftp clear-cache

Related commands

local-bill enable

local-bill export-interval

local-bill export-url

local-bill export-interval

Use local-bill export-interval to set an interval at which the device automatically exports accounting bills.

Use undo local-bill export-interval to restore the default.

Syntax

local-bill export-interval interval

undo local-bill export-interval

Default

The interval is 1440 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which the device automatically exports accounting bills. The value range for the interval is 1 to 65535, in minutes.

Usage guidelines

The interval takes effect after the local bill cache feature is enabled.

Examples

# Set the interval to 100 minutes for the device to automatically export accounting bills.

<Sysname> system-view

[Sysname] local-bill export-interval 100

Related commands

local-bill enable

local-bill export

local-bill export-url

local-bill export-url

Use local-bill export-url to specify a URL for automatic bill export.

Use undo local-bill export-url to restore the default.

Syntax

local-bill export-url url

undo local-bill export-url

Default

No URL is specified, and automatic bill export fails until one is configured.

Views

System view

Predefined user roles

network-admin

Parameters

url: Specifies the URL to which accounting bills are exported. The URL is a string of 1 to 256 characters and cannot start with a question mark (?).

Usage guidelines

With the local bill cache feature, the device exports accounting bills to the specified URL at the automatic export interval or after the number of accounting bills exceeds the system-defined threshold. The accounting bills are saved in TXT format. The local bill cache is cleared each time after an automatic export.

The command supports FTP and TFTP URLs. Table 34 describes the URL formats. Neither protocol encrypts the transfer: the exported bills, and any FTP username and password embedded in the URL, cross the network in cleartext. Point the URL at a server that the device reaches over a trusted management network, and prefer an FTP account that can only write to the export directory.

Table 34 URL formats

TFTP: tftp://server/path. You can specify a TFTP server by IP address or hostname. For example, tftp://1.1.1.1/lbill.

FTP:

·     With FTP username and password: ftp://username:password@server/path

·     Without FTP username and password: ftp://server/path

You can specify an FTP server by IP address or hostname. You can specify the username with or without the domain name, but the device ignores the domain name. For example, ftp://1:1@1.1.1.1/lbill or ftp://1.1.1.1/lbill.

 

Examples

# Configure tftp://10.10.10.10/tftp as the URL for automatic bill export.

<Sysname> system-view

[Sysname] local-bill export-url tftp://10.10.10.10/tftp

Related commands

local-bill enable

local-bill export-interval

snmp-agent trap enable local-bill

Use snmp-agent trap enable local-bill to enable SNMP notification for automatic accounting bill export.

Use undo snmp-agent trap enable local-bill to disable SNMP notification for automatic accounting bill export.

Syntax

snmp-agent trap enable local-bill

undo snmp-agent trap enable local-bill

Default

SNMP notification is enabled for automatic accounting bill export.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When the system fails to export accounting bills automatically to a server, it sends SNMP notifications to the information center.

The minimum interval for sending SNMP notifications is 10 seconds. The system does not send another SNMP notification if it has sent an SNMP notification within 10 seconds.

Examples

# Enable SNMP notification for automatic accounting bill export.

<Sysname> system-view

[Sysname] snmp-agent trap enable local-bill

Related commands

local-bill export-interval

local-bill export-url

RADIUS proxy commands

radius-proxy

Use radius-proxy to enable the RADIUS proxy feature and enter RADIUS proxy view.

Use undo radius-proxy to disable the RADIUS proxy feature.

Syntax

radius-proxy

undo radius-proxy

Default

The RADIUS proxy feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to enable the RADIUS proxy feature on the access device if both of the following conditions exist:

·     802.1X authentication is configured for wireless clients to access the network and IPoE authentication is configured for all clients to access the network.

·     The access device enabled with IPoE authentication does not support 802.1X authentication for wireless clients. IPoE authentication and 802.1X authentication are enabled on different devices.

This command enables the access device to act as a RADIUS proxy to participate in the RADIUS authentication, authorization, and accounting process of wireless 802.1X clients. The device performs RADIUS proxy as follows:

1.     Listens for authentication request packets from the specified RADIUS clients and forwards the request packets to the corresponding RADIUS servers of the RADIUS clients.

2.     Upon receiving authentication response packets from the RADIUS servers, the RADIUS proxy forwards the response packets to the RADIUS clients. In addition, the device generates local proxy user entries for authenticated 802.1X clients to record their username, IP address, MAC address, RADIUS client, and authorization information.

3.     Upon receiving accounting request packets from the RADIUS clients, the RADIUS proxy responds to them directly without forwarding the request packets to the RADIUS servers.

Use the RADIUS proxy feature only in scenarios where both IPoE authentication and wireless 802.1X authentication are configured for clients to access the network. As a best practice to ensure successful accounting for users that do not need a RADIUS proxy, do not enable the RADIUS proxy feature in any other scenarios.

By default, the RADIUS proxy feature and the RADIUS session-control feature use UDP port 1812 to listen for authentication request packets and session-control packets, respectively. If you use both the RADIUS proxy and RADIUS session-control features, make sure the two features use different ports to listen for packets.

Disabling the RADIUS proxy feature deletes all settings from RADIUS proxy view.

Examples

# Enable the RADIUS proxy feature and enter RADIUS proxy view.

<Sysname> system-view

[Sysname] radius-proxy

[Sysname-radius-proxy]

Related commands

client

client

Use client to specify a RADIUS client.

Use undo client to remove a RADIUS client.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] radius-scheme radius-scheme-name [ key { cipher | simple } string ] [ authentication-port authentication-port-num ] [ accounting-port accounting-port-num ] [ dae-server-port dae-server-port-num ]

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No RADIUS clients are specified.

Views

RADIUS proxy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the RADIUS client by its IPv4 address.

ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.

key: Specifies the shared key for secure communication with the RADIUS client. The specified shared key must be the same as the authentication and accounting shared key configured on the RADIUS client. If the RADIUS client does not have a shared key, do not specify this keyword.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive. The encrypted form of the key is a string of 1 to 117 characters and the plaintext form of the key is a string of 1 to 64 characters.

authentication-port authentication-port-num: Specifies the UDP port that listens for authentication request packets from the RADIUS client. The value range for the authentication-port-num argument is 1 to 65535 and the default value is 1812.

accounting-port accounting-port-num: Specifies the UDP port that listens for accounting request packets from the RADIUS client. The value range for the accounting-port-num argument is 1 to 65535 and the default value is 1813.

dae-server-port dae-server-port-num: Specifies the destination UDP port that the RADIUS proxy uses to forward DAE packets to the RADIUS client (which acts as a DAS). The value range for the dae-server-port-num argument is 1 to 65535 and the default value is 3799.

Usage guidelines

With the RADIUS proxy feature, the device listens for and processes authentication and accounting request packets from the specified RADIUS clients.

·     When the device receives an authentication request packet from a RADIUS client, it first matches the source IP address and VPN instance of the packet with local RADIUS client settings.

¡     If no matching RADIUS client is found, or no RADIUS client has been specified on the device, the device discards the packet.

¡     If a matching RADIUS client is found, the device uses the shared key of the matching RADIUS client to validate the packet. If the packet fails the validation, the device discards the packet. If the packet passes the validation, the device forwards the packet to the RADIUS server in the RADIUS scheme specified by using the radius-scheme radius-scheme-name option. Then, the device listens for the response to the request packet and forwards the response to the RADIUS client.

·     When the device receives an accounting request packet from a RADIUS client, it first validates the packet in the same way the authentication request packet was validated. If the packet passes the validation, the device responds to the request with accounting success. If the packet fails the validation, the device responds to the request with accounting failure. Unlike authentication, the device does not forward the accounting request packet to the RADIUS server after it passes the validation.
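The lookup and validation steps above, as an added Python model that is not H3C code: one client entry keyed by source IP and VPN instance, the Request Authenticator check of RFC 2866 for accounting requests and the Message-Authenticator check of RFC 3579 for authentication requests, each computed with the matching client's shared key. The client table, the sample packets and the rule that an Access-Request carrying no Message-Authenticator is dropped are assumptions for illustration.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCOUNTING_REQUEST, MESSAGE_AUTHENTICATOR = 1, 4, 80  # RFC 2865/2866/3579

# Constructed client table keyed by (source IP, VPN instance); "" means public network.
CLIENTS = {("3.3.3.3", ""): {"key": b"123456", "scheme": "rs1"}}

def build_packet(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def make_accounting_request(ident, attrs, key):
    """RFC 2866: Request Authenticator = MD5(packet with zeroed authenticator | key)."""
    tmp = build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return build_packet(ACCOUNTING_REQUEST, ident, hashlib.md5(tmp + key).digest(), attrs)

def make_access_request(ident, attrs, key):
    """RFC 3579: Message-Authenticator = HMAC-MD5(key, packet with the attribute zeroed)."""
    ra = bytes(range(16))  # constructed; real clients use a random Request Authenticator
    tmp = build_packet(ACCESS_REQUEST, ident, ra, attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(key, tmp, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, ident, ra, attrs + [(MESSAGE_AUTHENTICATOR, mac)])

def accounting_request_valid(packet, key):
    zeroed = packet[:4] + bytes(16) + packet[20:]
    return hmac.compare_digest(hashlib.md5(zeroed + key).digest(), packet[4:20])

def message_authenticator_valid(packet, key):
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2: return False  # malformed attribute length
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False  # assumption: Access-Requests without Message-Authenticator are dropped

def proxy_decision(src_ip, vpn, packet):
    """Apply the lookup and validation steps from the usage guidelines to one packet."""
    client = CLIENTS.get((src_ip, vpn))
    if client is None:
        return "discard: no matching RADIUS client"
    if packet[0] == ACCESS_REQUEST:
        if not message_authenticator_valid(packet, client["key"]):
            return "discard: validation failed"
        return "forward to RADIUS scheme " + client["scheme"]
    if packet[0] == ACCOUNTING_REQUEST:
        ok = accounting_request_valid(packet, client["key"])
        return "respond: accounting success" if ok else "respond: accounting failure"
    return "discard: unsupported code"
```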

Make sure a RADIUS client uses the same RADIUS scheme for wireless client authentication, authorization, and accounting. This configuration ensures that the RADIUS proxy can listen for the stop-accounting request packets of wireless online users from the RADIUS client. As a result, the RADIUS proxy can clear local proxy user entries in time to release memory space. In addition, execute the stop-accounting-packet send-force command on the RADIUS client. This command forces the RADIUS client to send a RADIUS stop-accounting request packet to the RADIUS proxy when a wireless client goes offline. The residual user information of the wireless client will be cleared in time from the RADIUS proxy.

For a RADIUS client, make sure the authentication and accounting ports configured on the RADIUS proxy are the same as the destination UDP ports of authentication and accounting packets sent by the RADIUS client, respectively. In addition, the authentication and accounting ports must be different.

Execute this command multiple times to specify multiple RADIUS clients. The device supports a maximum of 32 RADIUS clients.

If you specify a RADIUS client that has the same IP address and VPN instance as an existing RADIUS client, the most recent configuration overwrites the previous configuration.

Make sure the RADIUS proxy and a RADIUS client use the same port to forward DAE packets. On the RADIUS proxy, the port is the destination UDP port that the RADIUS proxy uses to forward DAE packets to the RADIUS client (acts as a DAS). On the RADIUS client, the port is the RADIUS DAS port configured by using the port command in RADIUS DAS view.

Examples

# Specify the RADIUS client at 3.3.3.3 for the RADIUS proxy and set the shared key to 123456 in plaintext form for secure RADIUS communication with the RADIUS client. The RADIUS proxy uses the RADIUS servers in RADIUS scheme rs1 for the users from the RADIUS client.

<Sysname> system-view

[Sysname] radius-proxy

[Sysname-radius-proxy] client ip 3.3.3.3 radius-scheme rs1 key simple 123456

Related commands

port

stop-accounting-packet send-force

display radius-proxy statistics

Use display radius-proxy statistics to display RADIUS proxy packet statistics for a RADIUS client.

Syntax

display radius-proxy statistics client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

client: Specifies a RADIUS client.

ip ipv4-address: Specifies the RADIUS client by its IPv4 address.

ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.

Examples

# Display RADIUS proxy packet statistics for the RADIUS client with IP address 169.168.92.1 in VPN instance v1.

<Sysname> display radius-proxy statistics client ip 169.168.92.1 vpn-instance v1

Authentication packets:

  Requests                   : 10         Accept responses       : 2

  Challenge packets          : 8          Reject responses       : 0

  Bad authenticators         : 0          Dropped requests       : 0

Accounting packets:

  Requests                   : 2          Responses              : 2

  Bad authenticators         : 0          Dropped requests       : 0

DAE packets:

  Requests                   : 1          ACKs                   : 1

  NAKs                       : 0

Table 35 Command output

Field                     Description
Authentication packets    Number of authentication packets.
Accounting packets        Number of accounting packets.
DAE packets               Number of DAE packets.
Requests                  Number of request packets.
Accept responses          Number of Access-Accept packets.
Challenge packets         Number of Access-Challenge packets.
Reject responses          Number of Access-Reject packets.
Responses                 Number of accounting response packets.
Bad authenticators        Number of packets with incorrect authenticators.
Dropped requests          Number of dropped request packets.
ACKs                      Number of DAE request ACK packets.
NAKs                      Number of DAE request NAK packets.

Related commands

reset radius-proxy statistics

display radius-proxy user

Use display radius-proxy user to display RADIUS proxy user information for RADIUS clients.

Syntax

display radius-proxy user [ client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

client: Specifies a RADIUS client. If you do not specify a RADIUS client, this command displays RADIUS proxy user information for all RADIUS clients.

ip ipv4-address: Specifies the RADIUS client by its IPv4 address.

ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.

count: Displays only the number of RADIUS proxy users. If you do not specify this keyword, the command displays detailed information about RADIUS proxy users.

Examples

# Display RADIUS proxy user information for the RADIUS client with IP address 3.3.3.3.

<Sysname> display radius-proxy user client ip 3.3.3.3

Username     MAC address     IP address    Client IP     Client VPN

Yyy1         1-1-1           2.2.2.2       3.3.3.3       abc

Yyy2         1-1-2           -             3.3.3.3       -

# Display the number of RADIUS proxy users on the RADIUS client with IP address 3.3.3.3.

<Sysname> display radius-proxy user client ip 3.3.3.3 count

Total RADIUS users: 2

Table 36 Command output

Field                Description
MAC address          MAC address of the user.
IP address           IP address of the user. If no IP address of the user is obtained, this field displays a hyphen (-). If both the IPv4 and IPv6 addresses of the user are obtained, this field displays only the IPv4 address.
Client IP            IP address of the RADIUS client that the user accesses.
Client VPN           Name of the VPN instance to which the RADIUS client belongs. If the RADIUS client belongs to the public network, this field displays a hyphen (-).
Total RADIUS users   Number of proxy users on the RADIUS client.

Related commands

reset radius-proxy user

reset radius-proxy statistics

Use reset radius-proxy statistics to clear RADIUS proxy packet statistics for RADIUS clients.

Syntax

reset radius-proxy statistics [ client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]

Views

User view

Predefined user roles

network-admin

Parameters

client: Specifies a RADIUS client.

ip ipv4-address: Specifies the RADIUS client by its IPv4 address.

ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command clears RADIUS proxy packet statistics for all RADIUS clients.

Examples

# Clear RADIUS proxy packet statistics for the RADIUS client with IP address 3.3.3.3.

<Sysname> reset radius-proxy statistics client ip 3.3.3.3

Related commands

display radius-proxy statistics

reset radius-proxy user

Use reset radius-proxy user to clear RADIUS proxy user information.

Syntax

reset radius-proxy user [ mac mac-address [ client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ]

Views

User view

Predefined user roles

network-admin

Parameters

mac mac-address: Specifies a proxy user by its MAC address, in the format of H-H-H.

client: Specifies a RADIUS client.

ip ipv4-address: Specifies the RADIUS client by its IPv4 address.

ipv6 ipv6-address: Specifies the RADIUS client by its IPv6 address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the RADIUS client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the RADIUS client is on the public network, do not specify this option.

Usage guidelines

Use this command to clear RADIUS proxy user information for a RADIUS client in either of the following cases:

·     If the RADIUS proxy is not configured to ignore stop-accounting packets:

You can use this command to clear residual RADIUS proxy user information for a RADIUS client if the number of proxy users on the RADIUS proxy is larger than the number of online users on the RADIUS client.

·     If the RADIUS proxy is configured to ignore stop-accounting packets and the aging time of local proxy user entries is long:

You can use this command to clear local proxy user entries for users that will not come online again in a short period of time from the RADIUS proxy.

To avoid user authentication failures caused by clearing the wrong entries, make sure the information to be cleared belongs to offline users before executing this command.

If you do not specify any parameters, this command clears all RADIUS proxy user information.

Examples

# Clear RADIUS proxy user information for the RADIUS client with IP address 3.3.3.3.

<Sysname> reset radius-proxy user client ip 3.3.3.3

Related commands

display radius-proxy user

stop-accounting ignore

timer aging

stop-accounting ignore

Use stop-accounting ignore to enable the RADIUS proxy to ignore stop-accounting requests.

Use undo stop-accounting ignore to disable the RADIUS proxy from ignoring stop-accounting requests.

Syntax

stop-accounting ignore

undo stop-accounting ignore

Default

The RADIUS proxy does not ignore stop-accounting requests and clears the corresponding local proxy user entry upon receiving a stop-accounting request.

Views

RADIUS proxy view

Predefined user roles

network-admin

Usage guidelines

By default, upon receiving a stop-accounting request from the AC for a client that goes offline, the RADIUS proxy deletes the local proxy user entry immediately but does not delete the IPoE session. If BRAS allows packet-triggered reassociation of IPoE users that go offline abnormally, IPoE authentication can be triggered for the IPoE users by using the following packets:

·     IP, ARP, and NS/NA packets of DHCP users.

·     IP and NS/NA packets of ND RS users.

However, the new IPoE sessions generated by the BRAS for these users have no matching local proxy user entries, so the IPoE users cannot come online.

Therefore, for a device enabled with RADIUS proxy to support reassociation of IPoE users that go offline abnormally, enable the RADIUS proxy to ignore stop-accounting requests as a best practice.

With this feature enabled, upon receiving a stop-accounting packet, the device does not delete the corresponding local proxy user entry proactively. The entries might occupy memory resources, but will be deleted after the aging timer expires.

Examples

# Enable the RADIUS proxy to ignore stop-accounting packets.

<Sysname> system-view

[Sysname] radius-proxy

[Sysname-radius-proxy] stop-accounting ignore

Related commands

display radius-proxy user

reset radius-proxy user

timer aging

timer aging

Use timer aging to set the aging time of local proxy user entries.

Use undo timer aging to restore the default.

Syntax

timer aging aging-time

undo timer aging

Default

The aging time of local proxy user entries is 720 minutes.

Views

RADIUS proxy view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the aging time in the range of 0 to 65535 minutes. Setting the value to 0 indicates that the local proxy user entries will not age out.

Usage guidelines

Application scenarios

When a large number of wireless clients associate or disassociate through the RADIUS proxy within a short period, local proxy user entries accumulate on the BRAS device and occupy a large amount of memory. In this case, use this command to shorten the aging time of local proxy user entries so that the memory is released as soon as possible.

In all other cases, keep the default value as a best practice, or slightly increase the aging time so that clients requiring long-term network access are not repeatedly authenticated because their entries aged out.

Operating mechanism

After generating a local proxy user entry for a successfully authenticated user, the RADIUS proxy starts an aging timer for the entry. After the client data traffic triggers IPoE authentication and the IPoE user comes online successfully, the RADIUS proxy stops the aging timer for the user's local proxy user entry. Once the IPoE user goes offline, the BRAS device restarts the aging timer based on the command setting. The entry will be deleted once the timer expires.

If the IPoE user comes online before the timer expires, the timer is stopped again.

Restrictions and guidelines

If you change the aging time, the change does not affect running aging timers. It affects only newly created local proxy entries and restarted aging timers.

As a best practice, do not set the aging time to 0. Value 0 is applicable only to scenarios with fixed clients. After you change the aging time from 0 to a non-zero value, check the device for residual entries of offline users and clear them as a best practice. To clear the residual entries, use the reset radius-proxy user command.

If the UCM process restarts or master/backup switchover occurs, the system restarts all aging timers for local proxy user entries based on the command setting.

The new aging time takes effect immediately in the following cases:

·     The IPoE user for a local proxy user entry goes offline.

·     An 802.1X user passes reauthentication.

·     An 802.1X user performs inter-AC roaming.
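The entry lifecycle described under stop-accounting ignore and in the operating mechanism and restrictions above, as an added Python simulation that is not H3C code: entries are keyed by MAC address, time is simulated in minutes, and the class models deletion (or not) on a stop-accounting request, the timer stop and restart around the IPoE session, the rule that a changed aging time leaves running timers untouched, and the residual entries that aging time 0 leaves behind. Method names and the minute-based clock are assumptions for illustration.

```python
class ProxyUserTable:
    """Simulated local proxy user table; time is in minutes and advances via tick()."""

    def __init__(self, aging_time=720, stop_accounting_ignore=False):
        self.aging_time = aging_time                 # current timer aging setting
        self.stop_accounting_ignore = stop_accounting_ignore
        self.now = 0
        self.entries = {}   # MAC -> expiry minute, or None while no timer is running

    def _start_timer(self, mac):
        # Aging time 0 means the entry never ages out (no timer is started).
        self.entries[mac] = None if self.aging_time == 0 else self.now + self.aging_time

    def authenticated(self, mac):
        """Successful authentication through the proxy creates the entry and starts its timer."""
        self._start_timer(mac)

    def ipoe_online(self, mac):
        """The IPoE user comes online: the aging timer for the entry is stopped."""
        if mac in self.entries:
            self.entries[mac] = None

    def ipoe_offline(self, mac):
        """The IPoE user goes offline: the timer restarts with the current setting."""
        if mac in self.entries:
            self._start_timer(mac)

    def stop_accounting(self, mac):
        """Stop-accounting request from the AC: delete the entry unless ignoring is enabled."""
        if not self.stop_accounting_ignore:
            self.entries.pop(mac, None)

    def set_aging_time(self, minutes):
        """timer aging change: running timers keep their original expiry."""
        self.aging_time = minutes

    def reset_user(self, mac=None):
        """reset radius-proxy user [mac ...]: clear one entry or all entries."""
        if mac is None:
            self.entries.clear()
        else:
            self.entries.pop(mac, None)

    def tick(self, minutes):
        """Advance time and delete entries whose aging timers have expired."""
        self.now += minutes
        for mac, expiry in list(self.entries.items()):
            if expiry is not None and expiry <= self.now:
                del self.entries[mac]

    def count(self):
        """Equivalent of display radius-proxy user count."""
        return len(self.entries)
```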

Examples

# Set the aging time of local proxy user entries to 60 minutes.

<Sysname> system-view

[Sysname] radius-proxy

[Sysname-radius-proxy] timer aging 60

Related commands

display radius-proxy user

reset radius-proxy user
